What’s Really Behind Facebook’s New Privacy and Encryption Effort?

NEWS ANALYSIS: Mark Zuckerberg says he wants Facebook to move toward personal, secure messaging and away from open broadcasting, but is this really about something else?

On its face, Mark Zuckerberg’s announcement that Facebook plans to move to a more privacy-oriented service seems like welcome news, given how he and his company have run roughshod over users’ privacy since the company’s founding. But now he’s saying that he wants to make personal interactions more private and secure, and that he wants to move his messaging apps, including Facebook Messenger and WhatsApp, to a common platform so users of either can message anyone on the other.

With that change, Zuckerberg says he wants to implement end-to-end encryption that’s so secure that not even Facebook will be able to see what’s in those messages. He labels this as a boost to privacy on Facebook. Zuckerberg also said he wants messages to be ephemeral, so that they disappear over time, with the idea that you can’t be held responsible for something you said 15 years ago that looks totally stupid now.

By now you’ve seen plenty of examples of folks in the public eye having to explain dumb things they said when they were teens, so there’s no doubt that some limits would be appreciated. But is this really some altruistic move on Facebook’s part, or is there more to it than that?

“I understand that many people don't think Facebook can or would even want to build this kind of privacy-focused platform,” Zuckerberg admits in his blog entry, “because frankly we don't currently have a strong reputation for building privacy protective services.” However, he notes that Facebook has shown that the company can create privacy-protecting services, such as WhatsApp.

What the Zuckerberg Memo Doesn’t Say

What’s instructive about the Zuckerberg Memo is as much in what it doesn’t say as in what it does. For example, Zuckerberg doesn’t say anything about shutting down the public news feeds that make up the core of Facebook. Nor does he say how he plans to continue his fight against disinformation, hate speech or personal attacks that now are so much a part of Facebook.

Zuckerberg also doesn’t mention that by emphasizing encrypted, person-to-person communications, he’s making it so that Facebook has an excuse for not monitoring those activities. After all, if everything’s encrypted, how can Facebook be responsible?

And in fact, exactly that scenario has already played out on WhatsApp, as the encrypted service was used in India, Latin America and some parts of Europe to spread disinformation, encourage attacks and help spread violence.

For example, in 2018 in India, fake news and disinformation that was spread through WhatsApp led to rioting, widespread violence, and a series of lynchings and murders. Similar attacks also happened in Mexico, where two people were burned to death. In Sri Lanka, according to reports, the entire service was shut down to end violence there.

Facebook, as you might expect, pointed out that it couldn’t read the messages causing the problems because they were encrypted. The best that the service could do was to limit the number of times a message could be forwarded.

But Zuckerberg doesn’t mention that WhatsApp has emerged as a vector in spreading phishing attacks. He also doesn’t mention the significant vulnerabilities found last year by Check Point that allow messages to be intercepted and read, and the contents changed. In the fall of 2018, Google’s Project Zero found a vulnerability that could cause WhatsApp users to lose control of their accounts by simply answering a video call. Facebook has fixed these, but it’s clear that ironclad security hasn’t been a priority for Facebook, although the company says it plans to get better.

Monetizing Private Communications

Facebook also hasn’t said how it plans to monetize these private communications. Will it inject ads into encrypted video calls? Or will users have to look at an ad before they can message their friends? This isn’t clear, but considering that Facebook has to make money to stay alive, it’s important to know how this is going to happen.

It’s also important to determine how Facebook will support your activities when you use it for business. If public messaging is being scaled back, will your reach to your customers be limited? If all messages will be encrypted and limited to five users per message, as is the case now, will you even be able to reach your customers in a meaningful way?

While in one sense, it’s nice to see that Facebook is aware of its own limitations when it comes to privacy, there’s a lot more to it than that. Facebook already faces significant jeopardy in Europe because of the transgressions of Cambridge Analytica and other leakages of customer data. Is this perhaps a way to satisfy regulators that Facebook is trying to fix its privacy problems so as to avoid a huge fine?

Until Facebook’s intentions become clear, the biggest question for a business user of Facebook is whether the social network is worth the risk. How much risk are you willing to accept if Facebook fails to deliver advertising impressions? Or if Facebook suddenly makes it impossible to reach your current and would-be customers?

Even if you decide to accept the risk that Facebook’s current spate of mea culpas may hurt your business without warning, it would seem that it’s worthwhile to spin up another platform that’s more stable in its intentions and in general more trustworthy.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...