If you are still using Facebook Messenger, you should be aware of Warning one “essentialâThe security update is now seriously delayed. And while you might be thinking about hanging on, what used to be considered a simple update has gotten horribly twisted. For Messenger’s 1.3 billion users, is it finally time to stop?
If you’re a regular reader of this column, you are well aware of the critical differences between Messenger and WhatsApp, Facebook’s other large-scale messaging platform. While the latter encrypts all content between senders and recipients, ensuring that no one, not even Facebook, can read it, Messenger doesn’t. The company admits that it monitors content, and we recently exposed it to make it even worse.
“The first step in keeping people safe is to have strong security,” WhatsApp boss Will Cathcart mentionned last month, as Secure Messenger launched another privacy campaign around the strength of its encryption. “We believe governments shouldn’t try to encourage tech companies to offer weak security.”
So at first glance, Facebook to promise back in early 2019 to extend WhatsApp encryption to protect Messenger content was a good thing, right? Many users and security professionals certainly think so. âWe need encryption for all conversations, all platforms,â ESET’s Jake Moore told this week’s Straight Talking Cyber, the video at the top of this story. âOtherwise, businesses will sell our data and profit from it. ”
But with Messenger, it’s not as easy as it sounds. WhatsApp is point-to-point messaging, where you can only contact people or numbers you know, with Messenger you can search and browse the site, contacting those you don’t know.
Facebook’s most controversial update in years risks the platform “failing to protect children from preventable harm,” one of the world’s leading children’s advocacy groups, NSPCC, warned this week. saying that the evidence they saw suggests “a significant drop in reports of child abuse” on its sites.
When a messenger is directly linked to a social media site that hosts user profiles, especially when this includes minors, there are serious risks to protecting the content of the messaging, preventing monitoring of this form of content. It is not a theoretical risk. Investigators who brought British pedophile David Wilson to justice this year say that it may not have been caught with Facebook’s extended encryption in place.
UK children’s charity NSPCC tells me that “10% of child sexual offenses on Facebook-owned platforms take place on WhatsApp, but they represent less than 2% of child abuse than the company reports to the police because they cannot see the content of the messages. “We have seen the impact this can have on the 58% reduction in reports of child exploitation after the EU ePrivacy Directive. While a emergency stay solved this problem, children’s advocates say it illustrates the impact encryption will have.
When asked about this issue, Facebook told me that âwe are developing strong security measures designed to prevent damage from happening in the first place and to give people controls to react if it does happen. Working together also gives us more information to identify abusive accounts and allows us to introduce behind-the-scenes security features, like restricting interactions between adults and minors.
The Facebook spokesperson also told me that Messenger’s encryption do not impact on its ability to report and prevent such damage online. But earlier this year, the head of the company’s global policy management, when asked by UK lawmakers whether child abuse cases could ‘go away’ once encryption is in place, admitted that âI would expect the numbers to go down. If the content is shared and we don’t have access to that content, if it’s content that we can’t see, then it’s content that we can’t report. “
A few weeks ago, the boss of British MI5 warned that by encrypting Messenger, Facebook would give a âfree passâ to âsome of the worst people in our societyâ. And this week, UK child welfare police have mentionned roughly the same: “Unless the tech industry starts taking this really seriously, we’re going to see exponential growth in the number of images we record, continued child abuse … and an ever-increasing number of people who have a sexual interest in children.
But WhatsApp’s Cathcart warns that the downside of weakening encryption is worse. âImagine there was a government proposal to put a video camera in every living room in a country connected to the Internetâ, he told the Guardian last month, “so that the government can activate it when investigating a crime … Because it is technical, sometimes the horror of what is proposed is lost.”
This debate is far from settled. On the one hand, messaging without end-to-end encryption puts content and privacy at risk. But, on the other hand, where this encryption is in place, and where adults can message minors, this poses a safety risk to children. Messenger’s real problem is child safety, grooming and radicalization, not messaging between bad actors involved in terrorist plots and serious crime.
The answer, in my opinion, is pretty obvious. Facebook has secure messaging in the form of WhatsApp. This is the platform that popularized end-to-end encryption in the first place, and it uses that security as USP. Facebook users can turn to WhatsApp to send messages to those they know in a secure and private way. Facebook does not need to provide the same âabsoluteâ level of security for Messenger and Instagram. It can certainly protect against surveillance or occasional interception, but it can also facilitate case-by-case interception or forensic examination through the use of protected backdoors.
As a security professional, it’s anathema to me to forgo end-to-end encryption as a universal default. But as a father it is obvious that we have to find a balance here. I keep coming back to the fact that users can browse Facebook and click to send messages to users at will. A lot of kids don’t have privacy protections in place, and although Facebook tells me it can prevent adults from contacting unfamiliar children, anecdotal data and common sense tell me that is not an absolute.
âThe lessons of the past five years clearly show that technology companies and governments must prioritize private and secure communication,â says Cathcart. He’s right, of course, but it doesn’t have to be a one-size-fits-all. And whether that means not encrypting platforms like Messenger, allowing backdoors, or restricting encryption to adult accounts, the options should be explored.
And that brings me to the real crux of the matter here. The grave danger for Facebook is that if it continues to extend WhatsApp’s security to include Messenger, and if lawmakers insist that such an extension comes with trade-offs, there is a real risk that its own. WhatsApp security is weakened.
Conversely, of course, Facebook apparently considers full integration of its platforms to be the best way to keep them under one roof. Whether or not that changes in light of her recent antitrust victory we will wait to see.
Facebook should accept the limitations of any email encryption extension as a compromise to protect WhatsApp. Messenger users reading this should switch their personal chats to WhatsApp (or Signal) and leave Messenger for trivial communications and children. You definitely shouldn’t use it as your default messaging platform if you’re using Android, where switching from the default OS is an option, unlike iOS.
It makes sense that Facebook integrates its messengers. Between them, Messenger, WhatsApp and Instagram serve half of the world’s online population. And while privacy improvements are always welcome, don’t forget the profit motive in such a move. Messengers are sticky, they generate invaluable metadata, and they bring businesses and customers closer and closer. The combination of three already giant platforms in the global messaging giant is not meant to protect our privacy.
Encrypting Facebook Messenger is an answer to a problem that doesn’t need to exist. Facebook can choose to better control its own data collection and monitoring, and it can continue to work with law enforcement to report bad behavior on its platform.
You absolutely should stick to encrypted messaging platforms. This means changing where you could use Facebook Messenger or Telegram (which is not end-to-end encrypted by default) or SMS. This does not mean that we must protect all communications from lawful interception, with no regard for unintended consequences.