Facebook and Instagram Link Previews Would Break EU Privacy Law, Say Security Researchers

A follow-up report by security researchers Talal Haj Bakry and Tommy Mysk has alleged that Facebook Messenger and Instagram are collecting and using data from link previews in a way that would breach European privacy law.

facebook messenger icon new

In October last year, Bakry and Mysk revealed that link previews in popular messaging apps can lead to security and privacy issues on iOS and Android. It was discovered that apps could leak IP addresses, expose links sent in end-to-end encrypted chats, download large files without users' consent, and copy private data through link previews.

In that report, Bakry and Mysk found that Facebook Messenger and Instagram behaved unlike other messaging apps in that they downloaded the entire contents of any link to its servers, regardless of size. When questioned about this unusual behavior, Facebook reportedly said that it considers this to be "working as intended."

Copies of link preview data kept on external servers could be subject to breaches or misuse, which may be particularly concerning for users who send links to sensitive or confidential private data such as business documents, bills, contracts, or medical records.

Now, Bakry and Mysk have found that Facebook has recently stopped generating link previews in Messenger and Instagram for users in Europe to comply with the European Union's ePrivacy Directive. The change also applies to users outside Europe if they communicate with someone in the region.

messenger link previewsLinks sent in Facebook Messenger as seen in Europe and other regions

The researchers suggest that since Europe has "some of the most robust privacy laws" and Facebook has now removed link previews seemingly to comply with the legislation, the company must have been using the data from link previews in a way that would breach the ePrivacy Directive.

It is an implicit confirmation that Facebook's handling of link previews in Messenger and Instagram did not conform to privacy regulations in Europe, otherwise they wouldn't have disabled the feature... Stopping this service in Europe strongly hints that Facebook may be using this content for purposes other than generating previews.

Bakry and Mysk believe that Facebook's link previews may have infringed on articles 4:1a, 4:2, and 5:3 of the ePrivacy Directive. These articles include the requirement that personal data can only be accessed by authorized personnel for legal purposes, the need to inform users of the risks of a data breach, and the need to gain user consent having been provided with "clear and comprehensive information" about how data is collected.

As links may relate to personal data, the ePrivacy Directive prevents Facebook from storing, processing, or using this information without explicit consent from users in the EU. Facebook would also have to make it clear to users why it is downloading the contents of link previews prior to requesting consent.

Bakry and Mysk have demonstrated that Facebook servers download and store the content of links sent through its apps, and if the same link is sent a second time, Facebook generates a link preview without downloading the contents of the link. This purportedly indicates that the content is stored or cached by Facebook and is proven by the amount of data that is uploaded from a user's device.

Link previews continue to be available in Messenger and Instagram for users outside Europe. Facebook's current Terms of Service state that any content users share through any of Facebook's services will be used for various purposes such as personalizing content, ads, making suggestions, and learning about users, both on and off Facebook's products. In Europe, this use of personal data now requires explicit consent from users even if it is approved by Facebook's Terms of Service.

Facebook disabled link previews for users in Europe to comply with new privacy regulations. This confirms our privacy concerns that sending links to private files in Messenger and Instagram is unsafe. While Facebook did disable link previews in Europe, users in other regions should refrain from sending links through either of these apps. The better option would be to switch to other messaging apps which respect user privacy in all parts of the world alike.

Bakry and Mysk are now actively recommending that users outside Europe do not send links in Messenger or Instagram due to privacy concerns, and have even suggested that users move to other messaging apps entirely.

Beyond link previews, the researchers have previously investigated popular iPhone and iPad apps "snooping" on iOS pasteboard data and HTTP security vulnerabilities in TikTok.

Top Rated Comments

Matthew.H Avatar
8 months ago
Why does this not surprise me.
Score: 9 Votes (Like | Disagree)
and 1989 others Avatar
8 months ago
What is more curious, is that day by day we have story after story of the FB group misusing data, mining data, selling personal data, building profiles of individual for nefarious means, manipulating the political sphere etc etc...

And YET people still use the services every single day.
Score: 8 Votes (Like | Disagree)
Mike_Trivisonno Avatar
8 months ago
Honestly, what the heck is wrong with these companies? They are so weird and creepy. Can't they just stop stalking their users? Just quit it. People want advanced technology, not cyber-stalking freaks.
Score: 6 Votes (Like | Disagree)
luvbug Avatar
8 months ago
Evil, just simply evil. Scumbags extraordinaire.
.
Score: 6 Votes (Like | Disagree)
Pangalactic Avatar
8 months ago
Waiting for the Facebook reply "But tracking and data mining is good for you! It is privacy that violates your...ehmm...advertising potential!"
Score: 6 Votes (Like | Disagree)
infinitejest Avatar
8 months ago
They only do that to save small businesses, guys!
Score: 6 Votes (Like | Disagree)

