
Cryptographic Tools To Keep You Hidden On Facebook

Posted by timothy
from the unless-they-don't dept.
Al writes "Many people reveal way too much personal information on social networking sites — something that can easily lead to identity theft or unwanted attention from employers etc. Technology Review has a story about several cryptographic tools that can be used to hide your activity on Facebook, from both untrusted users and from Facebook itself. Urs Hengartner, an assistant professor of computer science at the University of Waterloo, developed a Firefox plugin that obfuscates anything marked with '@@' on Facebook and only reveals the correct information to trusted users who have the right keys. The sensitive data itself is even stored on an outside server so that even Facebook cannot access it. The piece mentions two other projects, NOYB and flybynight, that also aim to make personal information more secure on Facebook."

  • Excellent Example! (Score:5, Insightful)

    by swanzilla (1458281) on Wednesday September 09, 2009 @04:06PM (#29370765) Homepage
    From the article:
    Dubbed FaceCloak, the tool assures its users that sensitive data stays private, Hengartner says. "If you have a particular illness, you might want to allow only your friends to see that," he says.
    or alternatively, you might keep that shit off Facebook
    • by MrNaz (730548) * on Wednesday September 09, 2009 @04:17PM (#29370959) Homepage

      This is Web 2.0. Common sense has no business here.

    • by FooAtWFU (699187) on Wednesday September 09, 2009 @04:26PM (#29371133) Homepage
      Their solution to keeping private data off Facebook: Put it somewhere off of Facebook! ... wow, wish I thought of that. Now if only we could trust the off-of-Facebook people...
    • by palegray.net (1195047) <philip DOT paradis AT palegray DOT net> on Wednesday September 09, 2009 @04:30PM (#29371187) Homepage Journal
      I don't use Facebook. People don't have to solve problems they don't create in the first place.
      • by ArhcAngel (247594) on Wednesday September 09, 2009 @04:55PM (#29371549)

        I had no need for FACEBOOK either until a few months ago. A very dear friend lost her husband to a car accident. They had moved years ago but we tried to keep in touch. To disseminate information about the accident and subsequent hospital updates (he lived for about a week after the accident) etc. she decided it would be easier to post the info on FACEBOOK where all her friends could see it at once rather than fielding umpteen calls an hour. I created an account and was able to follow the status as well as provide long distance support via posts to her wall. What I also found was that there were lots more friends I had lost touch with long ago I was able to reconnect with. Several of whom have renewed friendships and communicate via FACEBOOK daily even though there is little chance we will get to see each other any time in the near future.

    • by DarkOx (621550) on Wednesday September 09, 2009 @04:37PM (#29371303) Journal

      I really don't know why this concept is so hard for people. My mother told me once when I was very young something very simple. "If you don't want someone to read it don't write it down." was what she said.

      You know she was right. It's completely foolproof: nobody can find your not so well hidden diary, nobody can guess your cipher key that is weaker than you imagined, nobody can crack your later-found-to-be-flawed cipher, nobody can reproduce it in the clear accidentally or otherwise.

      If it's truly private it does not belong on the Network at all, Facebook or anyplace else, encrypted or not.

      • by initialE (758110)

        The real problem is, most people are unable to tell what information is something that they shouldn't want someone to read. It could be something I posted once, and regret doing later. It could be that circumstances change over time to make previously unclassified information highly sensitive. Most of all, it could be information that is harmless to me, but highly sensitive to someone that I know. So your mother may be right, but I don't see how she is relevant here on the internets.

      • I really don't know why this concept is so hard for people. My mother told me once when I was very young something very simple. "If you don't want someone to read it don't write it down." was what she said.

        You know she was right. It's completely foolproof: nobody can find your not so well hidden diary, nobody can guess your cipher key that is weaker than you imagined, nobody can crack your later-found-to-be-flawed cipher, nobody can reproduce it in the clear accidentally or otherwise.

        If it's truly private it does not belong on the Network at all, Facebook or anyplace else, encrypted or not.

        And don't forget about the best kept secret. It is the one that you keep totally to yourself. You think you have trust in another. Sure for a while, but changes in relationships do happen and then the cat is out of the bag. Much like having personal info entrusted to a bank/hospital/company. What happens when that institution goes out of business? Where is your data now? Laws governing handling of that data are great, but really worthless once the personal data is compromised.

