Hint: It has to do with something called “privacy”. You might be perfectly aware of it, or you might be appalled to find out, but the truth remains the same: unlike the end-to-end encrypted WhatsApp, Messenger is unable to protect your content from prying eyes. And a new report reveals that Facebook can not only access all the content you send on the messaging app, it even downloads that content to its own servers without any warning, regardless of how personal or private it may be.
The team responsible for this report actually has a pretty good track record of holding companies accountable for privacy violations. Comprising Tommy Mysk and Talal Haj Bakry, the team caught TikTok reading Apple device users’ clipboards and managed to push the consumer electronics giant into making important security changes to its platform.
Mysk and Haj Bakry stumbled upon Messenger’s glaring flaw when they set out to explore how messaging platforms in general handle “link previews”. This is the term used to describe the content preview that your recipient is able to see when you send them a website link, a news article, or even private documents.
“We think link previews are a good case study of how a simple feature can have privacy and security risks,” the team wrote in the report.
Facebook’s Messenger, they found out, has a concerning approach to link previews: server-side link previews. As the report puts it, “when you send a link, the app will first send it to an external server and ask it to generate a preview, then the server will send the preview back to both the sender and receiver.”
However, as one might imagine, this is a security nightmare. While Facebook doesn’t provide link previews in its end-to-end encrypted chats, it certainly has them included in its normal chats, and it is in the normal chats that the team discovered all manner of vulnerabilities that impact user privacy.
As the researchers explain in their report, “links shared in chats may contain private information intended only for the recipients. This could be bills, contracts, medical records, or anything that may be confidential… Although these servers are trusted by the app, there’s no indication to users that the servers are downloading whatever they find in a link. Are the servers downloading entire files, or only a small amount to show the preview? If they’re downloading entire files, do the servers keep a copy, and if so for how long? And are these copies stored securely, or can the people who run the servers access the copies?”
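The question of whether a preview server downloads an entire file or only part of it can be checked from the receiving side: host a file of known size on a server you control, share its link, and compare the bytes served in the access log with the file size. The following is an added example, not code from the report; the log lines, paths, user-agent names and the `audit_fetches` helper are constructed for illustration.

```python
import re

# Constructed sample data: known sizes of the test ("canary") files and
# combined-format access log lines. IPs, paths and user agents are made up.
CANARY_SIZES = {"/canary/report.pdf": 20971520, "/canary/photo.jpg": 2097152}
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /canary/report.pdf HTTP/1.1" 200 20971520 "-" "ExamplePreviewBot/1.0"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /canary/photo.jpg HTTP/1.1" 206 524288 "-" "OtherPreviewBot/2.1"
198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /canary/photo.jpg HTTP/1.1" 206 1048576 "-" "OtherPreviewBot/2.1"
192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "HEAD /canary/report.pdf HTTP/1.1" 200 - "-" "ExamplePreviewBot/1.0"
192.0.2.80 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"'
)

def audit_fetches(log_text, canary_sizes, full_threshold=0.99):
    """Per (user agent, canary path): how much of the file was served."""
    results = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["path"] not in canary_sizes:
            continue  # unparseable line or not one of the test files
        if m["method"] != "GET" or m["status"] not in ("200", "206"):
            continue  # HEAD requests and errors transfer no file body
        sent = 0 if m["size"] == "-" else int(m["size"])
        entry = results.setdefault((m["agent"], m["path"]),
                                   {"requests": 0, "max_bytes": 0})
        entry["requests"] += 1
        entry["max_bytes"] = max(entry["max_bytes"], sent)
    for (agent, path), entry in results.items():
        fraction = entry["max_bytes"] / canary_sizes[path]
        entry["fraction"] = round(fraction, 4)
        entry["verdict"] = ("full download" if fraction >= full_threshold
                            else "partial")
    return results

if __name__ == "__main__":
    for (agent, path), e in audit_fetches(SAMPLE_LOG, CANARY_SIZES).items():
        print(f"{agent:24} {path:20} {e['max_bytes']:>10} bytes "
              f"({e['fraction']:.0%}) -> {e['verdict']}")
```

The byte count is what the web server logged as sent, so it shows how much the fetcher pulled but says nothing about whether a copy was kept or for how long.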
So, what’s the big takeaway here? If Messenger isn’t your primary messaging platform, perfect. If it is something you are reliant on for your daily communications, it’s best to refrain from sending any links to private information. Just switch to an end-to-end encrypted app for this purpose, because Messenger is certainly not safe for your personal information.