By Aishwarya Jagani
Facebook recently debuted its Messenger Rooms group video-chat service, touting it as a safer alternative to Zoom’s embattled video-conferencing platform, but experts tell Digital Privacy News that’s not the case.
“In terms of privacy, I would consider FBMR to be slightly higher-risk than Microsoft Teams and definitely better than Zoom, but on a par with Google Meet,” said U.K. privacy expert Rowenna Fielding.
“Both Facebook and Google’s business model is based on harvesting people’s data to profile them for microtargeting of advertising,” she explained, “whereas Microsoft doesn’t data-mine enterprise products — and Zoom has clarified that they don’t data-mine user content at all.”
Fielding, head of individuals’ rights and freedoms at the data-protection consultancy Protecture in Bristol, was just as ambivalent about Messenger’s security features.
“It’s difficult to say whether FB Messenger Rooms will be more or less secure than other services,” she told Digital Privacy News. “Most of Facebook’s security issues so far have been to do with who they have chosen to allow to access people’s data rather than accidental breaches.
“All of these services have admin tools that allow users to invite, remove or block other people from access — and provide controls on the amount of data shown to other users of the service,” she said.
Facebook, based in Menlo Park, Calif., did not immediately return requests seeking comment, but Chief Privacy Officer Erin Egan assured users in an April 24 blog post that the company had “built Rooms with privacy in mind.”
Egan also said that “audio and video from Rooms won’t be used to inform ads,” but some privacy advocates challenged the validity of those claims to Digital Privacy News.
No Messenger E2EE
Introduced in April, Messenger Rooms was positioned by Facebook as an alternative to Zoom Communications Inc.’s platform, which had been plagued with “Zoombombing” and other privacy issues, particularly since the spread of COVID-19.
The service allows anyone with a Facebook account to initiate a group video chat with as many as 49 other participants.
But Facebook immediately came under fire for lacking end-to-end encryption (E2EE) in its Rooms, unlike other video-chat apps such as Apple’s FaceTime, Signal, Microsoft Teams — even WhatsApp.
This potentially allows anyone, including Facebook, to access and listen in on these private video chats.
Amid pressure from privacy and human-rights advocates, Zoom agreed last month to provide full end-to-end encryption to all users, after first saying it would only provide the service to paying customers.
However, for all Facebook’s reassurances regarding security, the video-chat feature in Rooms is not end-to-end encrypted.
Fielding told Digital Privacy News: “There is a ‘secret conversations’ feature to FBMR that does use E2E encryption and stores message data only on the end devices for a more secure option.
“However, the video-chat feature is not end-to-end encrypted, meaning that it is potentially vulnerable to interception or impersonation.
“It also means that Facebook has access to all the content,” she said.
Los Angeles technology journalist Sam Biddle observed: “Rooms’ lack of E2E encryption means that Facebook, technically, could access video chats if they wanted to. And if an outside hacker were able to penetrate Facebook, they could, technically, access that data as well.”
Joseph Steinberg, a New York cybersecurity expert, told Digital Privacy News that “sophisticated attackers might be able to enter, watch and-or record a session.
“It means that Facebook itself could potentially do so.
“This also includes scenarios such as a rogue employee entering sessions, Facebook surreptitiously providing the government with access to Meeting Rooms after receiving a (police) warrant — or hackers gaining access to sessions via Facebook,” Steinberg said.
The “data policy” appears to be purposely vague on the information Facebook will collect. One such statement reads: “To provide the Facebook products, we must process information about you. The type of information that we collect depends on how you use our products.”
Fielding told Digital Privacy News: “Although the FBMR policy states that user content itself will not be used for profiling and targeted advertising, user metadata is not explicitly excluded from being used for data-mining.
“The implication being, therefore, that it is used in this way,” she said.
“The risk to users is that you have to basically trust Facebook to not abuse your data.
“People should be skeptical anytime Facebook says it’s not interested in a user’s data, because their entire history shows the opposite.”
Last year, for instance, Facebook admitted to hiring outside contractors to transcribe audio clips from users — some of which contained vulgar content — later promising to end the practice.
“Facebook’s definition of privacy seems to be ‘protected from everyone except Facebook,’” Fielding observed, “which is ironic — because most of the privacy threat on the platform comes from Facebook themselves and their commercial partners.”
On monitoring Room video chats, Facebook’s Egan said in the April blog: “Regardless of whether you use Rooms through your Facebook account or join as a guest, we don’t watch or listen to your audio or video calls.”
But the platform could be tracking and collecting data in ways most people don’t think of, experts told Digital Privacy News.
“Metadata provides a lot of information,” cybersecurity expert Steinberg said, “and, even providers who offer end-to-end encryption may collect valuable metadata.
“If the government wants to know with whom you are speaking on WhatsApp, for example, it can obtain a warrant and find out — even if you have end-to-end encryption enabled.”
But Egan said in the blog that Facebook might collect some data from users who use their app without an account “to provide the service and improve the product experience.”
She acknowledged that Facebook might collect information “like the name of a room and who’s in it” and that it might share the data “with outside vendors that help us do things like reviewing and addressing issues reported by users.”
But Fielding told Digital Privacy News: “Metadata can be just as revealing and sensitive as message content itself.”
Zoom vs. Facebook
Overall, however, experts told Digital Privacy News that neither product was strong on privacy or security.
“There’s very little reason to have full confidence in either Facebook or Zoom’s commitment to user privacy, based on their histories,” journalist Biddle said. “Both companies state publicly that they’re committed to privacy, but their actions don’t match their words.
“I’m not sure if one is worse than the other — although Zoom, at least, offers end-to-end encryption, while Messenger Rooms does not.
“On the other hand,” he told Digital Privacy News, “Zoom has a problematic relationship with the Chinese government.”
Aishwarya Jagani is a writer based in Mumbai, India.
Sources (includes external links):
- Erin Egan Blog Post: Privacy Matters: Messenger Rooms
- Facebook: Data Policy
- Forbes: Facebook Just Launched Messenger Rooms—What You Should Know Before Using It
- The Intercept: Facebook Says Very Little on Privacy of Messenger Rooms
- Bloomberg: Facebook (FB) Paid Contractors to Transcribe User Audio Files
- DPN: Daily Digest (6/18) (Zoom reference about E2EE).