The world’s least anonymous social network just got a little more private.
Facebook, which has a controversial policy that mandates that users provide their real names and other personal information, has become the first major social network to launch a “dark Web” version of its site, allowing users of popular anonymity software Tor to hide their location from Facebook and protect their data from online spies, be they of the government or corporate variety.
Digital security experts lauded Facebook’s hidden-site experiment, which allows users to access Facebook via an alternate Tor-enabled .onion URL, as a sign the tech giant was shifting gears on some users’ long-running demands for greater privacy. Once Tor seemed to undermine a basic Facebook premise — that a social network should represent users’ true identities — but it has since come to be viewed as a valuable bridge enabling millions of users to log on in countries where Facebook is banned.
Tor works by bouncing a user’s data across several encrypted nodes — volunteer computers and servers anywhere in the world — before arriving at a website as a request. The data, therefore, appears to be coming from the last node in the chain instead of from the user’s computer. The name is an acronym for “the onion router,” a reference to added layers of encryption this process provides.
Facebook and other major sites, including Twitter and Google, have in recent years adopted SSL encryption, which helps safeguard users’ traffic from local eavesdroppers, like the owner of an Internet cafe with Wi-Fi. Tor goes a critical step further by obscuring a user's Web traffic from even the Internet service provider (ISP), making it almost impossible for other parties — from cyberintelligence units to marketers — to identify and locate that user.
“There’s no reason to let your ISP know when or whether you’re visiting Facebook,” wrote Roger Dingledine, the president and director of the Tor Project, in a post commending Facebook’s move. “If you do choose to tell Facebook something about you, there’s still no reason to let them automatically discover what city you’re in today while you do it.”
Hundreds of thousands of users across the globe are already using Tor to access Facebook, but the “dark” site will add extra layers of encryption on Facebook’s end. It will also address problems Tor users run into when logging into Facebook, which has in some cases blocked their connections because it mistakes the circuitous data routing for a hijacked computer.
“Tor challenges some assumptions of Facebook’s security mechanisms,” wrote Alec Muffett, a Facebook software engineer, in a post announcing the new Tor URL. “For example, its design means that from the perspective of our systems, a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada. In other contexts such behavior might suggest that a hacked account is being accessed through a botnet, but for Tor, this is normal.”
The Tor software was developed by the U.S. Navy and is still funded by the State Department, which has promoted its use among activists and journalists in countries such as China or Iran who wish to circumvent government surveillance or localized website blocking. It has also been used by whistle-blowers, including in the United States, to contact journalists or the public without blowing their cover, as well as for less savory purposes, such as distributing child pornography or selling drugs and other illicit goods on the online black market Silk Road.
A knowledgeable individual who asked to be identified as “a source close to Facebook” told Al Jazeera that introducing the hidden site did not undermine the company's true-identity-based platform, because users are still required to use their names and abide by the same policies no matter how they log in. In other words, Facebook will still learn who a Tor user is as soon as that person logs in. They just won’t know where from.
The real-name policy remains a point of controversy for digital security advocates, who say there are many legitimate reasons people should not have to disclose their identity online. Mohamad Najem — a co-founder of SMEX, a social media consultancy that focuses on the Middle East and a Carnegie Fellow at the New America Foundation — said the .onion URL was a big step toward protecting user privacy, but noted that Facebook’s real-name policy still posed a security risk to activists who may be wanted by their governments. “If they catch one admin, it will reveal all the others,” he said, noting that the Egyptian government has in recent weeks arrested hundreds of political dissidents active over Facebook (though it isn't clear how they were tracked down).
Nor is Tor foolproof. Because the software must be downloaded, anyone who has access to a user's physical computer can locate the Tor file and infer suspicious online activity. In Syria, for instance, there are reports that intelligence agencies have confiscated the laptops of political dissidents and thrown them in jail or tortured them if they find Tor on the hard drive. The Electronic Frontier Foundation, a digital rights advocacy group, has also reported that Syrian ISPs were managing to block new downloads of Tor for those who hadn’t yet installed it.
Still, digital rights groups say they hope Facebook’s dark site marks a shifting tide for tech giants to take online privacy more seriously. They hope Facebook’s experiment will set a new standard of security beyond SSL encryption for major websites that hold sensitive user data.
"Post-Snowden, we can talk about companies feeling a certain amount of pressure to take privacy and security seriously," said Runa Sandvik, a privacy researcher and former Tor developer who Facebook credited for helping with the .onion URL.
"Facebook is the site with the real-name policy and with a history of doing a lot of tracking and collection of personal info," she said, "so for Facebook of all companies in Silicon Valley to be the first to make it happen is quite amazing."