This post is by Thomas Karpiniec, Chair of EFA's Policy & Research Committee.

On Friday Facebook announced that they are making their website available as a Tor hidden service. This will improve the Facebook experience for anyone who uses Tor to make their web browsing more anonymous, but there are downsides.


Tor (The Onion Router) is free software that helps people conceal their web browsing from their ISP and, by extension, from law enforcement and intelligence agencies. It also conceals their identity and location from the sites they are visiting. It does this by relaying all web browsing traffic through a chain of several volunteer-run computers (normally three) before it reaches the real destination, with the traffic wrapped in one layer of encryption per relay. Each computer in the chain strips one layer and learns only the computer before it and the computer after it. This makes it difficult to trace the communication back to the computer which originally requested it.
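To make the "each computer only knows the hop before and the hop after" point concrete, here is a toy model of onion routing. It is an added illustration, not Tor's own code: the three relay keys are hypothetical pre-shared secrets (real Tor negotiates them with a key exchange while the circuit is built), the cipher is an HMAC-based stand-in for the AES counter mode Tor uses, and the request and destination are constructed sample input. Each relay is given only its own key, so it can strip exactly one layer and is left with an opaque blob plus the name of the next hop.

```python
"""Toy model of Tor's onion routing (illustration only, not Tor's code).

Three relays, three layers of encryption. Relay i holds only key i, so it can
remove only layer i and learns only who handed it the cell and where it goes next.
"""
import hashlib
import hmac
import json
import os

PATH = ["guard", "middle", "exit"]  # the three relays of a standard circuit

# Hypothetical per-relay keys, fixed so the example runs offline. Real Tor
# derives these with a key exchange while the circuit is extended hop by hop.
RELAY_KEYS = {name: hashlib.sha256(b"demo-key-" + name.encode()).digest() for name in PATH}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (demo only, not for real use)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """Add one onion layer: random nonce followed by plaintext XOR keystream."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_layer(key: bytes, ciphertext: bytes) -> bytes:
    """Strip one onion layer; XOR with the same keystream undoes encrypt_layer."""
    nonce, body = ciphertext[:16], ciphertext[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def build_onion(path: list, destination: str, request: bytes) -> bytes:
    """Client side: wrap the request so that relay i can remove only layer i.

    Every layer is a small JSON cell naming the next hop plus an opaque payload.
    Only the innermost cell, readable by the exit alone, names the real destination.
    """
    cell = json.dumps({"next": destination, "payload": request.hex()}).encode()
    onion = encrypt_layer(RELAY_KEYS[path[-1]], cell)
    for i in range(len(path) - 2, -1, -1):  # wrap from the exit outward to the guard
        cell = json.dumps({"next": path[i + 1], "payload": onion.hex()}).encode()
        onion = encrypt_layer(RELAY_KEYS[path[i]], cell)
    return onion


def relay_process(name: str, previous_hop: str, onion: bytes):
    """Relay side: strip one layer, learn the next hop, forward the rest unread.

    Returns (what this relay observed, the blob it forwards). It cannot read the
    forwarded blob because it holds only its own key.
    """
    cell = json.loads(decrypt_layer(RELAY_KEYS[name], onion))
    observed = {"from": previous_hop, "to": cell["next"]}
    return observed, bytes.fromhex(cell["payload"])


def run_circuit(path: list, destination: str, request: bytes):
    """Push one request through the circuit; return each relay's view and what the exit emits."""
    onion = build_onion(path, destination, request)
    views = {}
    previous = "client"
    for name in path:
        views[name], onion = relay_process(name, previous, onion)
        previous = name
    # What leaves the exit is the plaintext request. Between the exit and the
    # destination only TLS (HTTPS) protects it, which is why HTTPS over Tor matters.
    return views, onion


if __name__ == "__main__":
    views, delivered = run_circuit(PATH, "www.facebook.com", b"GET / HTTP/1.1")
    for relay, seen in views.items():
        print(f"{relay:6s} sees: from={seen['from']:7s} to={seen['to']}")
    print("exit delivers:", delivered)
```

Running it shows the guard learning the client but not the destination, the middle relay learning neither, and the exit learning the destination but not the client. The final comment in the code is the caveat raised in the second comment below: the exit sees the plaintext unless the request itself is encrypted. For a hidden service that last step does not exist, because the connection is rendezvoused inside the Tor network and never passes through an exit node.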

If you are careful not to reveal any information about who you are or where you are, Tor can be an effective way to use the Internet with relative anonymity. This is subject to various caveats but it does make surveillance considerably more difficult.

If you have a Facebook account, your name, posts, locations and friendship network document your real identity very thoroughly. From a privacy perspective, using Tor to obfuscate your communications with Facebook is akin to driving to a destination in a car with no numberplate and heavily-tinted windows, then getting out and presenting your driver's licence on arrival. It really doesn't provide much privacy value.

There are, however, at least two reasons a Facebook user might still want to use the Tor service. If you live in a country where Facebook is blocked but Tor is not, Tor will let you bypass that block and reach Facebook. It also gives you a small element of additional privacy by not revealing your real IP address to Facebook every time you visit.

But there are also good reasons not to use Tor to access Facebook. In July, NSA targeting rules were leaked that describe when people are selected for surveillance. Using Tor is enough to get you on that list: being a known Tor user unfortunately flags you as 'someone to be watched'.

Until this change, connecting to Facebook over Tor could trigger its anti-abuse systems. Your connection appeared to come from an exit node shared with many other users, and from a different location each time the circuit changed, which looks like a compromised account or a botnet. Facebook would then require you to verify your identity, or might prevent you from logging in altogether.

Now you have the option to connect to their new hidden service, which will allow you to log in and use Facebook via Tor. Remember however that this means Facebook are then able to clearly identify you (or your Facebook identity, at least) as a Tor user. Facebook will therefore be creating a log of exactly which account holders are using Tor, regardless of whether this is their intention. They may, in turn, be compelled to provide this information to the NSA or other government agencies, or those agencies may be retrieving it through clandestine means.

Using Facebook can also compromise your other Tor browsing. If you reach the regular facebook.com site through Tor rather than the hidden service, any other sites you visit through the same circuit and exit node at the same time all appear to come from the same exit IP address, so they may be linked to your Facebook identity. (A connection to the hidden service stays inside the Tor network and uses no exit node, so that particular linkage does not arise, though it says nothing about what Facebook itself logs.) Being logged in to Facebook can also reveal your identity to other websites that embed Facebook's social media functionality, such as Like buttons and comment widgets, depending on the cookie and privacy settings and the extensions in your browser.

While Facebook has received praise for taking the step to implement a Tor hidden service, and there’s no prima facie reason to doubt their motives in doing so, users should be aware that using this service will not necessarily provide greater privacy.

If you use, or are considering using Tor you should carefully consider your own privacy risk profile and make an informed choice.

2 comments

  1. why don't you tell them the truth?

    facebook using ssl certificates for .onion domains is clearly an attempt to circumvent anonymity on tor.

    browser ssl verification directly to CAs could leak the user's IP
    and facebook is big enough to OWN CAs

    Why are you people not willing to face the truth about centralised ssl verification generally.
    it doesn't look like it has much to do with security or encryption but everything to do with CENSORSHIP BY THE BACK DOOR

    have you been corrupted or infiltrated or taken over?

    your BLIND support for TLS as some kind of magic security fix for everything is making me very suspicious

    the ssl-everywhere brigade is creating a huge long-term censorship threat with that centralised verification nonsense and you say nothing?

    that is just way too suss...

    please come clean or nobody will trust you any more.

    Comment by honestyplease! on 2 November 2014 at 20:36
  2. That last comment is simply factually incorrect about how certificate validation in TLS/SSL works. Validation of a CA certificate relies on the CA root certificate distributed with your browser or operating system, rather than connecting to the CA directly, and so does not leak your IP address to the CA. In any case if it did leak to the CA, it would leak the Tor anonymised exit node address (which Facebook would already have), not the private IP. And using some form of encryption (such as HTTPS and/or a VPN) is essential when using Tor, otherwise user login credentials can be revealed in transit, removing anonymity.

    EFA supports the EFF's HTTPS Everywhere project, but is well aware of the security weaknesses of the CA system, and encourages knowledge and use of the many different methods that can be used to increase the security of the CA system while increasing privacy, such as key pinning and logging systems, and emerging alternatives such as DANE and secure peer-to-peer and web-of-trust based systems. We support TLS, but not blindly.

    And Facebook's certificate is issued by DigiCert, which is not owned by Facebook.

    And we certainly do not feel that we have been corrupted or taken over, and remain rigorously opposed to any form of censorship or privacy violation, and take seriously our obligation to provide good advice regarding relevant technology.

    Comment by David Cake on 3 November 2014 at 06:50