Facebook’s privacy settings are complicated, especially when it comes to messaging.
Between WhatsApp, Messenger, and Instagram, there’s little cohesion. Thus, many Facebook users unnecessarily sacrifice their privacy because they misunderstand, or are unaware of, each app’s features.
As Wired explained in January, WhatsApp is the only one of Facebook’s major apps to offer end-to-end (E2E) encryption by default. That means Facebook doesn’t have the ability to read messages between users on that platform. Only senders and recipients possess the keys to decrypt their WhatsApp communications.
Messenger also offers E2E encryption, but it’s not the default setting. Instead, the option is buried as “Secret Conversations,” a feature few users are aware of.
Instagram does not offer E2E encrypted direct messages yet, but as TechCrunch reported in January, Facebook plans to extend E2E encryption as part of its larger integration plan. The company has not provided a timeline for E2E encrypted Instagram DMs.
Part of the reason for a renewed focus on Facebook’s E2E encryption—or, in some cases, lack thereof—stems from a prospective data-sharing agreement between the US and the United Kingdom. The agreement, expected to be signed by UK Home Secretary Priti Patel in October, would compel US-based social media companies to share encrypted messages with UK law enforcement to assist with criminal investigations. (The contents of E2E encrypted messages, however, would remain out of reach.)
“The data access agreement, which marks the culmination of four years of intense lobbying by the UK, is seen by Downing Street as an essential tool in the fight against terrorism and sexual abuse,” The Times of London reported Sept. 28. However, while the newspaper stated that WhatsApp messages would be affected by the treaty, it appears that is not the case due to WhatsApp’s E2E encryption.
“We were surprised to read this story and are not aware of discussions that would force us to change our product,” Will Cathcart, head of WhatsApp, posted on Hacker News. “We believe people have a fundamental right to have private conversations. End-to-end encryption protects that right for over a billion people every day.”
Facebook’s former chief security officer Alex Stamos also discussed the reported treaty. In a lengthy Twitter thread, Stamos explained that the US’s Electronic Communications Privacy Act and Stored Communications Act, both signed in 1986, do not “allow American tech companies to turn over the contents of communications, even to human rights-respecting democracies with independent court systems.” There are exceptions, he acknowledged.
Stamos wrote: “ECPA/SCA is a really important tool for pushing back on authoritarian countries. The companies like to say things like ‘we follow local law’, but in reality, they resist orders every day by saying ‘sorry, SCA won’t let us do that.’ So we can’t just create a blanket exception.”
With regard to the expected US-UK data-sharing agreement, there are two “big issues,” Stamos wrote. First, “[e]nforcement of laws online are often a shared responsibility between governments and companies.” Second, “US companies now transmit and store communications content for the entire planet using global infrastructure.”
Ultimately, the forthcoming treaty, the first international agreement under the US’s CLOUD Act, would allow UK courts to request information from US-based social media companies—and, it appears, vice versa. “The fight over encryption continues,” Stamos wrote, “but the US/UK agreement hopefully reduces some of the pressure by giving UK [law enforcement] the same options as US [law enforcement].”
While there remain few guarantees of online privacy, Facebook users who hope to maintain some semblance of personal digital space may want to switch from Messenger to WhatsApp.