Facebook has never had much of a reputation for letting users hide their identities online. But now the world’s least anonymous website has just joined the Web’s most anonymous network.
In a first-of-its-kind move for a Silicon Valley giant, Facebook on Friday launched a Tor hidden service, a version of its website that runs the anonymity software Tor. That new site, which can only be accessed by users running the Tor software, bounces users’ connections through three extra encrypted hops to random computers around the Internet, making it far harder for any network spy observing that traffic to trace their origin.
Inviting users to connect to Facebook over Tor may seem like a strange move. Given that Facebook still requires you to log in and doesn’t allow pseudonyms (in most cases), even Tor users on the site are hardly anonymous to Facebook itself. But even so, Tor users on Facebook can now protect their identities from every other online snoop that would want to unmask them. “No, you’re not anonymous to Facebook when you log in, but this provides a huge benefit for users who want security and privacy,” says Runa Sandvik, a former Tor developer who Facebook credits with advising the project in a blog post. “You get around the censorship and local adversarial surveillance, and it adds another layer of security on top of your connection.”
Tor, after all, doesn’t just let users hide their identities from the sites they visit, anonymously buying drugs on the Silk Road or uploading leaked documents to news sites through the leak platform SecureDrop. It’s also designed to circumvent censorship and surveillance that occurs much closer to the user’s own connection.
Until now, Facebook has made it difficult for users to access its site over Tor, sometimes even blocking their connections. Because Tor users appear to log in from unusual IP addresses all over the world, they often trigger the site’s safeguards against botnets, collections of hijacked computers typically used by hackers to attack sites.
“Tor challenges some assumptions of Facebook’s security mechanisms—for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada,” writes Facebook security engineer Alec Muffett. “Considerations like these have not always been reflected in Facebook’s security infrastructure, which has sometimes led to unnecessary hurdles for people who connect to Facebook using Tor.”
Facebook’s Tor site is designed to be friendlier to those far-flung connections. And Sandvik says it also provides an extra layer of security than running Tor on the user’s end alone can provide. Tor users are often warned about malicious “exit nodes”, the final computer bouncing their traffic around the Internet. Such exit nodes can sometimes be used to spy on their unencrypted traffic or in some cases, even strip that encryption away. When both the user and Facebook are running Tor, however, the traffic doesn’t leave the Tor network until it’s safely within Facebook’s infrastructure.
Over the past few years, sites like Google, Facebook, and Twitter have all implemented default SSL encryption to protect users’ traffic. Sandvik sees Facebook’s Tor hidden service as a sign that Tor may be the next basic privacy protection Silicon Valley companies will be expected to offer their users.
“I would be really excited to see other tech companies that want to do the same,” she says. “And I’d love to help them.”
--- Andy Greenberg, Wired
More from Wired
- How Ebola Healthcare Workers Get Dressed
- 21 Awesomely Well-Designed Products We’re Dying to Own
- American Schools Are Training Kids for a World That Doesn’t Exist
- Why Your Cat Thinks You’re a Huge, Unpredictable Idiot
- 15 Incredible Photos That’ll Remind You to Be Awed by Planet Earth