Facebook Stands Firm in Their Right to Snoop on Users’ Encrypted Messaging

WASHINGTON –– As first reported by Bloomberg, Facebook has responded to U.S. Senator Josh Hawley’s recent letter to CEO Mark Zuckerberg about the company’s supposed “pivot” to a privacy-focused platform. In the letter, Senator Hawley raised questions about whether such a platform could really function as advertised given Facebook’s monetization model. 

“I am frankly shocked by Facebook’s response. I thought they’d swear off the creepier possibilities I raised. But instead, they doubled down,” said Senator Hawley. 

“If you share a link in encrypted messenger with a friend who clicks it, Facebook reserves the right to use cookies to figure out what that link was and what you two might have been discussing in your encrypted chat. If you send a roommate your rent money in encrypted messenger, Facebook reserves the right to use the payment metadata to figure out you might live together. And they call this ‘encrypted’ private messaging,” Hawley continued.  

“My advice to consumers is simple: when Facebook tells you its messaging services are private, you can’t trust them. I’d love to know what Brian Acton and Jan Koum are thinking as they read this response.” 

A few important points to note in Facebook’s response: 

Facebook refuses to swear off efforts to use metadata about encrypted messages to interpolate message content, including which links users share with each other in its encrypted messaging platform. As Senator Hawley noted in his letter, “Facebook knows when its users are interfacing with its messaging products, and it knows through browser cookies and integration with publisher websites when users have clicked links to read articles. . . In combination, these data sources might tell Facebook when its users share links clicked by others through its encrypted messaging platform and which links receive the most traffic through the messaging platform, therefore enabling Facebook to extrapolate the content of users’ conversations and add such insights to users’ advertising profiles.” In its response, Facebook refuses to preclude this possibility, noting that “there are still many open questions about what metadata we will retain and how it may be used” and that “data related to user messaging is integral to how our products currently work.” 

Facebook refuses to swear off efforts to collect and use information about payments made through its encrypted platform to interpolate message content. As Senator Hawley noted in his letter, “A payment system operated by Facebook as an intermediary within an encrypted messaging app is a potential vector for the transmission of sensitive information outside of the supposedly private ecosystem.” In response, Facebook notes that it already “collects data related to the transaction” to “provide a better experience and to better suggest products.” In response to questions about the interaction of payment information and ad targeting, it notes that “information about transactions can be used for personalization on the Facebook platform” – a response that reinforces concerns that payments will be a vector for privacy leakage within Facebook’s encrypted ecosystem.

Facebook refuses to swear off the use of data collected from closed or secret groups for “personalization” and ad targeting. As Senator Hawley noted in his letter, “The principles that have led to your decision to encrypt private messages necessarily suggest that users of groups – certainly of closed or secret groups – deserve the same protections afforded to users of private messenger.” In its response, Facebook reserves the right to collect data on content shared in Facebook groups “as one of many signals that can personalize your experience on the platform.” 

Despite promoting its new platform as privacy protective, Facebook has yet to make critical decisions about the privacy of data shared within it. Facebook repeatedly references “many open questions” about its use of metadata to snoop on users’ supposedly private interactions. Such open questions have not prevented it from marketing its new platform as privacy protective.

The full text of Facebook’s response letter can be found at hawley.senate.gov