Safety for vulnerable users on Facebook apps

9 July 2023

High-risk users include human rights defenders, activists and journalists, but also politicians and their staff, and media influencers. Individuals in these categories are more likely to be targeted online because access to their accounts is worth far more to an attacker. For example, a human rights defender may be planning their next advocacy effort, information that is valuable to a government authority, and a journalist investigating corruption could be targeted by the corporate entity under investigation. Changing digital safety behaviour, even the simplest of habits, is not an easy sell. But it is worth noting that recent breach studies report that most data breaches come down to human error (reused passwords, phishing, misconfiguration) rather than software vulnerabilities, so behaviour change is crucial to protecting your online life. As a high-risk user, you need to plan your defences by identifying who might want access to your accounts and what they could do with it. Back to the door analogy.


OTP authenticators > SMS authentication

Receiving a code via SMS is similar to hiding the second key under the doormat: it is almost in plain sight. SMS codes travel over the phone network and can be intercepted or redirected, for example by an attacker who persuades your carrier to move your number to their SIM (a SIM swap). A one-time password (OTP) authenticator application is a much safer alternative, akin to keeping the key in a safe: the shared secret stays on your device and each code is computed locally from it, so nothing travels over the network until you type the code in. Download a trusted OTP authenticator, preferably an open source one, and once you activate two-factor authentication on Facebook and Instagram choose the authentication app option rather than SMS.

‘Brush your teeth, use a password manager’

For high-risk users, using a password manager is as essential as brushing your teeth. Attackers do not just guess passwords: they use software to brute-force or crack them by trying huge numbers of candidates (like picking a lock), and they take passwords leaked from one site's breach and try them on every other site (credential stuffing). Passwords therefore need to be strong, and unique, so that a leak at one service does not open your Facebook or Instagram account. A password manager stores all your passwords securely and generates them for you, so you never have to invent or remember one. You only need to memorise the master password that unlocks the manager, and that one must be long and used nowhere else.

An additional benefit of password managers is that they store notes securely. When is that necessary? When you set up two-factor authentication, the Facebook apps give you a set of recovery codes to use if you lose access to your phone or to the app that generates your OTPs. Each recovery code works once. Store them in the password manager's secure notes rather than in a screenshot or an unencrypted file on your phone.
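As an added illustration (not from the original article), the Python below does what a password manager's generator does and puts numbers on the brute-force claim above: it draws characters from a cryptographically secure source, computes the entropy of the result, and estimates how long an attacker guessing at an assumed rate would need. The alphabet and the guess rate are assumptions made for this example.

```python
import math
import secrets
import string

# Alphabet a password manager typically draws from: 26 + 26 + 10 + 32 = 94 symbols (assumed).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password from the CSPRNG behind `secrets`; `random` is not suitable."""
    if length < 1 or not alphabet:
        raise ValueError("need a positive length and a non-empty alphabet")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is tried before a hit."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_time(seconds: float) -> str:
    """Coarse human-readable duration for the comparison table."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    RATE = 1e10  # assumed offline guess rate (guesses/second) against a fast hash
    for length in (8, 12, 16, 20):
        bits = entropy_bits(length, len(ALPHABET))
        print(f"{length:2d} chars  {bits:6.1f} bits  ~{human_time(expected_crack_seconds(bits, RATE))}")
    print("example:", generate_password(20))
```

The point of the table is that an 8-character random password falls in days at this guess rate, while 16 or more characters is out of reach; a reused password falls instantly regardless of length, because the attacker already has it from another breach.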

Zero-click exploits

Security vulnerabilities are unavoidable. Doors offer indispensable protection to houses, but they can still be broken. A zero-click exploit is the extreme case: it compromises your phone or account without you clicking a link or opening an attachment, so there is no suspicious behaviour to train yourself out of. Keeping your operating system and apps updated closes the holes that are publicly known. Meta takes security seriously, and when such an attack is discovered it notifies users it believes were targeted and whose accounts may have been compromised, so that they can check their devices and accounts.

Private communication

Encryption protects our private messages, allowing us to share sensitive information such as family photos, passwords or bank details when we want to transfer money to a friend. Without it, that personal and financial information would be exposed. WhatsApp uses the Signal protocol as the basis for its end-to-end encryption. “End-to-end encryption” means that a message is encrypted on your device and can only be decrypted on the recipient’s device: nobody in between, including WhatsApp itself, can read it. It does not protect a message once it is on either phone, so a compromised device or a screenshot still leaks it, and the service can still see who talked to whom and when. On WhatsApp you can turn on “Disappearing messages” so that new messages in a chat are erased after a chosen period (24 hours, 7 days or 90 days). From the chat, tap the contact’s name, then Disappearing messages, and choose the duration.

Messenger offers a feature called “Secret conversations” which you can turn on to talk to someone over an end-to-end encrypted channel. This is only available in the mobile app, not on the web, and at the time of writing regular Messenger and Instagram chats are not end-to-end encrypted by default, so use a secret conversation (or WhatsApp) for anything sensitive.

Conversation data back-up

Messenger conversations and Instagram direct messages are not end-to-end encrypted by default and are kept on Meta’s servers until they are deleted. If you accidentally send sensitive information, Messenger lets you unsend a message for everyone within 10 minutes by tapping the message and selecting the remove option; on WhatsApp, “Delete for everyone” is available for roughly two days after sending (it used to be about an hour). Unsending only removes the message from the chat: the recipient may already have read or captured it, and the chat will show that a message was removed.

Conversations on WhatsApp are stored locally on your device. You can also opt to back up your chats to a personal cloud account such as iCloud or Google Drive. By default that backup is not end-to-end encrypted: it is protected only by the cloud account itself, so anyone who gets into your Apple or Google account can read your chat history. Two things help. First, WhatsApp offers an optional end-to-end encrypted backup (Settings > Chats > Chat backup > End-to-end encrypted backup), protected by a password or a 64-digit key that you should keep in your password manager; with it on, not even the cloud provider can read the backup. Second, protect the cloud account itself with two-factor authentication and a unique, strong password.