By Talal Haj Bakry and Tommy Mysk
If you enjoyed this work, you can support us by checking out our apps:
tl;dr
Facebook has recently stopped generating link previews in Messenger and Instagram for users in Europe to comply with Europe’s ePrivacy Directive. In our previous post we showed that Facebook’s servers were downloading data from any link sent through Messenger or Instagram, even gigabytes in size. The change is further evidence that Facebook is using this data for purposes beyond generating link previews, as this change only applies in Europe which has some of the most robust privacy laws.
Quick Recap of Link Previews
Our previous post covered some of the technical aspects of generating link previews: the short summary and preview image shown alongside links in messaging apps. While it’s a nice feature, we showed that generating link previews in some apps can come with unexpected privacy problems. In particular, Facebook Messenger and Instagram were the only two out of all the apps we tested that downloaded the entire contents of any link and stored it on Facebook’s servers, even if the data was gigabytes in size.
You can see this in action here:
We did contact Facebook in September 2020 about what we thought could be a privacy issue (and potentially a serious bug), and they basically dismissed our concerns.
Facebook in Europe
Not long after we published our link preview post, Facebook announced in December 2020 changes to their services in Europe which disabled certain features that didn’t comply with Europe’s 2002 Privacy and Electronic Communications Directive (ePrivacy Directive). Although Facebook did not specify exactly which features were disabled, we recently discovered that link previews are no longer available for users in Europe. This even applies to users outside of Europe if they happen to be chatting with someone in Europe.
This raised an eyebrow because it is an implicit confirmation that Facebook’s handling of link previews in Messenger and Instagram did not conform to privacy regulations in Europe, otherwise they wouldn’t have disabled the feature. As we demonstrated in our videos, Facebook servers download the content of any link sent through Messenger or Instagram DMs. This could be bills, contracts, medical records, or anything that may be confidential. Stopping this service in Europe strongly hints that Facebook may be using this content for purposes other than generating previews.
Europe’s ePrivacy Directive was actually introduced in 2002 but it wasn’t applicable to messaging and calling services until December 2020. The directive includes several articles that can be relevant to the way Facebook generates link previews and may have been the reason why Facebook had to disable the feature. The articles are as follows:
Ensure that personal data can be accessed only by authorised personnel for legally authorised purposes.
Article 4:1a
In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.
Article 4:2
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.
Article 5:3
Since links may contain personal data, these articles prevent Facebook from storing, processing, or using this data without explicit consent from users in Europe. Furthermore, Facebook must clarify the purpose of processing and using the data prior to obtaining the consent.
Our videos clearly show that Facebook servers download and store the content of links sent through either app — if the same link is sent again, Facebook generates a link preview without downloading the link. This indicates that either the preview itself or the content is stored or cached.
Facebook Outside Europe
Link previews are still available in Messenger and Instagram for users outside of Europe, albeit the feature will be disabled if users happen to be chatting with someone in Europe.
Users should be aware that Facebook uses the content of links shared in the chat for purposes other than generating link previews. This actually doesn’t go against Facebook’s Terms of Service, which clearly state that any content users share through any of Facebook’s services will be used for various purposes. This section literally includes everything:
What kinds of information do we collect?
Things you and others do and provide.
Information and content you provide. We collect the content, communications and other information you provide when you use our Products, including when you sign up for an account, create or share content, and message or communicate with others. This can include information in or about the content you provide (like metadata), such as the location of a photo or the date a file was created. […]
How do we use this information?
Provide, personalize and improve our Products.
We use the information we have to deliver our Products, including to personalize features and content (including your News Feed, Instagram Feed, Instagram Stories and ads) and make suggestions for you (such as groups or events you may be interested in or topics you may want to follow) on and off our Products. To create personalized Products that are unique and relevant to you, we use your connections, preferences, interests and activities based on the data we collect and learn from you and others (including any data with special protections you choose to provide where you have given your explicit consent); how you use and interact with our Products; and the people, places, or things you’re connected to and interested in on and off our Products.[…]
https://www.facebook.com/policy
In Europe, on the other hand, the use of personal data requires explicit consent from users even if using such data is covered by the Terms of Service.
This is another video showing Facebook data-hungry servers download a 2.7 GB file 9 times:
The Bottom Line
Facebook disabled link previews for users in Europe to comply with new privacy regulations. This confirms our privacy concerns that sending links to private files in Messenger and Instagram is unsafe. While Facebook did disable link previews in Europe, users in other regions should refrain from sending links through either of these apps. The better option would be to switch to other messaging apps which respect user privacy in all parts of the world alike.