Facebook is storing the links you share on Messenger and in Instagram DMs. 

No, not just the URL itself, but the entire contents of the page you’re linking to.

In October, app developers Tommy Mysk and Talal Haj Bakry discovered a privacy and security risk on Facebook’s private messaging platforms.

Whenever a user shared a link on Facebook Messenger or in a DM on Instagram and a link preview was generated, the data from that link was downloaded to the social media giant’s servers. According to Mysk and Bakry, this occurred even if the linked site contained many gigabytes of data.

“Facebook servers download the content of any link sent through Messenger or Instagram DMs,” write Mysk and Bakry in their report. “This could be bills, contracts, medical records, or anything that may be confidential.” 


It’s not uncommon for users to share links that include potentially sensitive data via private messaging platforms. But why does Facebook need to download that data — especially many gigabytes worth of data — from every link shared on Messenger or in an Instagram DM?

Mysk and Bakry originally contacted Facebook in order to report what they discovered, assuming it was an inadvertent outcome.

However, just this week, the two developers discovered an interesting update: Facebook has completely disabled link previews in Facebook Messenger and Instagram…in Europe only. 

Why? The company needed to remove them in order to comply with the EU’s robust online privacy laws. Downloading and storing the data within the links that users share is in violation of those laws.

Link previews, in case you’re not familiar, are those automatically generated little thumbnails, page titles, and descriptions that show up when a user pastes a link on Facebook’s platforms.

On the left: how links shared in Europe on Messenger look. On the right: how links shared in North America look.


Image: mysk.blog

“Stopping this service in Europe strongly hints that Facebook may be using this content for purposes other than generating previews,” say the developers.

In their original report, Mysk and Bakry also looked at how other major online platforms — like Twitter, Slack, and Discord — handled link previews. Facebook and Instagram were the only two to download gigabytes of data from each link. Most of the other platforms downloaded no more than 50MB in order to generate the information needed for the link preview.
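To make the size difference concrete, here is a sketch of a preview generator that reads only what a preview needs: it stops at the end of the page's `<head>` or at a byte budget, whichever comes first, and keeps nothing but the title and Open Graph fields. This is an added example, not code from Facebook or from Mysk and Bakry's report; the names `MetaParser` and `build_preview`, the 64 KB budget, and the sample page are assumptions made for illustration.

```python
import codecs
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # assumed byte budget, not a figure from the report
CHUNK = 4096

class MetaParser(HTMLParser):
    """Collects <title> and Open Graph tags; flags the end of <head>."""
    def __init__(self):
        super().__init__()
        self.fields, self.head_done, self._in_title = {}, False, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.fields[a["property"]] = a.get("content") or ""
        elif tag == "body":
            self.head_done = True  # covers pages that omit </head>

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "head":
            self.head_done = True

    def handle_data(self, data):
        if self._in_title:
            self.fields["title"] = self.fields.get("title", "") + data

def build_preview(stream, max_bytes=MAX_PREVIEW_BYTES):
    """Read until </head> or max_bytes, whichever comes first; keep only preview fields."""
    parser, consumed = MetaParser(), 0
    decoder = codecs.getincrementaldecoder("utf-8")(errors="replace")
    while consumed < max_bytes and not parser.head_done:
        chunk = stream.read(min(CHUNK, max_bytes - consumed))
        if not chunk:
            break
        consumed += len(chunk)
        parser.feed(decoder.decode(chunk))
    return {k: v.strip() for k, v in parser.fields.items()}, consumed

# Constructed sample: a short <head> followed by about 5 MB of body text.
SAMPLE_PAGE = (b'<html><head><title>Invoice 0001</title>'
               b'<meta property="og:description" content="Constructed sample">'
               b"</head><body>" + b"CONFIDENTIAL " * 400_000 + b"</body></html>")

if __name__ == "__main__":
    print(build_preview(io.BytesIO(SAMPLE_PAGE)))
```

In a real fetcher the `stream` would be the HTTP response body, and the connection would be closed as soon as `build_preview` returns, so the rest of the page never reaches the server.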

As the two developers point out, Facebook announced in December 2020 that it would be making changes to its platforms due to Europe’s ePrivacy Directive. However, at the time of the announcement, Facebook did not specify exactly what those changes would be.

“We did contact Facebook in September 2020 about what we thought could be a privacy issue (and potentially a serious bug), and they basically dismissed our concerns,” say Mysk and Bakry. Facebook told the two that the feature was “working as intended.”

It’s important to note that Facebook is still generating link previews and downloading all the data from the linked pages everywhere outside the EU. 

So, next time you share a link, non-Europeans, remember that Facebook is scooping up what you’ve dropped and storing the data on its servers.