If you’re one of Facebook Messenger’s 1.3 billion users, then you have just been given a serious reason to quit. While recent headlines suggest the platform is adding new security protections, there's a nasty twist which makes this more risky than it seems, raising new questions about Facebook and its secretive backend systems.
While Apple’s controversial CSAM update and surprise backtrack have dominated the headlines, Facebook has quietly made a huge change to Messenger that arguably has more serious implications for your security and privacy than anything Apple has done.
Messenger’s biggest issue has always been its lack of default end-to-end encryption. Now after years of delays and disappointments, Facebook says it is finally teasing out some of this long-awaited functionality. But there are two huge issues buried under the surface here, both of which you need to know if you continue to use the app.
Facebook is in the data collection business—we all know this. But it’s also in the user collection business. Just look at the numbers. Facebook has four apps that have topped 3 billion installs—Facebook itself, Messenger, WhatsApp and Instagram. TikTok is the only other app to hit those heights. Think that through for a moment.
But not all those users are the same. Facebook, Messenger and Instagram are tightly linked. The main platform and its photo-sharing subsidiary grip you with algorithmic timelines literally coded to learn from their mistakes—when you look up, exit the app, do something else. Meanwhile, Messenger and Instagram DMs enable you to engage your social graph, linking all that catchy content in one place with everyone you know.
WhatsApp is different—it has always been different. There’s no algorithmic content to pull you in, no timeline to scroll, just a bunch of chats and groups where users message each other in relative privacy. Facebook is desperate to mine the metadata, the social graphs, to push ads and business services. But WhatsApp remains different, aloof.
And so, what to make of Facebook finally pushing forwards with its horribly delayed end-to-end encryption for Messenger and Instagram DMs to match WhatsApp’s security? Let’s be clear, you should use a fully encrypted messenger—but that doesn’t mean all messengers should be fully encrypted or that encryption in and of itself is a silver bullet that suddenly makes everything private and secure.
Many respected security professionals are adamant that end-to-end encryption should be ubiquitous. “Digital eavesdropping is dangerous,” says ESET’s Jake Moore. “Messenger has made the correct decision to highlight the importance of end-to-end encryption by making it default on all communication. This will no doubt increase confidence in a platform which has been chipped away at over recent years.”
I would ordinarily agree—but Facebook Messenger is different. It is part of a social media platform that collects vast amounts of observational data on its users as they use the platform; it is also used by children and enables users to search for people and then initiate contact with them—you simply cannot do that on WhatsApp or Signal.
I take a simple view here. If my kids are using social media, I don't want a stranger to be able to trawl the site, find their profiles and secretly message with them. Facebook tells me it has technology to prevent this. But funnily enough, I don't trust Facebook’s assurances that its technology can manage this—neither does leading child advocacy group NSPCC, which warns the evidence shows encryption will lead to “a significant drop in reports of child abuse... a [failure] to protect children from avoidable harm.”
Facebook tells me that Messenger encryption will not reduce its ability to flag child abuse on its platform. But internally the company doesn't seem so sure. Earlier this year, Facebook’s head of global policy management was asked whether reported cases of child abuse might “disappear” with encryption and said “I would expect the numbers to go down. If content is being shared and we don’t have access to that content, if it is content we cannot see, then it is content we cannot report.”
For its part, Facebook now says it will add controls to allow users to “prevent unwanted interactions by deciding who can reach your chats list, who goes to your requests folder, and who can’t message you at all.” But putting the onus fully on kids to protect themselves from unwanted contacts is every bit as bad an idea as it sounds.
Is there some acknowledgement of this in the other news from Facebook about its “opt-in end-to-end encryption for Instagram DMs?” Maybe. The platform says that it now plans “a limited test with adults in certain countries that lets them opt-in to end-to-end encrypted messages and calls for 1:1 conversations on Instagram.” Keeping full encryption adult-only on Instagram would be a welcome move.
Whatever view you took on Apple’s on-device CSAM and iMessage filtering—it is clearly impossible to trawl iMessage looking for people to contact. You need to have a phone number or iCloud ID to reach out. But it emphasizes the point. Shielded messaging and open social media platforms are a toxic combination.
