
Facebook can read your secret chats without you knowing it


Facebook has not had much good press in recent years, with one important exception: when, at the end of 2016, the company introduced end-to-end encryption in Facebook Messenger for what was then around one billion users, it earned goodwill and applause from all sides.

For the first time, two users were able to communicate securely through the messaging app of a company that is often called a “data octopus”, without any third party, the platform included, being able to see the messages. Experts celebrated the step towards more user privacy. “In practice, this means that even if the police ask Facebook to hand over the content of the chats, the company cannot do that; it simply cannot decrypt the data,” the technology magazine Mashable wrote, for example.

But Motherboard’s research shows that there is a backdoor that allows Facebook to read encrypted messages without the sender noticing.

This is not a “backdoor” in the strictest technical sense, like those published by the Shadow Brokers hacker group, which secretly and permanently penetrate a computer. But Facebook has indeed built a mechanism that, once a user has reported a message, allows the company to read messages that are actually encrypted, and it has done so since October 2016.

That actually seems impossible: for the encryption, Facebook, like WhatsApp, relies on the secure and renowned Signal protocol, which is also used in the messenger of the same name. But the sticking point is the implementation of the protocol, which is described in a technical white paper on secret conversations: it allows Facebook to read the messages in decrypted form once a user has reported them.

Few of the 1.3 billion Messenger users are likely to realize that Facebook can gain unnoticed access to their private, end-to-end encrypted messages, but this happens automatically as soon as one of the two parties reports the conversation as a possible violation of the community standards. Facebook’s English help pages state it clearly: “A report will decrypt the latest messages from a conversation and send them to our support team for review.” The same paragraph appears on the German help pages, but with a crucial error: the word “decrypted” was mistranslated as “encrypted”.

We asked Facebook where and when exactly a user’s messages are decrypted after a report. The company has not answered this question.


Facebook’s help pages also say: “We will not tell the person you’re talking to that you reported them.”

Facebook can even reconstruct encrypted messages that have deleted themselves

One feature that garnered praise in 2016 was the ability to have messages in secret conversations delete themselves. Users can set a timer so that messages are automatically destroyed after a certain amount of time. Even these messages can be reconstructed by Facebook when the recipient reports a message, even a while after the message has already destroyed itself and is no longer visible to either chat partner. Facebook thus keeps open the possibility of punishing users for violations within a “secret conversation”, as Facebook calls the encrypted chats.
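The reporting flow described above and the self-destruct caveat, as an added simulation that is not part of the article or of Facebook’s code: the server relays ciphertext it cannot decrypt, and plaintext reaches it only when one chat partner’s client reports and uploads its own copy of the most recent messages, including ones the timer has already removed from view. The cipher is a toy XOR keystream standing in for Signal’s double ratchet, and the report window size and the client’s retention of expired messages are assumptions, not details the article gives.

```python
import hashlib
import secrets
from collections import deque

# Toy stand-in for the Signal double ratchet: SHA-256 counter-mode keystream, XORed.
def _keystream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Server:
    """Relays ciphertext it cannot read; sees plaintext only via reports."""
    def __init__(self):
        self.relayed, self.reports = [], []
    def relay(self, blob):
        self.relayed.append(blob)
    def receive_report(self, plaintexts):
        self.reports.append(list(plaintexts))

class Client:
    """One chat partner. REPORT_WINDOW (assumed) models 'the latest messages';
    the article does not say how many messages Facebook receives."""
    REPORT_WINDOW = 3
    def __init__(self, key, server):
        self.key, self.server = key, server
        self.visible = {}                   # msg_id -> text shown in the UI
        self.recent = deque(maxlen=self.REPORT_WINDOW)  # kept for reporting (assumed)
    def send(self, msg_id, text, peer):
        blob = encrypt(self.key, text.encode())
        self.server.relay(blob)             # the server only ever sees ciphertext
        peer.receive(msg_id, blob)
    def receive(self, msg_id, blob):
        text = decrypt(self.key, blob).decode()
        self.visible[msg_id] = text
        self.recent.append((msg_id, text))
    def expire(self, msg_id):
        self.visible.pop(msg_id, None)      # timer fired: gone from the UI only
    def report(self):
        self.server.receive_report(self.recent)  # client-side plaintext disclosure
        return list(self.recent)
```

The point the simulation makes is that nothing about the cryptography changes: the server never holds a key, but the reporting client already holds the plaintext and simply hands it over.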

So far this has not been known, probably also because chats with strong end-to-end encryption, as developed by Open Whisper Systems, are supposed to protect against access by intelligence services, law enforcement agencies or companies.

On request, Facebook did not want to say how many of the “latest” messages the company can read. “That depends on the message,” a Facebook spokesperson wrote to Motherboard.

The Facebook dilemma: privacy or house rules?

Facebook emphasizes that it does not have access to secret chats unless one of the participants reports them as a possible violation of the Community Standards. Then, unlike WhatsApp, which refers such cases to law enforcement agencies, Facebook also examines the private realm of secret conversations “to identify users who violate Messenger’s Terms of Use,” a Facebook spokesperson writes in an email to Motherboard.

Most recently, this became apparent in a case in which more than 1,000 Danish teenagers were charged with distributing child pornography: the teenagers had sent a video in which two 15-year-olds have sex via Facebook Messenger, and according to reports Facebook handed user data over to the police. Whether all 1,004 adolescents were identified after a report in the messenger, and whether this included users who had spread the video in secret conversations, not even Flemming Kjaerside, the head of the Danish cybercrime police, where the data finally ended up for investigation, could answer.

Facebook, however, does not consider users’ privacy affected by this possibility of tracing messenger messages. “The ability to report such violations does not weaken the guaranteed end-to-end encryption of secret conversations,” said a spokesperson. “Facebook never has access to unencrypted (sic!) messages unless a participant in a secret conversation volunteers them.”

The back door that Facebook has left open here shows the pitfalls of dealing with community standards: how far should the terms of use, in effect the house rules of the network, extend? Should Facebook enforce the guidelines only in the news feed, or also in non-public communication in the messenger?


But there is an important difference between posts and the secret messages of Facebook Messenger: in the latter case, the interlocutors rightly assume that their conversation is private and remains so. “Your messages are already secure, but secret conversations are encrypted from one device to the other,” Facebook announces when a user starts their first secret conversation in Messenger. That suggests nobody else will read this message. But exactly this promise Facebook cannot keep.

Encryption was the most important messenger feature for users

Facebook stores all non-encrypted messages exchanged via Facebook Messenger on its own servers.

In general, end-to-end encryption means that no one can read the messages except the sender and the recipient, not even law enforcement agencies, intelligence agencies, or Facebook itself. The content is encrypted on the sender’s device, delivered to the recipient’s device and decrypted there, and vice versa.

For many users, end-to-end encryption should therefore have been an incentive to download Facebook Messenger, after WhatsApp, which also belongs to Facebook, had introduced a feature with which messages could be sent safely without being spied on. Accordingly, Facebook initially campaigned on offering secure communications, and tech magazines like Wired recommended: “You can now encrypt your Facebook chats, so do it.”


Facebook itself confirmed on request from Motherboard “that the [secret] messages are intended only for the two parties, and for no one else, not even Facebook”. But this statement comes with a fat “unless”, given the possibility of decryption in the reporting process.

If you need privacy, you should use another encrypted messenger

Security researchers already commented on the design of secret conversations when they were introduced in October 2016: Facebook does not activate encryption in the messenger automatically; the user has to turn it on. In addition, it only works on one device per user, and only in the mobile app, not in the browser.

For technical reasons, secret messages can only be viewed on the device on which they were exchanged. The interlocutor’s replies then appear in a black rather than a blue speech bubble. In addition, a timer can be set by tapping the stopwatch icon, after which messages are automatically deleted from the chat once the pre-set time has elapsed.

There are also some other restrictions that other messengers have already solved better: voice messages, videos or video messages and GIFs cannot be sent encrypted with Facebook, even though that would be technically possible. Group messages are likewise exchanged without encryption.

All in all: anyone who really has something private to discuss should stay away from the messenger.

Source: Motherboard

