This post is by Thomas Karpiniec, Chair of EFA’s Policy & Research Committee.
On Friday Facebook announced that they are making their website available as a Tor hidden service. This will improve the Facebook experience for anyone who uses Tor to make their web browsing more anonymous, but there are downsides.
Tor (The Onion Router) is free software to help people conceal their web browsing from their ISP, and by extension, law enforcement and intelligence agencies. It also conceals their identity and location from the sites they are visiting. It does this by bouncing all web browsing traffic between multiple computers before it goes to the real destination. Each computer in the chain only knows about the computer in front and the computer behind. This makes it difficult to trace the communication back to the computer which originally requested it.
If you are careful not to reveal any information about who you are or where you are, Tor can be an effective way to use the Internet with relative anonymity. This is subject to various caveats but it does make surveillance considerably more difficult.
If you have a Facebook account, your name, posts, locations and friendship network document your real identity very thoroughly. From a privacy perspective, using Tor to obfuscate your communications with Facebook is akin to driving to a destination in a car with no numberplate and heavily-tinted windows, then getting out and presenting your drivers licence on arrival. It really doesn’t provide much privacy value.
If you use Facebook there are at least two reasons why you might want to use their Tor service though. If you live in a country where Facebook is blocked but Tor is not, Tor will enable you to bypass that block and access Facebook. It also allows you to gain a small element of additional privacy by not revealing your real IP address to Facebook every time you visit.
But, there are also good reasons not to use Tor to access Facebook. In July some NSA rules were leaked that describe when they target people for surveillance. Using Tor is enough to get you on that list. Being a known user of Tor unfortunately flags you as ‘someone to be watched’.
Until this change, if you connected to Facebook using Tor, it may have triggered their anti-abuse technologies, which would have assumed your computer was part of a botnet. They would require you to validate your identity or possibly prevent you from logging in.
Now you have the option to connect to their new hidden service, which will allow you to log in and use Facebook via Tor. Remember however that this means Facebook are then able to clearly identify you (or your Facebook identity, at least) as a Tor user. Facebook will therefore be creating a log of exactly which account holders are using Tor, regardless of whether this is their intention. They may, in turn, be compelled to provide this information to the NSA or other government agencies, or those agencies may be retrieving it through clandestine means.
Using Facebook can also compromise your other Tor browsing – any browsing you are doing on other sites at the same time through the same exit node may be able to be traced to your Facebook identity. Being logged in to Facebook could reveal your identity to other websites that incorporate social media functionality depending on the privacy settings and extensions in your browser.
While Facebook has received praise for taking the step to implement a Tor hidden service, and there’s no prima facie reason to doubt their motives in doing so, users should be aware that using this service will not necessarily provide greater privacy.
If you use, or are considering using Tor you should carefully consider your own privacy risk profile and make an informed choice.