Last week, the New York Times reported that Facebook has decided to integrate the back-end infrastructures of its three fully-owned messaging products: Facebook Messenger, WhatsApp, and Instagram. At Public Knowledge, aware of the different nature, features, and conditions of use of these three services, we are carefully following the possible privacy, security, and competition implications of this market-changing move.
In general, we think the integration of Facebook Messenger, WhatsApp, and Instagram has the potential to be beneficial for consumers -- if done right.
Privacy and Security - Encryption:
WhatsApp, in practice the default messaging app for smartphone users outside the U.S. and China, has raised the standard of communications security and privacy worldwide with one simple trick: It uses end-to-end encryption for all its communications by design and by default. Without asking for approval, WhatsApp ensures that out-of-the-box its users’ communications are fully encrypted. In WhatsApp, only the sender and the receiver of a call or a text can see the content of a communication. Everyone else, including Facebook and a hypothetical government agency, would only see gibberish, not the actual conversation, if they were to intercept a WhatsApp call or conversation. WhatsApp does, however, collect metadata, or data around but excluding the content of a conversation, such as location, time stamps, connection frequency, or your contacts.
In contrast, Facebook Messenger is by default unencrypted unless you specifically look for a “secure” conversation option using the mobile app version, and Instagram messages are fully unencrypted. Lack of encryption means that Facebook, and potentially a government, can see the content of all the conversations you are having in those platforms without needing to have physical access to your device or knowing your password.
Techdirt has reported that Facebook is planning to encrypt Instagram conversations ahead of integrating it with WhatsApp and Facebook Messenger. That’s good news. It would be plainly unacceptable that the security of WhatsApp conversations would be watered down to integrate it with Facebook Messenger and Instagram. Simply put: As a baseline, all communications that start or end in WhatsApp should be encrypted by default, regardless of what the default option in Instagram or Facebook Messenger could be.
But we expect Facebook to do more. WhatsApp’s approach to the security of conversations should be the baseline for all Facebook’s products: Facebook Messenger and Instagram messages should be encrypted end-to-end by design and by default, using WhatsApp’s encryption protocol. It would be a significant privacy and security win for consumers if end-to-end encryption would be the default for Facebook Messenger and Instagram communications.
Privacy and Security - Real Name Policy:
The second issue that worries us is identity across the different platforms. Facebook Messenger requires users to respect Facebook’s “real name policy” and use on the platform the “name they go by in everyday life”. Similarly, Instagram will ask you for your full name and email to register or to use your existing Facebook account to log in to the platform, although your username doesn’t have to be your real name. Needless to say, requiring users to register using their real name makes anonymity impossible. In turn, the lack of anonymity on Facebook and Instagram is a barrier and a threat to political commentary, satire, and social and political organizing -- especially, but not only, in autocracies.
In contrast, to use WhatsApp you just need your mobile phone number and an internet connection. We think it would be a terrible development if Facebook were to export Facebook’s real name policy to WhatsApp and Instagram. It’s not necessary for the interoperability of the services and it would endanger the security of WhatsApp users who use the platform to organize politically or simply enjoy greater degrees of anonymity than the ones granted by Facebook. Facebook should not impose a real name policy in WhatsApp.
Privacy and Security - (Even) More Data Accumulation:
When Facebook bought WhatsApp in 2014, it claimed that it was technically impossible to merge the data from those different services. However, Facebook has long been toying with the idea of sharing data between services -- something that European privacy regulators don’t like. In the U.S., the FTC stated in 2014 that, “WhatsApp has made a number of promises about the limited nature of the data it collects, maintains, and shares with third parties -- promises that exceed the protections currently promised to Facebook users. [...] WhatsApp must continue to honor these promises to consumers. Further, if [...] WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC’s order against Facebook.”
Facebook has all the incentives to try and monetize WhatsApp. We hope that it doesn't compromise users’ privacy and security.
Competition - Interoperability:
Unlike email or traditional SMS, the messaging interfaces offered by Facebook, Google, and Apple are usually not interoperable with other products. You can’t use Apple iMessage on Android, and you can’t chat with your Google Hangouts friends from WhatsApp.
In integrating Facebook Messenger, WhatsApp, and Instagram, three different and massive products that originated in three different companies now all owned by Facebook, Facebook is going to demonstrate that interoperability can be done. The integration of WhatsApp, Instagram, and Facebook Messenger can be a blueprint for future interoperability efforts, including opening Facebook’s ecosystem to competitors. If Facebook shows that interoperability with other services is technically possible, it will be harder to justify why they are keeping competitors or potential competitors out of the interoperable ecosystem. If users can communicate seamlessly between WhatsApp and Instagram, Snapchat and Twitter should also have an easy method of achieving interoperability. This may help existing competitors and new entrants have a better shot at disrupting Facebook’s power.
The way billions of people communicate with their friends and family will be radically affected by Facebook’s move to merge its messaging platforms. We still need more details about Facebook’s plan to monetize this move in order to fully understand its privacy implications.
However, we believe that there’s a lot of positive potential in this move. Making WhatsApp-level end-to-end encryption the standard for Facebook Messenger and Instagram would in one simple move radically improve the privacy and security of the communications of millions of people. In addition, this restructuring has the potential to provide a blueprint for the interoperability of competitors and potential competitors.
We will keep following developments to understand better the trade-offs of Facebook’s decision. We are looking forward to Facebook explaining in detail to its users why this move is in their best interest, and not just a rent-seeking strategy.