All it took was to mention a secret link to an mp4, uploaded to a private encrypted server, in a private message to a friend on Facebook. After a while the server logs showed this:
188.8.131.52 - - [04/Sep/2016:20:26:28 +0200] "GET /<hiddenpath>.mp4 HTTP/1.1" 206 131072 "-" "facebookexternalhit/1.1"
184.108.40.206 - - [04/Sep/2016:20:26:31 +0200] "GET /<hiddenpath>.mp4 HTTP/1.1" 200 32387503 "http://l.facebook.com/lsr.php?<omitteddetails>" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
220.127.116.11 - - [04/Sep/2016:20:26:57 +0200] "GET /<hiddenpath>.mp4 HTTP/1.1" 206 32387503 "<hiddenlink>" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
Seeing a Safari browser download the file, I thought it had been her, so I removed the file from the web server, but she later replied that she hadn't downloaded the video yet.
Since only she, I and Facebook knew of the video, it must have been Facebook downloading the video, faking a Safari browser. So I checked and... yes... the downloading IP number belongs to Facebook, and the way it downloaded the file three seconds after the normal check for its existence should have made me suspicious.
"facebookexternalhit" is the official Facebook spider to check the integrity of links. As you can tell from the log it only took the first 131072 bytes rather than the entire 32387503. It is a spectacular totalitarian invasion of privacy that Facebook would then download a private video anyway.
After almost an hour, Facebook checked again. By that time the video was gone.
18.104.22.168 - - [04/Sep/2016:21:10:16 +0200] "GET /<hiddenpath>.mp4 HTTP/1.1" 302 286 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
All of the IP numbers appear to be registered to Facebook, although some of them suspiciously refuse to be tracerouted.
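The pattern in the log above, a "facebookexternalhit" preview fetch followed seconds later by a full request for the same path under a browser user agent, can be searched for in any combined-format access log. The following Python is an added example, not part of the original post; the function names, the 60-second window and the sample lines (documentation IP addresses, placeholder path) are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format, as in the lines quoted above.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

PREVIEW_UA = "facebookexternalhit"  # crawler token seen in the post's log

def parse(line):
    """Turn one access-log line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def followups_after_preview(lines, window=timedelta(seconds=60)):
    """Return non-crawler requests that arrive within `window` after a
    link-preview fetch of the same path (hypothetical helper)."""
    records = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    last_preview = {}  # path -> time of the most recent crawler hit
    hits = []
    for r in records:
        if PREVIEW_UA in r["ua"]:
            last_preview[r["path"]] = r["ts"]
            continue
        seen = last_preview.get(r["path"])
        if seen is not None and r["ts"] - seen <= window:
            delay = int((r["ts"] - seen).total_seconds())
            hits.append((r["path"], r["ip"], delay, r["status"], r["size"], r["referer"]))
    return hits

# Constructed sample lines, modelled on the log above (not the author's data).
SAMPLE = [
    '192.0.2.10 - - [04/Sep/2016:20:26:28 +0200] "GET /secret.mp4 HTTP/1.1" 206 131072 "-" "facebookexternalhit/1.1"',
    '192.0.2.11 - - [04/Sep/2016:20:26:31 +0200] "GET /secret.mp4 HTTP/1.1" 200 32387503 "http://l.facebook.com/lsr.php" "Mozilla/5.0 (Macintosh) Chrome/52.0"',
    '198.51.100.7 - - [04/Sep/2016:22:00:00 +0200] "GET /secret.mp4 HTTP/1.1" 200 32387503 "-" "Mozilla/5.0 (X11) Firefox/48.0"',
]

if __name__ == "__main__":
    for hit in followups_after_preview(SAMPLE):
        print(hit)
```

A match is only a lead: the recipient clicking the link within the window would look the same in the log, so the client address still has to be checked against its registered owner, as the post does.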
Facebook now has a copy of the video that otherwise only exists on my hard disk. The legitimate recipient doesn't.
This behavior is new. At some point in the last three years Facebook must have introduced this new degree of surveillance. I had occasionally sent private https links to people before and never saw such aggressive invasion of privacy.
Update: Even worse, WhatsApp tries to fetch things you mention in messages as you type the URL!
Go have a chat.