Facebook saves the links you share on Messenger and Instagram DMs.
No, not just the URL itself, but the entire content of the page you are linking to.
In October, app developers Tommy Mysk and Talal Haj Bakry discovered a privacy and security risk on Facebook’s private messaging platforms.
Whenever a user shared a link on Facebook Messenger or in a DM on Instagram and a link preview was generated, the data from that link was downloaded to the social media giant’s servers. According to Mysk and Bakry, this also occurred when the linked site contained many gigabytes of data.
“Facebook servers download the content of all links sent via Messenger or Instagram DMs,” Mysk and Bakry write in their report. “These can be bills, contracts, medical records or anything that can be confidential.”
It’s not uncommon for users to share links to potentially sensitive information through private messaging platforms. But why does Facebook have to download this data – especially many gigabytes of it – from every link that is shared on Messenger or in an Instagram DM?
Mysk and Bakry originally reached out to Facebook to share what they discovered, assuming the behavior was unintentional.
Just this week, the two developers discovered an interesting update: Facebook has completely deactivated link previews in Facebook Messenger and Instagram … but only in Europe.
Why? The company had to remove them to comply with strict EU online privacy laws. Downloading and storing the data in links that users share is against these laws.
Link previews, in case you are not familiar, are the small thumbnails, page titles and descriptions that are generated automatically when a user pastes a link on Facebook’s platforms.
Left: What links shared on Messenger look like in Europe. Right: How the same links look in North America.
“Stopping this service in Europe strongly suggests that Facebook may use this content for purposes other than generating previews,” the developers said.
In their original report, Mysk and Bakry also examined how other major online platforms – like Twitter, Slack, and Discord – handled link previews. Facebook and Instagram were the only ones to download gigabytes of data from each link. Most other platforms didn’t download more than 50MB in order to generate the information required for a link preview.
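The following is an added example, not code from Mysk and Bakry’s report or from any of the platforms named: a preview generator needs only the title and description, so it can stop reading at the end of the HTML head or at a byte cap, whichever comes first. The 64 KiB cap, the use of Open Graph `og:` tags, the names `HeadMeta` and `build_preview`, and the sample page are assumptions made for illustration.

```python
import codecs
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # assumed cap for this example, not any platform's real limit

class HeadMeta(HTMLParser):
    """Collects <title> and og:* meta tags and flags when </head> is reached."""
    def __init__(self):
        super().__init__()
        self.meta, self.done, self._in_title = {}, False, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.meta[a["property"]] = a.get("content") or ""

    def handle_data(self, data):
        if self._in_title:
            self.meta["title"] = self.meta.get("title", "") + data

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "head":
            self.done = True  # everything a preview needs has been seen

def build_preview(stream, max_bytes=MAX_PREVIEW_BYTES, chunk=4096):
    """Read at most max_bytes from a binary stream; return (metadata, bytes_read)."""
    parser, read = HeadMeta(), 0
    decoder = codecs.getincrementaldecoder("utf-8")("replace")  # safe across chunk splits
    while read < max_bytes and not parser.done:
        data = stream.read(min(chunk, max_bytes - read))
        if not data:
            break
        read += len(data)
        parser.feed(decoder.decode(data))
    return parser.meta, read

# Constructed sample: a small head followed by about 5 MB of body that is never read.
SAMPLE_PAGE = (b'<html><head><title>Shared invoice</title>'
               b'<meta property="og:description" content="Constructed sample page">'
               b'</head><body>' + b"A" * 5_000_000 + b'</body></html>')

if __name__ == "__main__":
    meta, n = build_preview(io.BytesIO(SAMPLE_PAGE))
    print(meta, f"read {n} of {len(SAMPLE_PAGE)} bytes")
```

In a real fetcher the same loop would wrap a streamed HTTP response body, so the connection is closed as soon as the head has been parsed or the cap is hit.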
As the two developers point out, Facebook announced in December 2020 that it would make changes to its platforms due to the European data protection directive for electronic communications. However, at the time of the announcement, Facebook didn’t specify exactly what these changes would look like.
“We contacted Facebook in September 2020 to see what we thought could be a privacy issue (and possibly a fatal flaw), and they basically dismissed our concerns,” said Mysk and Bakry. Facebook informed the two that the feature “works as intended”.
It is important to note that Facebook continues to generate link previews and download all data from the linked pages everywhere outside the EU.
So the next time you share a link, keep in mind that Facebook picks up what you’ve shared and stores the data on its servers.