If you’re one of Facebook Messenger’s 1.3 billion users, then the sudden WhatsApp backlash should serve as a stark warning. Yes, Messenger’s data harvesting is significantly more alarming than WhatsApp’s. But, worse, there’s now another serious new problem that may convince you to leave.
Prompted by an unfortunate series of events, some woefully mismanaged PR, and a widely misreported story, WhatsApp is now damaged. And while its vast userbase can withstand a few tens of millions departing for Signal or Telegram, messengers are viral by their nature—it’s why they’re so valuable. And that risks a long-term impact.
If every departing user encourages just 5 to 10 of their friends to do the same over the next year, then the numbers build. And if enterprises ban the use of WhatsApp for work-related messages, then those numbers build even faster. Signal’s group-link is a brilliant trick. It enables the scale of “digital migration” we’re seeing now.
Facebook Messenger has watched on as this train wreck series of events has unfolded for its sister platform, but the damage it risks is even greater. WhatsApp was already on the back foot before its disastrous terms of service change, contesting the negative headlines that followed Apple’s privacy labels. Yes, WhatsApp looked bad compared to Signal and Telegram, but it looked truly angelic compared to Messenger.
MORE FOR YOU
In reality, the WhatsApp debacle has distracted attention away from just how bad Messenger’s invasion of your privacy is. There is no justification for it. We all know Facebook makes its living from our data—that’s how we pay for its “free” services. But there does need to be a limit. If we find ourselves in a place where Facebook says we’ll take everything we can get our hands on, and we say, yes, that’s fine, then what does that say about us and the value we place on our own privacy.
WhatsApp’s main defense against the backlash has been “we cannot see your private messages… and neither can Facebook.” No such luck, though, if you’re a Messenger user. Facebook admits that it monitors the content sent in private messages between users. And Facebook definitely does share all its metadata with itself, another claim WhatsApp has contested for its own users and metadata.
We saw a perfect illustration of Facebook Messenger’s scant regard for your privacy when researchers Tommy Mysk and Talal Haj Bakr, of iOS clipboard fame, disclosed that it was downloading private file attachments sent between users to its own servers, as well as links to file shares and websites. This issue with Messenger accessing your private information is easily solved—that’s what end-to-end encryption is all about.
“Your personal messages are protected by end-to-end encryption,” WhatsApp emphasized in its fightback. “We will never weaken this security.” Messenger users can also benefit from this same level of security, but only in “secret conversations.” Unlike WhatsApp, though, this only supports messages between two people, not within groups and not switched on by default. When it is selected, it stops Facebook snooping on your messages and downloading your links and attachments.
It’s this lack of end-to-end encryption that makes Messenger a no-go for me. This should be the default for any messaging platform you use. Facebook itself has warned of the risks when such encryption is not available, and WhatsApp deserves great credit for universalizing access, making end-to-end encryption available to 2 billion users. As a result. Facebook has ironically become the world’s most powerful advocate for its use in messaging, contesting lawmakers who argue for mandatory backdoors.
Don’t take end-to-end encryption for granted—the fact that we can call and message from anywhere in the world, safe from the network probes of governments and bad actors, is a huge plus. One of the ironies of the WhatsApp backlash is that users are leaving WhatsApp, which is default end-to-end encrypted, for Telegram, which is not.
This brings me to the serious new problem that is likely to impact Messenger users—the reason you should now switch to an alternative. Back in 2019, Facebook’s Mark Zuckerberg argued that private messaging would become the new normal, replacing the social need to share everything, everywhere. This followed on from the first reports into Facebook’s plans to integrate WhatsApp with Messenger and Instagram’s DMs, creating a messaging behemoth serving almost 3 billion users.
At the time, this signaled concerns for WhatsApp users but also led to reports that Messenger would become end-to-end encrypted—a major improvement. But two years on, we have seen no tangible progress, bar secret conversations, disappearing messages and some beta WhatsApp code that suggests a messaging gateway under development. What we have seen, though, is the beginning of that integration, starting with Messenger and Instagram, with no security improvements in sight.