You can’t trawl WhatsApp either, of course, and a private conversation there is more or less exactly that. Yes, it will give metadata to law enforcement if asked, but there’s not that much metadata. It knows your number, contacts, groups, times and places you log on. It says it doesn’t even (usually) capture data on who you message and when.
A private conversation on Messenger or Instagram is very different. Those platforms know everything about you, they’re mining your data by default. With Messenger encryption, you may be whispering in your friend’s ear, and Facebook may not be able to overhear, but it’s watching everything else you do, and it can fill in the gaps. Your actual messaged content might be shielded, but everything else remains fair game.
Facebook is the world’s messaging giant—each of Messenger and Instagram (with its DMs) reaches a billion-plus users, while WhatsApp has twice as many. Looking at how WhatsApp competes with iMessage and Android Messages and smaller rivals like Telegram and Signal is interesting. But what’s much more interesting is the way in which Facebook’s own platforms now compete with each other, and specifically that WhatsApp and Messenger are becoming rivals, with their interests far from aligned.
WhatsApp is evolving into a much more complete messenger month by month: disappearing and view-once messages, multi-device access, stickers and rich chat features, soon (we’re told) quick emoji responses. All of these eat into the advantages Messenger holds over WhatsApp. Yes, this makes integration simpler, but it also plugs major gaps in WhatsApp which might have been keeping you on Messenger.
Of these, the long-awaited news that WhatsApp has finally addressed its biggest weakness, with multi-device access finally live as a public beta ahead of its production release, is a twist with huge implications. “For years,” WhatsApp said, “people have been asking us to create a true multi-device experience that allows people to use WhatsApp on other devices without requiring a smartphone connection.”
As things stand, you now have two Facebook messaging options that are becoming much more closely featured rivals than ever before. WhatsApp, a point-to-point, dedicated messenger, and the combination of Messenger and Instagram, both add-ons to social media platforms, both heavily used by kids and under fire for algorithmically spreading harmful content and endangering users.
If you follow the logic, these three (becoming two) messaging platforms should remain separate. WhatsApp is now closing the feature-gap with multi-device access. You won’t need integration to message WhatsApp users from your tablet or desktop using a different Facebook app, you will be able to use a WhatsApp app for that instead.
The more serious issue is that if Facebook does persist with its Messenger plans, it risks lawmakers forcing backdoors into its encryption given the child safety issues, and if those Facebook plans continue to include backend integration, then WhatsApp will be impacted by this. WhatsApp’s boss Will Cathcart has been publicly beating the drum on encryption all year. Messenger might be the biggest threat to this. Again, we see that interesting agenda, with WhatsApp and Facebook’s interests diverging.
All of which raises the specter for Facebook that it may need to maintain the ring fence around WhatsApp that it promised when it acquired the platform, and which has been under threat ever since. Does Facebook need to accept that the safest option is to preserve WhatsApp’s security, paying the price of restricting security enhancements to Messenger and keeping WhatsApp outside any back-end integration? The imminent threat of carving WhatsApp out of Facebook seems to have diminished. To the extent that integration was a defensive move, can that now be rethought?
So, as you see the PR coming separately from Facebook and WhatsApp, keep this context in mind. Ask yourself: are we not hearing two very different, contradictory points of view—does WhatsApp now know that the best thing it can take from 2021 is more independence, even if that comes at Messenger’s (and Facebook’s) expense?
While Apple has been hogging the headlines with the CSAM backlash, the irony is that the quiet news from Facebook that Messenger encryption has progressed has deeper implications for child protection. And Facebook progressing that encryption may have deeper implications for WhatsApp than Apple’s CSAM updates being abused by governments and opening the door to backdoors. Facebook has been repeatedly warned that Messenger encryption is a step too far, and yet here we are.
If you’re still on Messenger, if you’re tied to its multi-device access, then as soon as WhatsApp’s full update reaches your phone you should switch. Unlike Messenger, it will be end-to-end encrypted across all your devices, it harvests much less of your data, and your security doesn’t come at the expense of added risk for others.
Writer: Zak Doffman is a widely recognized expert on surveillance and cyber, as well as the security and privacy risks associated with big tech, social media, IoT and smartphone platforms.
BDST: 1208 HRS, SEP 06, 2021