Since they control the client, is it possible that the "ad profiling" can still take place on the client, after the message is received and decrypted for visualisation?
The E2EE only means the message is not readable "in transit" (as in after it leaves a Facebook client).
1. Meta can read the metadata perfectly well (who communicates with whom and when), which is enough for ads.
2. Meta doesn't want to be able to read messages, since it's a PR nightmare when doing so. Case: Ordered to do so by a government agency. People could switch to Signal.
3. Data isn't readable "in transit", since it's encrypted with HTTPS. Only Facebook servers could read it if they wanted.
If two of your recipients interacted with a certain ad, there's a chance you have similar interests.
Combine this with the frequency of your chatting and your location (at least based on IP) and the other little bits of stuff users give about themselves, and Meta doesn't really need to know specifically what the contents of your messages are.
In the mass of their users, an informed smart guess is more than enough.
They control the client, so they can do whatever they want. They can take the plain text, encrypt it with my key, encrypt it with their key, catenate the two, send to FB, split off their "copy" and decrypt it to do whatever with, and send my "copy" on to the recipient.
e2e isn't a tech issue, it's a trust issue. Do *you* trust FB?
As opposed to the prior step, "0. Analysis During Composition", in which the Messenger client is doing all the metadata analysis/collection while you are typing, and already knows all the tags it's going to assign to you for Meta, before the message is encrypted.
Sure, third parties won't be able to see your message. But you did give Meta permission to analyse your content prior to posting.
This anti-pattern is all over Meta's products. You can see it in use when you type an update in Facebook using a browser - just try to leave your comment un-posted, or close the page, etc. Every single keystroke prompts Meta's analysis - which is completed when you press "Post" (prior to encryption/transfer ..)
So this is some slick positioning on the part of Meta's technical PR managers ..
> is it possible that the "ad profiling" can still take place on the client
I believe this is the future in a GDPR world. The server sends a list to the client of 1000 ads, and the client decides which to show based on all the data available locally and a big local neural network model to decide which you're most likely to click.
IIUC the Brave browser is already experimenting with this model. They promise[0] "privacy-preserving" ads to users AND targeting to advertisers:
"...when a Brave Ad is matched to you, it is done on your own device, by your own device, inside Brave itself. Your personal data never leaves your own device."
The mechanism is very similar to what you describe.
The problem is that the 'secret sauce' of ad targeting is that model that decides what you're most likely to click... Ad networks really don't want that model outside their data centers...
Alas, the GDPR might force a rethink on that when it gets enforced with teeth.
No, this is not what E2EE means at all. E2EE means the message is not readable in transit nor is it measured, scanned, sampled, copied, exported, or modified in any way without explicit action taken to do so by one of the legitimate parties to the conversation.
If the client just leaks the plaintext or leaks any information about the plaintext that encryption is supposed to protect then the encryption scheme cannot be described as "end to end".
Client dictates what ads are shown. Fb knows what ads are shown to who. Fb now can deduce what topics people are talking about. Technically convo info has leaked. If someone is getting served ads for Trump, they probably like Trump. If they are getting ads for Biden they probably like Biden. Etc.
Yes, so that would violate the end to end principle. If the client downloaded all of the possible ads and the selection was totally local, and interaction with any of them was a user choice I think that could still be fairly described as E2E though. Or ads were fetched by private information retrieval.
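The disagreement in the last two comments can be made concrete with a small simulation, added here as an illustration and not taken from any participant, Meta or Brave: the client picks an ad locally from decrypted text, and the only variable is whether the impression is reported back. The catalogue, ad IDs, messages and function names are all constructed assumptions.

```python
# Added illustration; every ad, message and name below is constructed.
from collections import Counter

# Catalogue the server pushes unchanged to every client
# (stand-in for the "list of 1000 ads" mentioned in the thread).
CATALOGUE = {
    "ad-01": {"topic": "hiking", "keywords": {"trail", "boots", "tent"}},
    "ad-02": {"topic": "cooking", "keywords": {"recipe", "oven", "knife"}},
    "ad-03": {"topic": "cycling", "keywords": {"bike", "helmet", "gears"}},
}

# Constructed plaintexts, as the client sees them after decryption.
MESSAGES = ["Did you pack the tent?", "My boots are wrecked after that trail."]

def select_ad_locally(plaintexts, catalogue=CATALOGUE):
    """Client side: pick the ad whose keywords overlap most with the
    words of the decrypted messages; None if nothing matches."""
    words = Counter(w.strip(".,!?").lower()
                    for m in plaintexts for w in m.split())
    scores = {ad_id: sum(words[k] for k in ad["keywords"])
              for ad_id, ad in catalogue.items()}
    best = max(sorted(scores), key=scores.get)
    return best if scores[best] > 0 else None

def client_session(plaintexts, report_impressions):
    """Return the telemetry that leaves the device alongside the
    E2EE ciphertext (the ciphertext itself is not modelled)."""
    shown = select_ad_locally(plaintexts)
    if report_impressions and shown is not None:
        # Impression reporting: the ad ID is a function of the plaintext.
        return [{"event": "impression", "ad_id": shown}]
    # Fully local selection: nothing derived from plaintext is sent.
    return []

def server_inference(events, catalogue=CATALOGUE):
    """Server side: topics deducible from telemetry alone."""
    return sorted({catalogue[e["ad_id"]]["topic"] for e in events})

if __name__ == "__main__":
    print("with reporting:   ", server_inference(client_session(MESSAGES, True)))
    print("without reporting:", server_inference(client_session(MESSAGES, False)))
```

The same local selection step produces a topic leak or no leak depending only on whether its output is sent to the server, which is the distinction the reply draws.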
The E2EE only means the message is not readable "in transit" (as in after it leaves a Facebook client).