Is Facebook Monitoring your Messenger Texts?

  • By Paul Rubell
  • 24 May, 2016

Facebook Messenger is neither secure nor encrypted. Despite Facebook’s marketing of Messenger as a private way to communicate safely, it is not private at all.

First, the encryption claim. Messenger is not as secure as WhatsApp and Apple’s iMessage. Facebook’s text product encrypts the data in transit while your text message travels through the Internet pipeline from your computer or mobile device to your recipient’s. However, once the text arrives at its destination, it is decrypted and can be read by anyone with access – both by Facebook staff and by anyone looking at your device. In contrast, WhatsApp and iMessage are “end-to-end” encrypted, keeping all “data at rest” as safe and private as “data in transit.”

Second, the Facebook spying. Facebook regularly scans messages sent by its users. Facebook tracks all messages that contain a hyperlink to a Facebook page or webpage. The names of the sender and recipient are used to market and advertise Facebook’s services to the host of the linked page or site.

According to a complaint filed in federal court in California, when a Facebook user composes a message with a URL in the message’s body, Facebook generates a “URL preview” consisting of a brief description of the website and a relevant image from the website, if available. Facebook keeps a record of each “URL preview”, which is called an “EntShare.” The “EntShare” is tied to the specific user who sent the message. Facebook also creates another record called an “EntGlobalShare” which tracks all users who sent a message containing the same hyperlink. The lawsuit alleges that Facebook uses the information to fuel its algorithms for measuring user engagement and making recommendations. The accompanying flow chart illustrates Facebook’s information tracking.

It is claimed that Facebook shares this user data by redirecting the content of private messages to the operator of the linked webpage. This is intended to help the website customize content for its existing visitors and target advertising to attract new visitors.

Facebook also scans messages in order to increase a page’s “Like” count. When a Facebook user sends a message with a URL, Facebook counts that as equivalent to a user actively clicking “like” on the website link. In this way, even though the user has not ‘liked’ the page or website, Facebook shows the message link as a ‘like’ for purposes of tabulating the number of likes. Testimony in the lawsuit claims that Mark Zuckerberg complained in an email that Twitter’s numbers for its “like”-equivalent were much higher than Facebook’s, and he told his staff that “we should be showing the largest number we can rationalize showing.”

An expert witness in the case testified that Facebook uses a share object called an “EntShare” that is created in Facebook’s source code. Each message has a unique EntShare with a unique numerical identifier, and each EntShare is tied to the Facebook user ID of the message’s sender. All of this information is stored in a database called Titan that shows the date and time that the message was sent, the sender’s user ID, the recipient’s user ID, and the EntShare ID.

The federal Electronic Communications and Privacy Act (ECPA) regulates data in transit. Briefly, it is illegal to monitor data that is flowing through the pipes of the internet. However, the law focuses on the content of messages, not their metadata. The ECPA statute contains exceptions that permit “record information” such as the name, IP address and identifiers about the sender of a message to be monitored.

The Facebook users who brought the lawsuit claimed that Facebook has used a uniform system architecture and source code to intercept and catalog its users’ private message contents. Facebook did not deny that charge.

Encryption is a way for people and businesses to communicate securely. False advertising by Facebook that its messages are encrypted like Apple’s is wrong.
