Facebook Promises Encrypted Messaging, but You Don't Need to Wait

End-to-end encryption won't stop the company from using your communications to gather data for targeted ads

message encryption concept iStock-880349732

In a 3,200-word post, Facebook CEO Mark Zuckerberg laid out a vision Wednesday for a “privacy-focused social network” built on the company’s three messaging apps: Facebook Messenger, Instagram Direct, and WhatsApp.

At the heart of the proposal—published a few days before the first anniversary of the Cambridge Analytica scandal—is a plan to protect users’ data by adding the end-to-end encryption employed by Facebook-owned WhatsApp to its Facebook Messenger service. However, the technology, which prevents anyone but the sender and recipient from reading a message’s content, is already widely available on other services, privacy experts say. And when the change comes, it still won’t prevent Facebook from using consumers’ communications to gather data.

“Just because it’s encrypted doesn’t mean that it’s private,” says Emory Roane, an attorney who focuses on policy issues for the Privacy Rights Clearinghouse.

More on Digital Privacy

Zuckerberg promised additional protections in his post as well, saying that in the future Facebook messages and metadata might be deleted automatically after a specified time and that data would be securely stored in countries that respect privacy and freedom of expression. However, he did not commit to a time line for these changes, saying only that they would be implemented over the next few years.

There’s no reason for consumers to wait for the most concrete feature, end-to-end encryption for messages, which is already built into several apps. Messages without encryption still offer a substantial measure of privacy.

Still, consumers should be aware of several nuances. For one, even if a company doesn’t read your messages, it could still use them to gather data that could be used to show you targeted ads.

Two Types of Messages—Both Pretty Private

Broadly speaking, there are two types of text messages.

First are the text messages that use an old technology called SMS, or Short Message Service. SMS messages have been around since the era of the 1990s flip phone. (Texts that include a photo or video are automatically sent as MMS, or Multimedia Message Service, messages, and companies generally treat them the same way.)

These messages aren’t encrypted while they’re on the cellular companies’ servers, though they normally are encrypted when they zip through the ether from your phone to the nearest cell tower. Theoretically, a cellular company might be able to read them.

However, America’s four major carriers tell Consumer Reports that they don’t open or read your SMS or MMS messages. In a statement, a T-Mobile spokesperson told CR by email, “Content of personal SMS messages is not read or utilized for marketing purposes,” nor is the content shared with third parties for their own marketing purposes.

The only exceptions are cases involving law enforcement and court orders—and in those instances, the law has to move fast: Text message contents are rarely preserved for more than a few days after being delivered, according to the cellular carriers.

All this is important because there are just so many SMS messages. Americans send nearly 1.5 trillion of them each year, according to CTIA, a trade association representing the U.S. wireless industry.

The second kind of text message is the kind you send through a service such as Apple’s iMessage, Facebook Messenger, Gchat, Signal, Telegram, or WhatsApp. These normally don’t use SMS technical protocols. Instead, they send their information as regular internet traffic.

Some of those services, including iMessage, Signal, and Facebook’s WhatsApp, already use end-to-end encryption. But Facebook Messenger doesn’t have end-to-end encryption.

There’s one caveat with the encrypted apps—everyone in the conversation has to be using the same app. Some services, such as WhatsApp, let you communicate only with other users. In other cases, you can send a text to people who aren’t using the app, but it won’t be encrypted. If you use iMessage to text a contact who has an Android phone, it travels as an SMS.

However, whether they encrypt your messages or not, messaging services including Facebook say they refrain from reading your communications for targeted advertising or other purposes.

Metadata Isn’t as Private

So far, so good. But what you write in a message isn’t the whole story when it comes to privacy.

Text metadata—information such as who you text with, how often, and when—is equally valuable to advertisers and marketing companies.

WhatsApp provides end-to-end encryption, but the company says it considers texting metadata fair game for marketing. The company’s privacy policy says, in part: “Facebook and the other companies in the Facebook family also may use information from us to improve your experiences within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads.”

By contrast, Signal, an app favored by many privacy and security experts, doesn’t share metadata except in limited circumstances involving government requests, according to the company’s privacy policy.

Metadata is valuable because it can be just as revealing as what you write in a message, says Jonathan Mayer, assistant professor of computer science and public affairs at Princeton University in New Jersey, and former chief technologist for the Federal Communications Commission’s Enforcement Bureau.

“The inferences are pretty precise,” Mayer says. In his research, metadata was used to accurately conclude whether text subjects were preparing for medical procedures or using drugs illegally. It could also determine their religious affiliations. Further, because some companies and organizations have dedicated phone numbers for automated services, texting metadata could also reveal which bank and pharmacy you use, and which political groups you support, he says.

How to Preserve Your Privacy

Consumers may be used to technology companies tracking their web searches and even scanning emails to gather marketing information, but text messages have enjoyed a higher level of privacy. To make sure your texting communications stay as protected as possible, follow these tips.

Use an encrypted messaging service. Even if Facebook or Verizon promises not to read your messages, you want to make sure you’re protected against hackers, too. For this purpose, it’s safest to use an encrypted messaging service. Just be sure that both you and your partner in the conversation are using the same app.

If you’re using iMessage, you may notice that the color of a message bubble sometimes changes. If two iPhone users are having a text conversation, the text bubbles are blue. If you iMessage someone and the bubbles are green, that means the other person is using a different messaging service or an Android phone and the messages won’t be encrypted.

Be cautious with smartphone permissions. If you use an iPhone, your apps can’t request access to your SMS messages, but they can on Android devices—and a lot of them do. If you’re concerned about text message privacy, be cautious in granting this permission—the more often you grant access to SMS, the more vulnerable you are to privacy intrusions. Check the Permissions tab in your phone settings to see which apps have made the request, and to revoke permission if necessary.

Don’t assume your metadata is private. Remember, messaging apps are like other online services, from music-streaming companies to restaurant-review sites. If the privacy policy doesn’t explicitly say that data isn’t being used for commercial purposes, details about who you talk to by text may be no more private than your web searches or online purchases.

Smartphone Privacy Protection

A smartphone can be an incredibly useful device—but what do all those apps do with your information? On the "Consumer 101" TV show, Consumer Reports expert Justin Brookman explains how you can protect your privacy.

Headshot image of Electronics editor Thomas Germain

Thomas Germain

I want to live in a world where consumers take advantage of technology, not the other way around. Access to reliable information is the way to make that happen, and that's why I spend my time chasing it down. When I'm off the clock, you can find me working my way through an ever-growing list of podcasts. Got a tip? Drop me an email ( thomas.germain@consumer.org) or follow me on Twitter ( @ThomasGermain) for my contact info on Signal.