
Facebook Messenger

Fail
Meta Platforms · 🇺🇸 United States
Evidence reviewed: Policy · App permissions · Network traffic · Firmware · Regulatory
Technical details
App: com.facebook.orca
Manufacturer: Meta Platforms

⚠️ The bottom line

Meta kept your Messenger conversations readable on its servers for over a decade while its other app (WhatsApp) has had default encryption since 2016. They chose ad revenue over your privacy for seven extra years. Meta told Congress that Messenger messages are private. In 2022, a Nebraska mother and her 17-year-old daughter were charged with illegal abortion, and the key evidence was their Facebook Messenger conversations, which Meta handed to police in response to a search warrant. The daughter was sentenced to 90 days in jail and two years of probation. Meta complied with 76% of all government data requests in 2023. "Private" means "private until a detective asks."

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: the US government can demand your data from this company even if it is stored overseas
FISA §702 / PRISM: the NSA collects stored emails, photos and messages without individual warrants
Geofence warrants: police can demand location data for everyone near a crime scene
Spying: 3/4 HIGH (Is someone spying on me?)
Data Sharing: 4/4 EXTREME (Who gets my data?)
Security: 4/4 EXTREME (Is it actually secure?)
Honesty: 4/4 EXTREME (Can I trust what they say?)
Badge: Kids at risk
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
Use Signal instead: subpoenaed twice, it could only produce two timestamps.
10 contradictions (5 critical, 4 high, 1 medium) · 8 sources
Findings by concern
Spying 3/4 HIGH 2 findings
⚡ HIGH · firmware analysis vs policy claims
Meta says nobody can see your encrypted messages, but they still see who you talk to, when, how often, where you are, what links you share, and when you read messages.

What they claim: 'Nobody during delivery, including Meta, can see or listen to what's sent or said.' (Post-E2E)

What we found: Even with E2E, Meta collects: full contact graph, timestamps, frequency, message/call logs, device info, IP, location, link previews (server-side), read receipts, typing indicators, contact lists, app install history.
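The finding above is about envelope data, not message bodies. The following is an added example (not code from the page, from Meta, or from the site's own analysis) that models a relay which never sees plaintext and shows what it can still reconstruct from sender, recipient, timestamp, event kind and server-fetched link URLs. SAMPLE_EVENTS is constructed sample data with assumed field names, not captured Messenger traffic.

```python
"""Added example: what an end-to-end encrypting relay still learns from envelopes.

The relay never sees the body (modelled here as the literal "<ciphertext>"),
but it does see sender, recipient, timestamp, event kind and, when link
previews are generated server-side, the URL itself. SAMPLE_EVENTS is
constructed sample data with assumed field names, not captured traffic.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median
from urllib.parse import urlsplit

SAMPLE_EVENTS = [
    {"t": "2024-03-01T22:05:10Z", "from": "alice", "to": "bob",   "kind": "msg",  "body": "<ciphertext>"},
    {"t": "2024-03-01T22:05:40Z", "from": "bob",   "to": "alice", "kind": "read"},
    {"t": "2024-03-01T22:06:02Z", "from": "bob",   "to": "alice", "kind": "msg",  "body": "<ciphertext>"},
    # A server-side preview fetch: the URL reaches the relay in the clear.
    {"t": "2024-03-01T22:06:30Z", "from": "alice", "to": "bob",   "kind": "link",
     "url": "https://clinic.example/appointments?id=77"},
    {"t": "2024-03-02T23:10:00Z", "from": "alice", "to": "bob",   "kind": "msg",  "body": "<ciphertext>"},
    {"t": "2024-03-02T23:40:00Z", "from": "bob",   "to": "alice", "kind": "read"},
    {"t": "2024-03-03T09:00:00Z", "from": "alice", "to": "carol", "kind": "msg",  "body": "<ciphertext>"},
    {"t": "2024-03-03T09:00:05Z", "from": "carol", "to": "alice", "kind": "read"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _pair(a, b):
    """Undirected conversation key."""
    return tuple(sorted((a, b)))


def contact_graph(events):
    """Who talks to whom, and how often: {pair: message count}."""
    return dict(Counter(_pair(e["from"], e["to"]) for e in events if e["kind"] == "msg"))


def activity_profile(events):
    """When each pair is active: {pair: sorted UTC hours that carried traffic}."""
    hours = defaultdict(set)
    for e in events:
        if e["kind"] == "msg":
            hours[_pair(e["from"], e["to"])].add(_ts(e["t"]).hour)
    return {p: sorted(h) for p, h in hours.items()}


def read_latency(events):
    """Read receipts leak responsiveness: {pair: median seconds from send to read}."""
    unread = {}                      # (sender, recipient) -> time of last unread message
    samples = defaultdict(list)
    for e in sorted(events, key=lambda x: x["t"]):
        if e["kind"] == "msg":
            unread[(e["from"], e["to"])] = _ts(e["t"])
        elif e["kind"] == "read" and (e["to"], e["from"]) in unread:
            sent = unread.pop((e["to"], e["from"]))
            samples[_pair(e["from"], e["to"])].append((_ts(e["t"]) - sent).total_seconds())
    return {p: median(s) for p, s in samples.items()}


def link_domains(events):
    """Hostnames of every URL a server-side previewer fetched: {host: count}."""
    return dict(Counter(urlsplit(e["url"]).hostname for e in events if e["kind"] == "link"))


def relay_view(events):
    """Everything the relay learns without decrypting a single body."""
    assert all(e.get("body", "<ciphertext>") == "<ciphertext>" for e in events)
    return {
        "contacts": contact_graph(events),
        "active_hours": activity_profile(events),
        "read_latency_s": read_latency(events),
        "link_domains": link_domains(events),
    }


if __name__ == "__main__":
    for key, value in relay_view(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the sample data the relay recovers the contact graph (alice talks to bob far more than to carol), that alice and bob talk late at night while alice and carol talk in the morning, how quickly each party reads the other's messages, and the clinic hostname from the preview fetch, all without a key. Swapping the constructed events for a real envelope log changes nothing in the analysis, which is the point of the finding.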

⚡ HIGH · app permissions vs policy claims
To send a text to a friend, Facebook wants your camera, microphone, texts, calendar, location, every contact, and all installed apps. In 2014 they forced you to install this app or lose messaging.

What they claim: Messenger requires standard communication permissions.

What we found: com.facebook.orca requests: camera, microphone, contacts, location, SMS, phone/call info, storage, calendar, Wi-Fi info, device ID. Constellation Research: 'unprecedented and frightening.' In 2014, Facebook forced separate Messenger app installation.
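A practitioner checking a claim like "standard communication permissions" would dump the manifest and diff it against a baseline. The following is an added example (not code from the page or from Meta) that parses the text produced by `aapt dump permissions app.apk` (or `adb shell dumpsys package <pkg>`), groups the result by Android's runtime-permission groups, and lists what lies outside a minimal text-chat baseline. AAPT_OUTPUT is constructed sample text mirroring the categories the finding lists, attributed to a placeholder package rather than the app's real manifest, and BASELINE is an assumption about what a text messenger plausibly needs.

```python
"""Added example: audit an app's declared Android permissions against a baseline.

Feed it the output of `aapt dump permissions app.apk` or
`adb shell dumpsys package <pkg>`. AAPT_OUTPUT below is constructed sample
text for a placeholder package, not a real manifest; BASELINE is an assumed
minimum for a text-only chat client.
"""
import re

# Android runtime ("dangerous") permissions, grouped the way Android groups them.
DANGEROUS_GROUPS = {
    "CAMERA": {"android.permission.CAMERA"},
    "MICROPHONE": {"android.permission.RECORD_AUDIO"},
    "CONTACTS": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
                 "android.permission.GET_ACCOUNTS"},
    "LOCATION": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "SMS": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS", "android.permission.RECEIVE_MMS"},
    "PHONE": {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
              "android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG",
              "android.permission.READ_PHONE_NUMBERS"},
    "STORAGE": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE"},
    "CALENDAR": {"android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR"},
}
# Not "dangerous" in Android's model, but strong fingerprinting signals worth flagging.
WATCHLIST = {"android.permission.QUERY_ALL_PACKAGES", "android.permission.ACCESS_WIFI_STATE"}

# Assumption: what a text chat client with voice/video calling plausibly needs.
BASELINE = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
            "android.permission.POST_NOTIFICATIONS", "android.permission.VIBRATE",
            "android.permission.CAMERA", "android.permission.RECORD_AUDIO"}

# Constructed sample of `aapt dump permissions` output for a placeholder package.
AAPT_OUTPUT = """\
package: name='com.example.chat' versionCode='1'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.READ_CALENDAR'
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
uses-permission: name='android.permission.QUERY_ALL_PACKAGES'
"""

# Matches android.permission.X as well as vendor permissions (com.foo.permission.X),
# which covers both aapt and dumpsys output formats.
_PERM = re.compile(r"\b[\w.]+\.permission\.[A-Z0-9_]+\b")


def parse_permissions(text):
    """Unique permission strings found in tool output, sorted."""
    return sorted(set(_PERM.findall(text)))


def audit(perms, baseline=BASELINE):
    """Group requested runtime permissions and list those beyond the baseline."""
    requested = set(perms)
    dangerous = {g: sorted(requested & members)
                 for g, members in DANGEROUS_GROUPS.items() if requested & members}
    sensitive = set().union(*DANGEROUS_GROUPS.values()) | WATCHLIST
    beyond = sorted(p for p in requested if p in sensitive and p not in baseline)
    return {"dangerous_groups": dangerous, "beyond_baseline": beyond}


if __name__ == "__main__":
    report = audit(parse_permissions(AAPT_OUTPUT))
    for group, members in report["dangerous_groups"].items():
        print(f"{group}: {', '.join(members)}")
    print("beyond baseline:", *report["beyond_baseline"], sep="\n  ")
```

Run against a real APK, replace AAPT_OUTPUT with the tool's output and adjust BASELINE to the feature set the app actually advertises; anything left in `beyond_baseline` is what the privacy policy has to justify.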

Data Sharing 4/4 EXTREME 2 findings
⚠️ CRITICAL · policy claims vs regulatory findings
The FTC caught Meta violating privacy orders three times: a consent decree in 2012 (no fine), a $5 billion fine in 2019 (the largest privacy penalty in history at the time), and a finding of continued violations in 2023. Each time, Meta promised to change. Each time, the FTC found they hadn't. The $5 billion fine was about 7% of 2019 revenue. Meta's stock price went up the day it was announced; investors calculated it was cheaper to pay the fine than to stop collecting data.

What they claim: 2012 FTC consent decree: agreed not to misrepresent privacy. 2019: $5B fine with CEO compliance certification.

What we found: Violated 2012 order within months. Cambridge Analytica exposed 87M profiles including Messenger inboxes via read_mailbox. $725M settlement. 2023: FTC found Meta STILL in violation. Used 2FA phone numbers for advertising. Meta challenged FTC's authority.

⚠️ CRITICAL · policy claims vs app permissions
Meta told parents their kids could only chat with approved contacts. A bug let strangers in. Meta didn't tell anyone publicly. The FTC found they lied about parental controls.

What they claim: Messenger Kids: safe, parent-controlled messaging for children ages 6-12.

What we found: 2019 bug let children chat with unapproved adults. Facebook didn't disclose publicly. FTC (2023) found Facebook 'misrepresented' parental controls. Proposed ban on monetizing data from under-18s.

Security 4/4 EXTREME 4 findings
⚠️ CRITICAL · policy claims vs firmware analysis
Meta kept your Messenger conversations readable for over a decade while their other app (WhatsApp) had encryption since 2016. They chose ad revenue over your privacy for seven extra years.

What they claim: Meta positions Messenger as private. 'End-to-end encrypted messages ensure only you and the people you're communicating with can see what's sent.'

What we found: Messenger ran for 12+ years (2011-2023) with no E2E by default; the opt-in "Secret Conversations" mode added in 2016 was off unless the user switched it on per chat, one-to-one only, and mobile only. WhatsApp (also Meta) has encrypted everything by default since 2016. Even after the December 2023 rollout, group chats, business conversations, Marketplace messages and Meta AI chats remain unencrypted.

⚠️ CRITICAL · policy claims vs regulatory findings
Meta told Congress that Messenger messages are private. In 2022, a Nebraska mother and her 17-year-old daughter were charged with illegal abortion, and the key evidence was their Facebook Messenger conversations, which Meta handed to police in response to a search warrant. The daughter was sentenced to 90 days in jail and two years of probation. Meta complied with 76% of all government data requests in 2023. "Private" means "private until a detective asks."

What they claim: 'Keeping messages private is our priority.' Meta's messaging privacy commitments.

What we found: In 2022, Meta provided a 17-year-old's abortion-related DMs to Nebraska police from plaintext storage, enabling felony charges. Meta complied with 76% of 476,802 government data requests globally (88% US).

⚠️ CRITICAL · policy claims vs firmware analysis
Meta said it doesn't read your messages for ads, but admitted scanning them, got caught using URL data for advertising, and still fetches every link you share — except in Europe where the law says they can't.

What they claim: 'The content of messages between people is not used for ads targeting.' (2018)

What we found: Facebook confirmed scanning Messenger content (links, photos, moderator review). A class action alleged that URL scanning in private messages was used to profile web activity; Facebook settled. Link previews: Meta servers fetch every URL shared, so the server learns the link even when the message is encrypted (Mysk 2020). Disabled in Europe only.

⚡ HIGH · firmware analysis vs regulatory findings
In April 2021, a database containing phone numbers and personal details of 533 million Facebook users appeared on a hacking forum, for free. Facebook didn't notify affected users. It took a researcher (Alon Gal at Hudson Rock) to discover the leak and go public. Separately, a 2020 bug found by Google Project Zero let a caller hear the recipient's audio before the call was answered, and a 2016 cross-origin vulnerability (Originull) let a malicious website read your Messenger messages. Three different ways to compromise the app that promises privacy.

What they claim: Meta maintains security of user accounts and data.

What we found: View As breach (2018): 29M accounts, EUR 251M GDPR fine (imposed 2024). 533M user leak (2021): Facebook didn't notify users. Google Project Zero (2020): audio call eavesdropping ($60K bounty). Originull (2016): cross-origin bypass exposing messages.

Honesty 4/4 EXTREME 2 findings
⚡ HIGH · policy claims vs firmware analysis
Meta says they won't use your messages for AI unless you choose — but anyone else in your group chat can feed your messages to Meta AI without asking you.

What they claim: 'We do not use the content of your private messages to train our AIs unless you choose to share.'

What we found: Meta AI integrated into Messenger. Others in your group chat CAN share your messages with Meta AI without your consent. Policy warns to 'be mindful before sharing sensitive information.'

⚫ MEDIUM · policy claims vs regulatory findings
European regulators forced Meta to let other apps talk to Messenger, and Meta is still fighting over whether "pay us or we track you" is an acceptable form of consent.

What they claim: Meta committed to user privacy in EU markets and DMA compliance.

What we found: Designated gatekeeper for Messenger (Sept 2024). Required third-party interoperability. Reversed cross-app messaging between Instagram and Messenger. Ongoing 'pay or consent' investigations. Penalties up to 20% global turnover.

What happened to real people
Documented incidents involving Meta Platforms products and user data.
Cambridge Analytica harvested 87M Facebook users' data without consent for political ad targeting in the 2016 US election and Brexit referendum. $5B FTC fine.
FISA content requests to Meta increased 2,171% since 2014. Meta complied with 88% of 60,000+ government data requests. PRISM participant since 2009.
What your data is worth to governments
Meta received 60,000+ government data requests in H2 2023, up 675% over 10 years, and complied with 88% of them. Meta has been a confirmed PRISM participant since 2009. Under this programme, the NSA collects stored communications, and the company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702).
Sources