Last year, Facebook told me that it remains “very committed to making Messenger end-to-end encrypted by default,” and that the timing “is consistent with what we’ve said since the launch—that it’s going to take time and we’re committed to doing this right.” The company also emphasized its defense of such encryption before lawmakers.
“People should be able to communicate securely and privately with friends and loved ones without anyone—including Facebook—listening to or monitoring their conversations,” Facebook’s Jay Sullivan told a senate committee in 2019. “Facebook is committed to making such private communications broadly available.”
Sullivan also said that users should be able to send medical and financial information “with the confidence that it will not fall into the hands of identity thieves or others with malicious intent.” But, as things stand, Messenger does monitor content, and you’ll note that “health and fitness,” “sensitive info” and “financial info” are among the mass of user data fields it admits to collecting through its Messenger platform.
Adding end-to-end encryption would have been something of a saving grace for Messenger, preventing content being monitored, collected and processed, albeit it would not protect metadata. But the WhatsApp backlash has seen a stark realization by millions that encrypting content is, in itself, not enough.
WhatsApp has retreated a little, pushing back the date by when users have to accept the forced change of terms, assuring that it will use the time to better communicate the facts behind the frenzy. What it hasn’t done, though, is commit to review the metadata it collects and provide a detailed presentation of the specific data it shares with Facebook, going beyond assurances that nothing material has changed.
Unfortunately for WhatsApp, the genie is out the bottle and that’s not good enough. It has fudged the Facebook factor since 2014, but can’t do this any longer. A flappy-handed presentation won’t assuage the millions whose hackles are now raised. WhatsApp needs to be open and honest, and it needs to decide if it can rein its data collection back, putting it in step with iMessage and Telegram and Signal.
The serious new problem for Messenger users is twofold. First, the delayed extension of WhatsApp-level encryption has become more contentious, both because it would risk antagonizing lawmakers who don’t want to see it expanded and also because it would appear to be a defensive move against the antitrust lawsuits in the U.S. that specifically focus on Facebook’s acquisitions of Instagram and WhatsApp.
Technically, Facebook’s integration is likely struggling to deliver encryption as well as a combined back end that doesn’t materially reduce its data collection for Messenger, while not expanding WhatsApp’s to the extent that even more leave. I don’t envy the technical architects charged with that challenge. Take note if you use Instagram, by the way, it’s even worse than Messenger and goes beyond linked data to tracking.
There is another problem that has hit home in the last week, one that impacts us all. WhatsApp messages and calls are secure—it actually uses Signal’s encryption protocol, albeit a tailored version. It also has an architecture that can accommodate 2 billion users and 100 billion daily messages. The scale of ecosystem required to support this was underlined by Signal’s outage, as millions of news users made the switch. It will take time for other platforms to build their back-ends.
Meanwhile, there is a serious risk that the negative headlines and social media backlash undermines user confidence in WhatsApp’s security. That is dangerous. Anyone working in information security has likely been asked by friends, family and colleagues this week, whether they need to move from the platform. Of course not. And while shifting to Signal is fine, what about Telegram—which is less secure, or Android Messages, which has no end-to-end encryption at all, beyond a limited beta?
The advice now is simple. If you’re still on Messenger or if you’re using Instagram DMs for anything other than engaging with companies you’re buying from or casual contacts, then it’s time to switch. Your easiest option remains WhatsApp given its scale—all your friends and family are likely users. If you want a more secure option, then run Signal in parallel. It will become more usable as ever more of your contacts join.
With WhatsApp and Signal running in parallel, you’re fine from a security and privacy perspective. Eventually you’ll use Signal as the default when contacts are onboard, but you’ll likely keep WhatsApp as well for when they’re not. You can also move all your Facebook Messenger chats and groups to one or the other.
You should do that now.