Why is this a threat to your privacy?
In early 2019, Facebook announced that it plans to merge the backend infrastructure of its three messaging platforms: Facebook Messenger, Instagram, and WhatsApp. Whilst this move is likely an attempt to solidify its hold on the messenger market (WhatsApp and Facebook Messenger are already the most popular messaging platforms), it also has significant impacts on user privacy.
How the Merger Will Work
The proposed merger of the applications exists primarily on Facebook’s backend servers. Instead of supporting three separate messaging platforms, all of the platforms will use the same backend infrastructure.
On the front end, the user experience will only change minorly. All three applications will continue to operate independently; however, users of each application will be able to communicate directly with one another across apps. This helps Facebook to consolidate its dominance of the messaging application market since the vast majority of people use at least one of the three Facebook-owned applications.
Privacy Impacts of the Messenger Merger
At the surface, merging the backend infrastructure of multiple applications owned by the same company may make sense. However, by merging Facebook Messenger, Instagram, and WhatsApp chat functionality, Facebook degrades the privacy of its users in a number of different ways.
Facebook’s various messaging apps require different information upon account creation. For example, a WhatsApp user only needs to provide a phone number to create an account, whilst Facebook and Facebook Messenger require users to reveal their real-world identity (and encourages sharing of a lot more information than that).
With the merger of Facebook Messenger, Instagram, and WhatsApp’s backends, user accounts will be linked across the three services. This means that a user’s real identity (provided to Facebook Messenger) will be combined with their phone number (required by WhatsApp). This enables Facebook to build a much more complete user profile for each of its users, which can then be sold to advertisers and other Facebook partners.
People share different types of personal data and information across each of Facebook’s messaging platforms. A Facebook account may be primarily used to connect to friends and family, whilst Instagram users may follow people with shared interests that they’ve never met before.
By linking the backend infrastructure of the three services, Facebook is capable of aggregating all of the data that a user sends across all of its messaging platforms. This enables Facebook to analyze a much larger amount of data and extract insights from it. The aggregated data can then be used to create more targeted advertising and be sold to third parties.
In its plan for integrating its three messaging platforms, Facebook claims that they want to implement end-to-end encryption for all of them. However, they have also stated that this is a challenging problem and might take multiple years to complete.
One of the primary issues with implementing end-to-end encryption across the messaging platforms is that all three of them currently offer different levels of it:
● WhatsApp is end-to-end encrypted by default
● Facebook Messenger offers end-to-end encryption as an option (disabled by default)
● Instagram offers no end-to-end encryption
To offer secure end-to-end encryption across all platforms, all three messengers need to have the same implementation of end-to-end encrypted chat. Currently, this is not the case, making a significant revision necessary to offer it. Attempting to “bolt on” end-to-end encryption to the services that do not currently offer it increases the probability that an error or oversight will compromise its security.
Even if all three platforms offer end-to-end encryption for messages, the small print is important. Whilst WhatsApp currently uses end-to-end encryption, its data is stored decrypted on the device, and, in the past, backups stored on the WhatsApp servers were not encrypted. Unencrypted device-side storage can already theoretically be accessed by Facebook Messenger on iOS, and server-side backups can be easily mined for data.
Facebook’s historic stance of “we can’t read your messages because they are end-to-end encrypted” ignores these facts either deliberately or through ignorance. This lends weight to anecdotal reports that Facebook is already mining private WhatsApp conversations for information.
In recent years, the data privacy regulatory landscape has grown much more complex. New laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) provide customers with new rights and place new restrictions on businesses’ ability to collect and process consumer data.
One of the most common requirements is an explicit “opt in” or “opt out” for data processing activities. Facebook Messenger, Instagram, and WhatsApp all may individually have the required user consent options, but combining them can make consent management more difficult. This increases the probability that Facebook will run afoul of GDPR and similar laws due to a failure to clearly and explicitly request user consent for their data collection and processing practices.
Is Facebook Trying to (Further) Undermine User Privacy?
The fact that Facebook is taking steps that potentially degrade the privacy of its users should come as no surprise. The Cambridge Analytica scandal and other events have demonstrated that Facebook does not value the privacy of its users. The organization’s entire revenue model is based upon selling user data to marketers and advertisers, making its claims of support for user privacy suspect.
Another warning sign is the fact that this merger directly violates the promises made by Facebook when acquiring WhatsApp and Instagram. These platforms’ founders were promised that their applications would have a high degree of autonomy after the acquisition, which this merger clearly violates. The later departure of both Instagram and WhatsApp’s founders from Facebook demonstrates that Facebook’s vision for their applications differs from their own. In the case of WhatsApp’s founders, the breaking point was disagreements over data privacy and encryption.
The Bottom Line for Facebook User Privacy
If done properly, this merger could be a boon for the privacy of the users of Facebook apps. The company claims that all communications will enjoy end-to-end encryption, and integration would enable easy cross-platform messaging.
In reality, Facebook has demonstrated a continuous disregard for user privacy and has built a business on selling their data. If end-to-end encryption is enabled, it is almost certain that the company will maintain some backdoor (like scanning device-side storage) to allow it to continue monitoring and monetizing user communications.