by Paul Rubell, Esq.
Facebook Messenger is neither secure nor encrypted. Despite Facebook’s marketing of Messenger as a private way to communicate safely, it is not private at all.
First, the encryption claim. Messenger is not as secure as WhatsApp and Apple’s iMessage. Facebook’s text product disguises the data in transit while your text message travels through the Internet pipeline from your computer or mobile device to your recipient’s. However, once the text arrives at its destination, it is decrypted and can be read by anyone with access – both by Facebook staff as well as by anyone looking at your device. In contrast, WhatsApp and iMessage are “end-to-end” encrypted, keeping all “data at rest” as safe and private as “data in transit.”
Second, the Facebook spying. Facebook regularly scans messages sent by its users. Facebook tracks all messages that contain a hyperlink to a Facebook page or webpage. The name of the sender and recipient is used to market and advertise Facebook’s services to the host of the link page or site.
According to a complaint filed in federal court in California, when a Facebook user composes a message with a URL in the message’s body, Facebook generates a “URL preview” consisting of a brief description of the website and a relevant image from the website, if available. Facebook keeps a record of each “URL preview”, which is called an “EntShare.” The “EntShare” is tied to the specific user who sent the message. Facebook also creates another record called an “EntGlobalShare” which tracks all users who sent a message containing the same hyperlink. The lawsuit alleges that Facebook uses the information to fuel its algorithms for measuring user engagement and making recommendations. The accompanying flow chart illustrates Facebook’s information tracking.
It is claimed that Facebook shares this user data by redirecting the content of private messages to the operator of the linked webpage. This is intended to help the website customize content for its existing visitors and target advertising to attract new visitors.
Facebook also scans messages in order to increase a page’s “Like” count. When a Facebook user sends a message with a URL, Facebook counts that as equivalent to a user actively clicking “like” on the website link. In this way, even though the user has not ‘liked’ the page or website, Facebook shows the message link as a ‘like’ for purposes of tabulating the number of likes. Testimony in the lawsuit claims that Mark Zuckerberg complained in an email that Twitter’s numbers for its “like”-equivalent were much higher than Facebook’s, and he told his staff that “we should be showing the largest number we can rationalize showing.”
An expert witness in the case testified that Facebook uses a share object called an “EntShare” that is created in Facebook’s source code. Each message has a unique EntShare with a unique numerical identifier, and each EntShare is tied to the Facebook user ID of the message’s sender. All of this information is stored in a database called Titan that shows the date and time that the message was sent, the sender’s user ID, the recipient’s user ID, and the EntShare ID.
The federal Electronic Communications and Privacy Act (ECPA) regulates data in transit. Briefly, it is illegal to monitor data that is flowing through the pipes of the internet. However the law focuses on the content of messages, not their metadata. The ECPA statute contains exceptions that permit “record information” such as the name, IP address and identifiers about the sender of a message to be monitored.
The Facebook users who brought the lawsuit claimed that Facebook has used a uniform system architecture and source code to intercept and catalog its users’ private message contents. Facebook did not deny that charge.
Encryption is a way for people and businesses to communicate securely. False advertising by Facebook that its messages are encrypted like Apple’s is wrong.
(c) Copyright 2016 by Paul Rubell. All rights are reserved.