Think About It: Messenger's Live Location, and Other Privacy Issues on Facebook

By Travis Jarae

The recent announcement of the new location sharing functionality within Facebook Messenger has spurred controversy regarding potential impacts on consumer privacy and security. Announced on March 27th, the new “Live Location” Facebook Messenger feature allows users to share near-real-time updates of their whereabouts with selected message recipients, for up to 60 minutes at a time.

Despite the addition of this live-location feature, the fundamental security challenges for Facebook and their users remain virtually unchanged. Somewhat paradoxically, by publicizing the ability of Facebook Messenger to collect and disseminate user location data, Facebook has an opportunity to increase the account security of their average user. As the world’s dominant social network, with over 1.15 billion daily active mobile users, Facebook has a unique opportunity to promote proper internet security practices to users around the globe.

With all of the hype around this change, let's not forget location data sharing is not a new feature on the Facebook platform or for Facebook Messenger. All messages sent using the Facebook Messenger app included a snapshot of the user’s current location by default until June 2015. The built-in feature was deprecated after a Harvard student’s revelation that this data could be used to create a shockingly accurate map of a friend’s past whereabouts.

With the latest update, Facebook Messenger users can now share a static “snapshot” of their location or allow live location tracking for up to one hour. The Live Location data is only made available to “friends” selected by the user. Because the Live Location feature is permission-based, it creates no new opportunities for unwanted third parties to access private user location data. This does not mean that hackers will not find new ways to gain access to user accounts, but merely that this feature introduces no new apparent threats. The Live Location feature only serves to highlight the real security deficiencies faced by the typical Facebook user whose account is protected by a password alone.

As our lives become increasingly digital, account security concerns are at an all-time high among consumers. Recent research indicates that approximately seven in ten online accounts are secured with a password duplicated across multiple websites, and less than half of consumers utilize extra security features such as two-factor authentication (“2FA”). This lack of security awareness has resulted in over half of online consumers admitting to falling victim to at least one stolen password or compromised account in the past 12 months.

Facebook currently supports but does not mandate the use of SMS-based 2FA or hardware security tokens such as YubiKey. By requiring consumers to opt into using 2FA as a requisite for activating Live Location sharing, Facebook has the possibility to advance the safety and online security of their user base. With nearly 80% of adults online in the U.S. maintaining a Facebook account, the company can improve the online security practices for a majority of the nation in one fell swoop.

Even without Live Location functionality enabled, a user’s Facebook account contains significant amounts of private information that can be exploited for gain by hackers and criminals. With the use of “knowledge-based authentication” (e.g. “What’s the name of your first pet?”) still prevalent for password recovery, private details mined from a compromised Facebook account can be used to gain access to other accounts. A single account breach can cascade from the takeover of a user’s social media account to compromising their bank and financial services quickly.

By bringing the availability of location data to the forefront of the user experience and driving the conversation around lax consumer security practices, Facebook can make private user information more secure than ever. As a company that has previously experienced public backlash regarding user location data sharing, Facebook is in a unique position to drive the dialogue around privacy and security issues.

Regardless of whether the Live Location functionality is enabled, securing a Facebook account with a password alone places users at heightened risk. Addressing these concerns at the root by increasing adoption of 2FA will do more to enhance consumer security than just disabling useful location-based features.

About Travis Jarae

Travis is the founder and CEO of One World Identity, a neutral platform that encourages industry participants to communicate and connect with one another, to teach, and to learn.