Top Stories

tim cook mark zuckerberg

Tim Cook Urged Mark Zuckerberg to Delete User Data From 3rd Party Apps in Private 2019 Meeting

Monday April 26, 2021 4:33 am PDT by
At a private meeting on the sidelines of an informal gathering of tech and social media executives in July of 2019 in Sun Valley, Idaho, Apple CEO Tim Cook urged Facebook CEO and founder Mark Zuckerberg to delete all user information his company has collected from third-party apps, according to The New York Times. According to the Times, the executives met annually at the conference...
instagram features missing eu

Facebook Temporarily Disables Some Messenger and Instagram Features in Europe to Comply With EU Data Rules

Thursday December 17, 2020 4:08 am PST by
Some Messenger and Instagram features are temporarily unavailable to users in Europe in order to comply with new rules on data usage currently being rolled out in EU countries. Affected users are seeing alerts in the Facebook-owned apps that some features aren’t available to "respect new rules for messaging services in Europe." The alert doesn't specify what the missing features are, but ...
Apple vs Facebook feature

Former Employees Explain What Facebook Has to Lose When Apple Implements App Tracking Transparency

Thursday March 11, 2021 3:28 pm PST by
As Apple prepares to implement App Tracking Transparency changes in iOS 14.5, CNBC spoke with several former Facebook employees to get details on why Facebook has been so heavily against the planned privacy updates. Starting this spring, Facebook and other app developers will need to get express permission to access a user's advertising identifier, or IDFA, which is used to track usage...
tim cook data privacy day

Tim Cook Responds to Facebook Criticism of iOS App Tracking Transparency Changes, Says It's 'Hard To Argue Against' Privacy

Saturday April 3, 2021 1:26 am PDT by
In a preview of an interview with The New York Times' Kara Swisher, set to be published on Monday, April 5, Apple CEO Tim Cook said he's "shocked" at the criticism Apple has received in recent months over upcoming privacy changes in iOS, and claimed that they're "hard to argue against." Apple plans to begin enforcing App Tracking Transparency (ATT) changes following the release of iOS 14.5,...
Twitter Feature

It's Not Just You: Tweet Previews Aren't Showing in iMessage Right Now

Friday May 7, 2021 11:42 am PDT by
While sharing a Twitter link in an iMessage conversation typically results in a light-blue bubble with an in-line preview of the tweet, and an image if one was included, tweet previews appear to be broken right now. As of Friday morning, Twitter links shared in iMessage conversations appear as basic gray bubbles with the twitter.com domain and no other information. It's unclear if this is an ...
Facebook Feature

Facebook Data for Over 535 Million Users Leaked on Hacker Website

Monday April 5, 2021 2:10 am PDT by
The personal details of more than 553 million Facebook users have been published on a website for hackers, according to multiple reports over the weekend. The details appeared on Saturday, according to Business Insider, and are also available in 106 different country-based packages, included 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in...
fortnite apple featured

Facebook Doesn't Want to Give Apple Requested Documents in Epic v. Apple Fight [Updated]

Monday April 5, 2021 11:34 am PDT by
Facebook and Apple are squabbling over document requests in the ongoing Epic v. Apple legal battle, according to a new discovery letter filed with the court today. Facebook is involved because Facebook executive Vivek Sharma is set to testify on behalf of Epic. Apple wants a "limited set of documents" that are needed for a fair cross examination of Sharma, who plans to testify about Apple's...
Facebook Feature

Zuckerberg Now Claims Apple's App Tracking Transparency Rules Could Benefit Facebook

Thursday March 18, 2021 3:51 pm PDT by
Despite campaigning heavily against Apple's upcoming anti-tracking rules, Facebook CEO Mark Zuckerberg today said that Facebook will "be in a good position" when Apple begins enforcing App Tracking Transparency and could even benefit from the changes. "It's possible that we may even be in a stronger position if Apple's changes encourage more businesses to conduct more commerce on our...
google privacy labels

Google Planning to Take 'Baby Step' Approach to New Privacy Features for Users

Monday May 17, 2021 8:16 am PDT by
Google is facing internal concerns that implementing an Android equivalent of Apple's ATT or App Tracking Transparency framework, which offers iOS and iPadOS users the ability to opt-out of tracking across apps and websites, will hurt its more than $130 billion annual spending budget for ads, according to a new report from The Information. According to the report that cites sources within...
facebook pay qr codes

Facebook Pay Introduces Personalized QR Codes for Person-to-Person Payments

Monday April 5, 2021 6:51 am PDT by
Facebook Pay is expanding on its service by rolling out person-to-person payments via QR codes, allowing users to scan a friend or family member's QR code, and instantly transfer money. Facebook Pay launched in 2019 as an easy and convenient service for people to transfer money to friends and family, pay businesses, purchase products, and more. It's integrated into all of Facebook's apps,...