Facebook's nonsensical decision to support Tor-powered connections
Facebook has added an "experimental" feature allowing Tor users to connect directly to one of its data servers via an encrypted connection in order to remain anonymous. It's not clear how long Facebook will support the connection, but the engineer who announced it says the mobile website will also be made more compatible with Tor, though he couldn't say when.
It's strange to think that one of the most invasive technology companies in the world is working to support the most popular anonymity tool available. Doesn't Facebook rely on the data it gets from users -- especially the metadata describing what device they're using, where they are, and more -- to inform the targeted advertisements on which it relies? How does that work with Tor?
The answer is that it doesn't, and it doesn't need to. It's not like millions of people are going to install the Tor bundle just because Facebook has made it easier to visit its site via the software. And it's not as if the people accessing Facebook through Tor won't surrender at least some data; you can't do much on Facebook without an account, and the company can use the information volunteered to those profile pages to show advertisements that are at least a little relevant to their viewers.
The connection established between a Tor user and Facebook's service isn't foolproof, either. As the group behind Tor explains on its website:
Tor can't solve all anonymity problems. It focuses only on protecting the transport of data. You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use the Tor Browser Bundle while browsing the web to withhold some information about your computer's configuration.
Also, to protect your anonymity, be smart. Don't provide your name or other revealing information in web forms. Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit.
What is Facebook besides a giant Web form asking users to share personal information? It wants to know your name -- and it requires that the name you share appear on your birth certificate or driver's license, as many have discovered -- and its primary purpose is sharing information with other people. It asks them what's on their mind. What they're doing. Who they're with. It encourages people to post status updates and photographs and comments.
This feature is a step in the right direction, if only because it allows Facebook users to volunteer information instead of handing it over without informed consent. (How many people really know what metadata is, let alone the implications of sharing it with a company like Facebook?) But so far as privacy features go, this one is probably the least sensical in the history of the Web, and it's more of an oddity than an actual step forward for people who care about online privacy.
[illustration by Brad Jonas]