Facebook has not had much good press in recent years, with one important exception: when, at the end of 2016, the company introduced end-to-end encryption in Facebook Messenger for what were then around one billion users, there was goodwill and applause from all sides.
For the first time, two users could communicate securely through the messaging app of a company many liked to call a "data octopus", without any third party being able to read the messages. Experts celebrated the step toward more user privacy. "In practice, this means that even if the police ask Facebook to hand over the content of the chats, the company cannot do so; it simply cannot decrypt the data," wrote the technology magazine Mashable, for example.
But Motherboard's research shows that there is a back door that allows Facebook to read encrypted messages without the sender noticing.
This is not a "backdoor" in the strict technical sense, like the ones published by the Shadow Brokers hacker group that are used to get into a computer covertly and permanently. But in October 2016 Facebook did build a mechanism that allows the company, once a user files a report, to read messages that are in fact end-to-end encrypted.
That should actually be impossible: for the encryption, Facebook, like WhatsApp, relies on the well-regarded Signal protocol, which is also used in the messenger of the same name. The sticking point is Facebook's implementation of the protocol, which is described in a technical white paper on secret conversations: it allows Facebook to read messages in decrypted form once they have been reported by a user.
Few of the 1.3 billion Messenger users are likely aware that Facebook can gain unnoticed access to their private, end-to-end encrypted messages; yet this happens automatically as soon as one of the two parties reports the conversation as a possible violation of the community standards. Facebook's English help pages state it plainly: "A report decrypts the latest messages from a conversation and sends them to our support team for review." The German help pages contain the same paragraph, but with a crucial error: the word "decrypted" was mistranslated as "encrypted".
We asked Facebook where and when exactly a user's messages are decrypted after a report. The company did not answer this question.
Facebook's help pages also state: "We will not tell the person you're talking to that you reported them."
One feature that earned praise in 2016 was the option to have messages in secret conversations self-destruct: users can set a timer after which a message is automatically deleted. Yet even these messages can be reconstructed by Facebook when the recipient reports the conversation, even some time after the message has already destroyed itself and is no longer visible to either chat partner. Facebook thus keeps open the possibility of punishing users for violations within a "secret conversation", as Facebook calls the encrypted chats.
Until now this was not known, probably also because chats with strong end-to-end encryption, as developed by Open Whisper Systems, are supposed to protect precisely against access by intelligence services, law enforcement agencies or companies.
When asked, Facebook would not say how many of the "latest" messages the company can read. "That depends on the report," a Facebook spokesperson wrote to Motherboard.
This most recently became apparent in a case in which more than 1,000 Danish teenagers were charged with distributing child pornography: the teenagers had sent a video showing two 15-year-olds having sex via Facebook Messenger, and Facebook, according to reports, handed user data to the police. Whether all 1,004 adolescents were identified after a report in Messenger, and whether they include users who spread the video in secret conversations, even Flemming Kjaerside, the head of the Danish cybercrime police, where the data finally ended up for investigation, could not say.
Facebook, however, does not see this reporting option as affecting users' privacy. "The ability to report such violations does not weaken the guaranteed end-to-end encryption of secret conversations," said a spokesperson. "Facebook never has access to unencrypted (sic!) messages unless a participant in a secret conversation volunteers them."
But there is an important difference between posts and the secret messages in Facebook Messenger: in the latter case the participants rightly assume that their conversation is and remains private. "Your messages are already secure, but secret conversations are encrypted from one device to the other," Facebook announces when a user starts their first secret conversation in Messenger. That suggests that nobody else will read this message. But it is exactly this promise that Facebook cannot keep.
All unencrypted messages exchanged via Facebook Messenger are stored by Facebook on its own servers.
In general, end-to-end encryption means that no one except the sender and the recipient can read the messages: not law enforcement agencies, not intelligence services, and not Facebook itself. The content is encrypted on the sender's device, delivered to the recipient's device and decrypted there, and vice versa.
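To make the trust boundary concrete, here is an added toy model of the two paths the article describes: the normal end-to-end path, where the relay only ever holds ciphertext it cannot open, and the report path, where the reporting participant's own device hands over plaintexts it has already decrypted, expired timers included. This is illustration code written for this page, not Facebook's code and not the Signal protocol: it assumes a single static AES-GCM key shared by the two devices in place of Signal's ratcheting keys, and it assumes the reporting device simply retains decrypted texts locally (the article does not say how Messenger actually retains expired messages). The participants, the relay and the sample messages are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is all the relay (standing in for Facebook's servers) ever sees:
// a random nonce and the AES-GCM ciphertext, never the plaintext.
type Envelope struct {
	Nonce, Ciphertext []byte
}

// Relay forwards and stores envelopes. It holds no session key.
type Relay struct{ Stored []Envelope }

// message is what a device keeps after decrypting: the text plus whether it is
// still shown in the chat (a disappearing message flips visible to false).
type message struct {
	text    string
	visible bool
}

// Client is one participant's device. sessionKey is a single shared symmetric
// key; that is an assumption of this toy, standing in for the ratcheting keys
// the Signal protocol derives in the real Messenger.
type Client struct {
	sessionKey []byte
	history    []message
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send encrypts on the sender's device and hands the relay only the envelope.
func (c *Client) Send(r *Relay, plaintext string) error {
	aead, err := newAEAD(c.sessionKey)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	r.Stored = append(r.Stored, Envelope{nonce, aead.Seal(nil, nonce, []byte(plaintext), nil)})
	return nil
}

// Receive decrypts envelope i on the recipient's device and keeps the plaintext locally.
func (c *Client) Receive(r *Relay, i int) (string, error) {
	aead, err := newAEAD(c.sessionKey)
	if err != nil {
		return "", err
	}
	e := r.Stored[i]
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return "", err
	}
	c.history = append(c.history, message{string(pt), true})
	return string(pt), nil
}

// Expire models a disappearing message: it vanishes from the chat view but,
// in this toy, the decrypted text stays in the device's local history.
func (c *Client) Expire(i int) { c.history[i].visible = false }

// Visible returns what the user currently sees in the chat.
func (c *Client) Visible() []string {
	var out []string
	for _, m := range c.history {
		if m.visible {
			out = append(out, m.text)
		}
	}
	return out
}

// Report models the help-page behaviour: the reporting device uploads its
// latest n messages in the clear, expired timers included. The relay never
// decrypts anything; the plaintext comes from the participant's device.
func (c *Client) Report(n int) []string {
	start := len(c.history) - n
	if start < 0 {
		start = 0
	}
	var out []string
	for _, m := range c.history[start:] {
		out = append(out, m.text)
	}
	return out
}

// TryDecryptAtRelay models the relay trying to read a stored envelope. It has
// no session key, so the best it can do is guess one; GCM's tag check then fails.
func (r *Relay) TryDecryptAtRelay(i int) (string, error) {
	aead, err := newAEAD(make([]byte, 32)) // all-zero guess, not the real key
	if err != nil {
		return "", err
	}
	e := r.Stored[i]
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, nil)
	return string(pt), err
}

// Outcome collects the three facts the scenario demonstrates.
type Outcome struct {
	RelayCanRead   bool
	RecipientSees  []string
	ReportedToTeam []string
}

// RunScenario: Alice sends two messages, the first one disappears on Bob's
// screen, then Bob reports the conversation. Names and texts are constructed.
func RunScenario() (Outcome, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Outcome{}, err
	}
	alice, bob, relay := &Client{sessionKey: key}, &Client{sessionKey: key}, &Relay{}

	for _, m := range []string{"first, with timer", "second, no timer"} {
		if err := alice.Send(relay, m); err != nil {
			return Outcome{}, err
		}
	}
	for i := range relay.Stored {
		if _, err := bob.Receive(relay, i); err != nil {
			return Outcome{}, err
		}
	}
	bob.Expire(0) // the first message's timer runs out on Bob's screen

	_, err := relay.TryDecryptAtRelay(0)
	return Outcome{
		RelayCanRead:   err == nil,
		RecipientSees:  bob.Visible(),
		ReportedToTeam: bob.Report(2),
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("relay can read: %v\nrecipient sees: %q\nreport uploads: %q\n",
		out.RelayCanRead, out.RecipientSees, out.ReportedToTeam)
}
```

The point of the model is the asymmetry: the relay's decryption attempt fails at the AEAD tag check, so "Facebook cannot decrypt the data" holds for everything stored server-side, while the report path needs no decryption at all because the plaintext leaves a device that legitimately holds the key. That is why an expired message can still be uploaded: whether it survives depends only on what the reporting client retains, not on anything the server can do.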
For many users, end-to-end encryption was therefore probably an incentive to download Facebook Messenger, after WhatsApp, which also belongs to Facebook, had introduced a feature with which messages could be sent securely and could not be spied on. Facebook accordingly advertised its offer of secure communication at first, and tech magazines such as Wired recommended: "You can now encrypt your Facebook chats, so do it."
Facebook itself confirmed to Motherboard "that the [secret] messages are intended only for the two parties, and for no one else, not even Facebook". But, given the possibility of decryption in the reporting process, this statement comes with a big "unless".
Security researchers already commented on the design of secret conversations when they were introduced in October 2016: Facebook does not activate the encryption in Messenger automatically; the user has to turn it on. In addition, it works on only one device per user, and only in the mobile app, not in the browser.
For technical reasons, secret messages can only be viewed on the device with which they were exchanged. The other party's replies then appear in a black instead of a blue speech bubble. In addition, a timer can be set by tapping the stopwatch icon, after which messages are automatically deleted from the chat.
There are other restrictions, too, that other messengers have already solved better: voice messages, videos or video messages, and GIFs cannot be sent encrypted in Facebook Messenger, even though that would be technically possible. Group messages can also only be exchanged unencrypted.
All in all: anyone who really has something private to discuss should stay away from Messenger.