Are Your Facebook Messages Really Private? Here’s the Truth


Over a billion people communicate through Facebook Messenger every day. While Facebook says it takes measures to keep users’ information private, how secure are those billions of messages really?

Here, Facebook shares information on how some of its security works, while Vyas Sekar, a faculty member of CyLab at Carnegie Mellon University and a professor of Electrical and Computer Engineering, breaks down how someone might still find ways around it.

What security measures does Facebook Messenger take?

Facebook’s Messenger feature and app already include a fair amount of security. According to Facebook, Messenger uses the same secure communications protocols as banking and shopping sites. The company also says it uses additional protection to stop spam and malware.

As of 2016, Facebook added another security feature called “secret conversations,” which offers an encryption enhancement that Sekar says is similar to default features from messaging apps WhatsApp (which Facebook owns) and Signal. Messages sent in secret conversations are end-to-end encrypted, which means not even Facebook can access them. However, while these encryption options are on by default in apps like WhatsApp and Signal, users must choose to activate encryption on Facebook Messenger.

Can people get around Facebook’s security?

It’s important to note, Sekar says, that “anything can be hacked.” More importantly, he adds that sometimes no amount of back-end security will stop someone from accessing your messages if they decide to do so by physically accessing the device they’re on. And if someone is able to access your device, besides simply glancing at your messages, they might also be able to install a hidden spying app that can continue to access information in the background of your phone or computer.

It’s also possible for hackers to target a user’s Facebook password by using password-cracking tools or exploiting the ability to reset a password, then use that to sign into a victim’s Facebook account. “There’s often enough someone can see on a public profile that gives enough information to crack a password,” Sekar says.

Hackers can also download a fake app that can mimic Facebook or Messenger’s interface, Sekar said, which may also be used to prompt a user to put in information, like a password, that can be used by someone else.

How can I protect myself from having my messages hacked?

Since a major route around Facebook’s protections involves gaining access to a person’s phone, one way to help ensure your messages won’t be read is keeping your device secure, Sekar says. He recommends making sure there’s a password on your device and that it isn’t left unlocked to prevent people from gaining access in the first place.

Sekar adds that making sure passwords use information that isn’t publicly available and using different passwords for different accounts will also help make it hard for people to get into your account.
