Facebook and Instagram Link Previews Would Break EU Privacy Law, Say Security Researchers - MacRumorsOpen MenuShow RoundupsShow Forums menuVisit ForumsOpen Sidebar
Skip to Content

Facebook and Instagram Link Previews Would Break EU Privacy Law, Say Security Researchers

A follow-up report by security researchers Talal Haj Bakry and Tommy Mysk has alleged that Facebook Messenger and Instagram are collecting and using data from link previews in a way that would breach European privacy law.

facebook messenger icon new

In October last year, Bakry and Mysk revealed that link previews in popular messaging apps can lead to security and privacy issues on iOS and Android. It was discovered that apps could leak IP addresses, expose links sent in end-to-end encrypted chats, download large files without users' consent, and copy private data through link previews.

In that report, Bakry and Mysk found that Facebook Messenger and Instagram behaved unlike other messaging apps in that they downloaded the entire contents of any link to its servers, regardless of size. When questioned about this unusual behavior, Facebook reportedly said that it considers this to be "working as intended."

Copies of link preview data kept on external servers could be subject to breaches or misuse, which may be particularly concerning for users who send links to sensitive or confidential private data such as business documents, bills, contracts, or medical records.

Now, Bakry and Mysk have found that Facebook has recently stopped generating link previews in Messenger and Instagram for users in Europe to comply with the European Union's ePrivacy Directive. The change also applies to users outside Europe if they communicate with someone in the region.

messenger link previewsLinks sent in Facebook Messenger as seen in Europe and other regions

The researchers suggest that since Europe has "some of the most robust privacy laws" and Facebook has now removed link previews seemingly to comply with the legislation, the company must have been using the data from link previews in a way that would breach the ePrivacy Directive.

It is an implicit confirmation that Facebook's handling of link previews in Messenger and Instagram did not conform to privacy regulations in Europe, otherwise they wouldn't have disabled the feature... Stopping this service in Europe strongly hints that Facebook may be using this content for purposes other than generating previews.

Bakry and Mysk believe that Facebook's link previews may have infringed on articles 4:1a, 4:2, and 5:3 of the ePrivacy Directive. These articles include the requirement that personal data can only be accessed by authorized personnel for legal purposes, the need to inform users of the risks of a data breach, and the need to gain user consent having been provided with "clear and comprehensive information" about how data is collected.

As links may relate to personal data, the ePrivacy Directive prevents Facebook from storing, processing, or using this information without explicit consent from users in the EU. Facebook would also have to make it clear to users why it is downloading the contents of link previews prior to requesting consent.

Bakry and Mysk have demonstrated that Facebook servers download and store the content of links sent through its apps, and if the same link is sent a second time, Facebook generates a link preview without downloading the contents of the link. This purportedly indicates that the content is stored or cached by Facebook and is proven by the amount of data that is uploaded from a user's device.

Link previews continue to be available in Messenger and Instagram for users outside Europe. Facebook's current Terms of Service state that any content users share through any of Facebook's services will be used for various purposes such as personalizing content, ads, making suggestions, and learning about users, both on and off Facebook's products. In Europe, this use of personal data now requires explicit consent from users even if it is approved by Facebook's Terms of Service.

Facebook disabled link previews for users in Europe to comply with new privacy regulations. This confirms our privacy concerns that sending links to private files in Messenger and Instagram is unsafe. While Facebook did disable link previews in Europe, users in other regions should refrain from sending links through either of these apps. The better option would be to switch to other messaging apps which respect user privacy in all parts of the world alike.

Bakry and Mysk are now actively recommending that users outside Europe do not send links in Messenger or Instagram due to privacy concerns, and have even suggested that users move to other messaging apps entirely.

Beyond link previews, the researchers have previously investigated popular iPhone and iPad apps "snooping" on iOS pasteboard data and HTTP security vulnerabilities in TikTok.

Popular Stories

Instagram Feature 1

Instagram Now Lets Users Reorder Posts on Their Profile Grid

Tuesday June 9, 2026 2:51 am PDT by
Instagram is now rolling out a long-awaited feature that lets users rearrange posts in any order on their profile grid. The update, which began reaching users on June 8, is available via the Instagram app for iPhone and Android. To reorder posts, users can go to their profile, long-press any post on the grid, select "reorder grid" from the pop-up menu, then drag content to the desired...
iCloud iPhone 17 Pro

iPhone Users Who Pay for iCloud Storage Get Two New Perks on iOS 27

Thursday July 2, 2026 6:10 am PDT by
If you pay for certain iCloud+ storage plans beyond the 5GB that Apple offers for free, you will receive two more perks on iOS 27 at no additional cost. A summary of the two new iCloud+ perks on iOS 27:Increased daily usage limits for some new Apple Intelligence features, including image generation in the revamped Image Playground app. HomeKit Secure Video cameras receive generated video...
Apple Event Logo

Apple Just Released a New Product

Thursday July 2, 2026 8:04 am PDT by
Apple's first product release of summer 2026 occurred this week, but do not get too excited, as it is merely the Beats Solo Buds in a new color. Beats Solo Buds are now offered in orange through Best Buy in the U.S., with availability set to expand to 7-Eleven stores in Japan on July 4. Apple already offered orange Solo Buds in India for free with the purchase of an iPhone 15 or iPhone 15 ...

Top Rated Comments

Matthew.H Avatar
71 months ago
Why does this not surprise me.
Score: 9 Votes (Like | Disagree)
71 months ago
What is more curious, is that day by day we have story after story of the FB group misusing data, mining data, selling personal data, building profiles of individual for nefarious means, manipulating the political sphere etc etc...

And YET people still use the services every single day.
Score: 8 Votes (Like | Disagree)
infinitejest Avatar
71 months ago
They only do that to save small businesses, guys!
Score: 6 Votes (Like | Disagree)
Pangalactic Avatar
71 months ago
Waiting for the Facebook reply "But tracking and data mining is good for you! It is privacy that violates your...ehmm...advertising potential!"
Score: 6 Votes (Like | Disagree)
luvbug Avatar
71 months ago
Evil, just simply evil. Scumbags extraordinaire.
.
Score: 6 Votes (Like | Disagree)
Mike_Trivisonno Avatar
71 months ago
Honestly, what the heck is wrong with these companies? They are so weird and creepy. Can't they just stop stalking their users? Just quit it. People want advanced technology, not cyber-stalking freaks.
Score: 6 Votes (Like | Disagree)