Why Facebook is right to scan ‘private’ messages

It is being reported that a class action suit has been filed against Facebook, claiming that the social network is systematically examining ‘private’ messages sent by users.

Specifically, what seems to be up for grabs are the contents of links to third-party websites contained inside supposedly private messages.

The lawsuit, which can be read in full here, claims that data mined in this way by the social network is shared with third parties such as advertisers and marketers.

When a user composes a Facebook message and includes a link to a third party website (a “URL”), the Company scans the content of the Facebook message, follows the enclosed link, and searches for information to profile the message sender’s web activity.


This practice is not done to facilitate the transmission of users’ communications via Facebook, but because it enables Facebook to mine user data and profit from those data by sharing them with third parties – namely, advertisers, marketers, and other data aggregators.

Representing to users that the content of Facebook messages is “private” creates an especially profitable opportunity for Facebook, because users who believe they are communicating on a service free from surveillance are likely to reveal facts about themselves that they would not reveal had they known the content was being monitored. Thus, Facebook has positioned itself to acquire pieces of the users’ profiles that are likely unavailable to other data aggregators.

The class action cites independent research by security firm High-Tech Bridge which last year tested which social networks accessed secret and unpredictable URLs that it shared privately via various services.
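The High-Tech Bridge test described above works by sharing an unguessable URL through each service and then watching the web server's access log for any fetch of it: a hit on a URL that was only ever sent in one private message shows that the service followed the link. As an added example that is not part of the original post and not the firm's own tooling, here is a small Python script that generates such canary URLs and attributes log hits to the service each one was shared through. The domain, the service labels, the token values and the log lines are constructed assumptions; the log parser expects the common "combined" access-log format.

```python
from __future__ import annotations

import re
import secrets
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: a domain you control whose access log you can read (constructed, not real).
BASE_URL = "https://canary.example.invalid"


def make_canary_url(service: str) -> str:
    """Return a URL with an unguessable path segment, to be shared via exactly one service.

    secrets.token_urlsafe(16) gives 128 bits of randomness, so a fetch of the path
    cannot be explained by crawling or guessing; only a party that saw the message
    could have obtained it.
    """
    return f"{BASE_URL}/{service}/{secrets.token_urlsafe(16)}"


# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def attribute_fetches(log_lines: list[str], canaries: dict[str, str]) -> dict[str, list[dict]]:
    """Map each service label to the list of access-log requests that fetched its canary URL.

    Lines that do not parse, or that request any other path, are ignored, so ordinary
    traffic to the same host does not produce false attributions.
    """
    path_to_service = {urlparse(url).path: service for service, url in canaries.items()}
    hits: dict[str, list[dict]] = defaultdict(list)
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        service = path_to_service.get(match.group("path"))
        if service is not None:
            hits[service].append(
                {"ip": match.group("ip"), "ts": match.group("ts"), "ua": match.group("ua")}
            )
    return dict(hits)


# Constructed sample: two canaries with fixed tokens so the run is reproducible.
SAMPLE_CANARIES = {
    "service-a": f"{BASE_URL}/service-a/Qm7kX2v9_constructed_token",
    "service-b": f"{BASE_URL}/service-b/Zp4rT8w1_constructed_token",
}

# Constructed access-log lines: one fetch of the service-a canary by an automated client,
# one unrelated request to the site root, and one line that is not in combined format.
SAMPLE_LOG = [
    '203.0.113.10 - - [02/Jan/2014:10:15:32 +0000] '
    '"GET /service-a/Qm7kX2v9_constructed_token HTTP/1.1" 200 512 "-" "ExampleLinkPreviewBot/1.0"',
    '198.51.100.7 - - [02/Jan/2014:10:16:01 +0000] '
    '"GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    "this line is not an access-log entry",
]


def services_that_fetched(log_lines: list[str], canaries: dict[str, str]) -> set[str]:
    """Convenience view: the set of services whose canary was fetched at least once."""
    return set(attribute_fetches(log_lines, canaries))


if __name__ == "__main__":
    for service, requests in attribute_fetches(SAMPLE_LOG, SAMPLE_CANARIES).items():
        for req in requests:
            print(f"{service}: fetched by {req['ip']} ({req['ua']}) at {req['ts']}")
```

Run against a real log, the interesting output is not just whether a service fetched the link but which client fetched it and how soon after the message was sent; a fetch seconds after sending, from an address the service publishes as its own, is the link-preview or safety scanner the post describes, whereas a later fetch from an unrelated network would point to onward sharing of the URL.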

According to the complaint filed by Matthew Campbell and Michael Hurley with the Northern District Court in California:

Contrary to its representations, “private” Facebook messages are systematically intercepted by the Company in an effort to learn the contents of the users’ communications…

For its part, Facebook says that the allegations are “without merit”.

So, what should we think about this?

Well, social networks like Facebook do need to make clear what they do or don’t do with content posted by their users, both publicly and privately on the service, including messages sent supposedly privately between two users.

But I don’t see anything necessarily wrong in principle with online services automatically scanning messages between individuals, and examining the links that they are sharing.

Indeed, if Facebook’s security team didn’t have such systems in place I would believe them to be disturbingly lax in their duty of care for users.

After all, if you didn’t properly scan and check links there’s a very real risk that spam, scams, phishing attacks, and malicious URLs designed to infect recipients’ computers with malware could run rife.

Facebook phishing

Different services and social networks may investigate URLs to different depths, with varying levels of thoroughness, in their attempt to determine whether the webpage linked to contains malicious or scam content.

Whether Facebook needs to reword its terms and conditions to make clear that it will be scanning the contents of private messages, and exploring links that are shared, remains to be seen and is something for sharp-suited legal types to look into.

And the social network does need to ensure its 1,000,000,000+ members know what Facebook does, and why, so there is proper transparency which allows users to make informed decisions.

With that information you may decide, for instance, not to use Facebook for private messaging and use something with end-to-end encryption instead.

But one thing that is certain to me is that automated scanning of links sent via ‘private’ messages is overall a good thing for Facebook users’ security.

If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

5 comments on “Why Facebook is right to scan ‘private’ messages”

  1. I agree with you that social networking sites have a duty of care to scan private user messages, however, I disagree with the selling of that information to third parties for the purpose of making a profit. This is especially immoral as they have taken significant steps to ensure users that the messaging facility within Facebook is private.

  2. Imigrant

    It's actually not fair. FB and other social networks should say it loud to the public and their users what they do, and not leave that to users to find out later on… Anyway, for me it's breaking the privacy of users not telling them what they do and why, leaving it for later till somebody actually discovers what social networks do…

  3. Benjamin

    "Indeed, if Facebook’s security team didn’t have such systems in place I would believe them to be disturbingly lax in their duty of care for users."

    – I don't agree with this really. It's up to the user to decide whether to click or not, unless clicking on these things could actually harm facebook itself (in an actual, physical way), which to my knowledge it doesn't. It'd be like blaming your email provider for you opening a dodgy attachment – it just doesn't make sense.

    They definitely need to make it clearer what they're saying and doing, as at the moment it just looks like they're persistently trying to sneak stuff in under the radar.

  4. James

    You seem to be paying lip service to social network's "need to make clear what they do or don’t do with content" by concluding that "automated scanning ‘private’ messages is overall a good thing for Facebook users’ security." I.e. what they are allegedly doing is wrong (they are not doing what you have said they *need* to be doing), but, overall, meh.

    Rewording terms and conditions is an idiotic suggestion if they are indeed doing what they are accused of doing in the suit. Obviously, they need to not label messages private if they are not private.

  5. Neil

    Whether they should or not, they have denied that they do, which is a lie. Then there's what they do with the information they gather from scanning. I posted a URL for a hotel via a PM last night, and later saw the exact same photo from the URL I posted as a 'suggested post' for another hotel booking site a short while later. So, they're clearly lying about the fact that they ARE scanning it, and they are clearly using the information gathered from scanning, for advertising purposes.
