If you’re one of the hundreds of millions using Facebook Messenger, now would be a good time to think about alternatives.
While the platform heralded a major security update this week, with the addition of biometric device locks on iOS, the sad truth is that Messenger is seriously lacking on the security front. And this is a problem that is both getting worse and that Facebook cannot easily fix.
In announcing its latest feature updates, Facebook told users that “privacy is at the heart of Messenger—where you can be yourself with the people who matter most to you.” The company said that App Lock would “add another layer of security to your private messages to help prevent other people accessing them.” Unfortunately, this update is akin to adding extra locks to the front door of a bank, while leaving the vault wide open. It’s peripheral at best. There are now alternatives that offer most of the same functionality without the risks. It’s time to switch.
So, what’s the problem? In a word: encryption. Don’t take my word for it; Facebook itself warns users of the risks when messages are not end-to-end encrypted. That security measure, the company admits, would “mitigate the compromise of server and networking infrastructure used by Messenger—Facebook’s included.” The company issued that warning in 2017, when introducing its “secret conversations.”
Secret conversations enable opt-in end-to-end encryption for specific person-to-person Messenger chats, not for groups and not by default. “A secret conversation in Messenger is end-to-end encrypted and intended just for you and the person you’re talking to,” Facebook says, implying that messages which are not “secret” risk being accessed by more than “just you and the person you’re talking to.”
Facebook has created a serious problem for itself with Messenger. The company has become the world’s leading advocate for end-to-end encryption, and CEO Mark Zuckerberg has personally lauded its benefits. But the company has also admitted that the technical complexities of adding this level of security to Messenger will take years. So: you’re not as secure as you should be, but if you can just hang on a few years, we’ll be sure to get that sorted for you. Really?
Just look at WhatsApp’s explanation for why it’s needed: “Some of your most personal moments are shared with WhatsApp,” it says, “which is why we built end-to-end encryption into our app. When end-to-end encrypted, your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.” WhatsApp is of course owned by Facebook. Enough said.
These issues aren’t limited to Facebook Messenger, of course. SMS messaging is even worse. But that has become fairly well understood now, and the straightforward advice is to stop using SMS if possible. Apple’s iMessage, and Google’s rumoured plans to encrypt RCS (the SMS replacement), each offer an end-to-end encrypted upgrade path away from SMS, still the world’s most pervasive mobile messaging platform.
But Messenger has more than a billion users—and unlike SMS it presents as an updated and fully featured alternative to legacy messaging. “Users choosing to communicate via Messenger must understand the real threat to their information within such apps,” warns ESET cybersecurity guru Jake Moore. “Although many may think the content in their messages isn’t personal, the real issue is that any information on you is open to abuse in the wrong hands.”
If you have any doubts, take a look at Twitter’s recent public shaming. No-one should be surprised by Twitter’s admission that the recent hack of more than 100 accounts also exposed the private messages of 36 of them. Twitter DMs are not end-to-end encrypted; as with Messenger, that feature has been stuck on the roadmap for years.
Twitter is not a private messaging platform—its volume of DMs is a fraction of those sent over Messenger. But take it as a warning. “After the recent complications with Twitter,” Moore says, “it highlights once again the importance of end-to-end encrypted messages and privacy focused messaging platforms.”
The Twitter attack put a sharp frame around the vulnerability that exists when a platform holds the keys to decrypt your private conversations. The platform may use those keys if asked by law enforcement, but there is also a risk that rogue or tricked employees will do the same. Facebook told me that “our servers are only in a handful of countries that have strong rule of law. We also have strong data protections and safeguards in place that secure data at rest and restrict employee access to message content.”
But, as uber-secure ProtonMail points out, “the best way to protect data is to not have access to it at all. The benefit of using end-to-end encrypted services is that data can be kept safe even in the event of the inevitable data breach because the service provider itself does not have the ability to decrypt user data. In effect, it is impossible for hackers to steal something that the service itself does not possess.”
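The contrast drawn in the last two paragraphs, a provider that holds the decryption keys versus one that never has them, as a runnable illustration. This is an added example, not code from the article, from Facebook or from ProtonMail. It uses a toy encrypt-then-MAC construction built on HMAC-SHA256 as a stand-in for a real AEAD (do not deploy it), and it assumes the two clients in the end-to-end model have already agreed a pairwise key on their own devices; key agreement is out of scope. The class and function names (`ProviderHeldKeyServer`, `EndToEndServer`, `plaintexts_from_dump`, `simulate`) are mine, and the message is constructed sample input.

```python
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a stand-in for a real stream cipher (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    # Separate encryption and MAC keys derived from one 32-byte secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key, plaintext):
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Verify the tag in constant time before touching the ciphertext; reject anything tampered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class ProviderHeldKeyServer:
    """Model A (Messenger today, Twitter DMs): TLS in transit, then the server stores the
    message under an at-rest key that the provider itself holds."""

    def __init__(self):
        self.at_rest_key = secrets.token_bytes(32)
        self.store = []

    def receive(self, plaintext):
        # The message is in the clear once TLS terminates at the server.
        self.store.append(encrypt(self.at_rest_key, plaintext))

    def dump(self):
        # What a full compromise, or an insider with production access, walks away with.
        return {"store": list(self.store), "keys": [self.at_rest_key]}


class EndToEndServer:
    """Model B (secret conversations, WhatsApp, Signal): clients encrypt under a pairwise key
    the server never sees, so the server can only store and forward ciphertext."""

    def __init__(self):
        self.store = []

    def receive(self, ciphertext):
        self.store.append(ciphertext)

    def dump(self):
        return {"store": list(self.store), "keys": []}


def plaintexts_from_dump(dump):
    """Attacker's view after a breach: try every key found in the dump against every blob."""
    recovered = []
    for blob in dump["store"]:
        for key in dump["keys"]:
            try:
                recovered.append(decrypt(key, blob))
            except ValueError:
                continue
    return recovered


def simulate(message=b"meet at 7, bring the documents"):
    """Send one constructed message through each model, then breach both servers."""
    model_a = ProviderHeldKeyServer()
    model_a.receive(message)

    # Assumed: Alice and Bob already agreed this pairwise key on their own devices.
    pairwise_key = secrets.token_bytes(32)
    model_b = EndToEndServer()
    model_b.receive(encrypt(pairwise_key, message))

    return {
        "provider_held_breach": plaintexts_from_dump(model_a.dump()),
        "e2e_breach": plaintexts_from_dump(model_b.dump()),
        "e2e_recipient_reads": decrypt(pairwise_key, model_b.store[0]) == message,
    }


def tamper_detected(message=b"hello"):
    """The MAC stops a server or network attacker from silently modifying a stored message."""
    key = secrets.token_bytes(32)
    blob = bytearray(encrypt(key, message))
    blob[16] ^= 0x01  # flip one bit of the ciphertext, leaving nonce and tag intact
    try:
        decrypt(key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = simulate()
    print("breach of provider-held-key server yields:", result["provider_held_breach"])
    print("breach of end-to-end server yields:", result["e2e_breach"])
    print("recipient still reads:", result["e2e_recipient_reads"], "| tamper detected:", tamper_detected())
```

Dumping the first server (its disk plus the key its process holds) recovers the message, which is why encryption at rest and restricted employee access are only partial answers; dumping the second yields nothing but ciphertext, while the recipient who holds the pairwise key still reads it. That is the ProtonMail point in code. The tamper check shows the other half of the guarantee: a server that merely relays ciphertext cannot silently alter it either. What the model deliberately leaves out is a compromised endpoint, which is a separate problem no amount of server-side design fixes.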
There’s a warning in there for even the more secure messaging apps. Apple’s and Google’s cloud back-ups of messages are not end-to-end encrypted; they essentially store a copy of your phone’s decrypted data. And when you use the current WhatsApp cloud back-up feature, you run that same risk. This, though, is now being fixed.
Moore advocates Signal, the platform of choice for cyber experts, with its security-first approach and no cloud back-up of your messages, as does infosec writer John Opdenakker. “People should consider everything they say in Twitter DMs or via Facebook Messenger can become public sooner or later,” Opdenakker tells me. “If you want private messaging use apps like Signal that offer end-to-end encryption.”
Moore also recommends Telegram, a slightly more complex option. Telegram does not end-to-end encrypt by default. The reason, Telegram explains, is that doing so would make it impossible for users to easily access messages on different devices from central repositories, or to restore their history when a device is lost and replaced. Telegram does adopt a security-first approach, though, distributing the encryption keys it holds across different jurisdictions to frustrate any internal attempts, whether malicious or at the request of security agencies, to access content.
Security professionals will always recommend the likes of Signal, where feature updates are only introduced when they do not compromise security. In reality, though, you don’t need to look further than WhatsApp. The world’s most popular platform is end-to-end encrypted by default: it does this for individual chats and groups as well as for voice and video calls, again even when those extend to groups.
WhatsApp has had its security wobbles over the years, but its end-to-end encryption has not been compromised. Hackers target devices, not the platform, because each end of an encrypted chat is a decrypted vulnerability. Even Telegram warns: “We cannot protect you from your own mother if she takes your unlocked phone without a passcode. Or from your IT department if they access your computer at work. Or from any other people that get physical or root access to your phones or computers.”
Right now, when it comes to ease of use and features, Messenger beats WhatsApp. But that’s about to change. WhatsApp plans to introduce genuine multi-platform access with linked devices, and it also looks set to add encrypted cloud backups of some sort, which would provide the central messaging history Messenger offers. Perhaps even more pertinently, WhatsApp is also expected to become interoperable with Messenger some time soon. So you can switch to a platform that is end-to-end encrypted by default while still staying in touch with those who have not.
Any major feature updates where secure platforms seek to match the usability of Messenger will always introduce potential risks. “I’d argue that with many of these apps it’s not end-to-end in the true sense,” infosec researcher Sean Wright tells me. “I say this since you can receive messages and the history of messages when logging into another device.” That said, such risks are a world away from the issues with Messenger or Twitter or SMS, where there is no default end-to-end encryption at all.
So, to all those still using Messenger because it’s easy and familiar, you now have a choice. Stick with this lack of security for the next few years, or make a switch to a platform that offers almost all of the benefits while fixing the most serious problem. “Non encrypted messaging platforms are widely open to attack,” says Moore, “and left vulnerable once exploits are located. We must start to educate people about the risks and start transitioning to privacy focused apps.”
For its part, Facebook told me it remains “very committed to making Messenger end-to-end encrypted by default,” suggesting that there has been no delay as such, and that the timing “is consistent with what we’ve said since the launch—that it’s going to take time and we’re committed to doing this right.” The company also pointed me to its defense of such security in the wake of U.S. government pressure.
“People should be able to communicate securely and privately with friends and loved ones without anyone—including Facebook—listening to or monitoring their conversations,” the company’s Jay Sullivan told a senate committee last year. “People should be able to send medical information, private financial or payment details, and other sensitive content with the confidence that it will not fall into the hands of identity thieves or others with malicious intent… Facebook is committed to making such private communications broadly available.”
But that default security is not in place today and will not be in place any time soon. When Messenger does end-to-end encrypt by default, this advice will change. But, until then, the advice is to seek a secure alternative. Facebook needs to overcome its technical hurdles—but while so many continue to use the app, any urgency will be limited. The best thing we can do is reward those apps—including WhatsApp—that put our security and privacy first, and refrain from using those that don’t.
This news was originally published at forbes.com