        And yes, I too warn all folks ab

        • I more or less catalog things in my head by who is allowed to know them. There's public knowledge, friends only stuff, family only stuff (those two may or may not overlap in some situations), only-if-you-were-involved stuff, not-even-if-you-were-involved stuff, and stuff that I blank out of my mind and shove in the "someone else's secret that I shouldn't think about unless I'm talking to them and they reference it" drawer. That last one is kept shut, locked, and blanked from my mind most of the time -- I
        • by jridley (9305)

          I think it's funny how many of them use their pet's/child's names or birth year as passwords to their on-line bank account. ...and then take a "quiz" where they fill in their pet's name and birth year to see what their porn star name is, or something.

    • Re: (Score:1, Insightful)

      by lavardo (683333)

      And also, people need to remember that the government has / will have access to that information very easily!!

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      John says: @@hfuwiefu43hhf83h
      Dave says: Oh no! How did you get Herpes ?
      • John says: @@hfuwiefu43hhf83h
        Dave says: Oh no! How did you get Herpes ?
        John says: @@jhdajksdhasjkdhask
        Dave says: Oh ... I guess I'd better get down to the clinic then?
  • by natehoy (1608657) on Wednesday September 09, 2009 @04:06PM (#29370779) Journal

    If I don't want something on Facebook, I don't put it on Facebook. There! Problem solved!

    Why do I need a tool to encrypt data so only selected people on Facebook can see it? Isn't that what PGP email is for? So I can send out information to specific people and (in theory) only those people can see it?

    And, additionally, if I don't trust Facebook with a bit of information, what in the hell makes you think that I'd trust a completely unknown third party who is building specific plugins so they can collect things I don't want on Facebook on THEIR SERVERS?

    Sounds to me like someone is saying "post all your blackmail-worthy thoughts here. I'll keep 'em safe! Trust me!" in their best used car salesman voice.

    • Re: (Score:3, Interesting)

      by elrous0 (869638) *
      I was struck by the same thing. Asking for cryptographic tools on Facebook is kind of like asking "Does anyone make billboard covers?"
      • by natehoy (1608657) on Wednesday September 09, 2009 @04:47PM (#29371435) Journal

        Or "encrypting" a billboard using those 60's-looking inkblot things that can only be seen using special polarized/colored "decoder glasses".

        People know there's a message there, they know you're trying to hide it, so why bother all your "semi"-friends with tons of postings like:

        @@rA3wrAw#FraW3rar3awra3WFaW#fFRAw3WF3Aw#F#:aw#:Rfa

        Which, before decoding, can be read as

        @@NANNER NANNER NANNER YOU CAN'T READ THIS BECAUSE YOU'RE ONLY A DEMI-FRIEND NOT A REAL FRIEND. TRY TO DECODE THIS ASSHAT! OR FIND THE SERVER IT'S COMING FROM AND HACK THEM FOR SERIOUS BLACKMAIL FUN AND PROFIT! :)

      • "Does anyone make billboard covers?"

        YES! And, for a limited time only, for $19.95 plus S&H, we will ship you, not one, BUT TWO! billboard covers! Act now, pick up the phone and call 1-800-SUC-KERS! Credit card customers get this ADDED PREMIUM OFFER - - - yada yada yada.

        Actually, I think you can get anything you can imagine if you watch enough late-night television.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      I actually liked most of the summary but the last bit. I think it would be quite cool to post encrypted messages on facebook. Prepend them with some kind of header. Write a Firefox Extension that recognizes this header, runs that through pgp and presents you the clear text.

      Actually it would be even more cool if HTML had a tag to mark encrypted text. Either you have the correct key and see the text, or you don't and see some placeholder.

      No third parties involved at all. I think that would be really awesome.

      • by natehoy (1608657) on Wednesday September 09, 2009 @04:38PM (#29371317) Journal

        I have a hammer. It's a nice hammer. I use it to bash things. Nails, sheet metal, inanimate objects that make me angry, etc.
        I have a screwdriver, it's a nice screwdriver. I use it to loosen or tighten screws. It also makes a decent primitive prybar for light jobs.

        I have PGP email. It's nice PGP email. I use it to send secure encrypted communications to a list of recipients that I control.
        I have Facebook. It's a nice Facebook. I use it to say anything that I think my friends and the general public might want to know about my pathetic existence.
        I also have Pidgin. It's a nice Pidgin and has the Encryption module. I use it if I need to say something "off the record" quickly to a trusted pal.

        I would no more use my Facebook to send secure messages to my friends than I would use my hammer to loosen a screw, or my screwdriver to pound sheet metal into shape.

        My point: Right tool for the right job.

        Maybe I'm being pedantic or unimaginative, but I can't see a single reason why I'd want to post stuff to Facebook and have it only visible to certain people. Other people are just going to see I'm hiding something and either be honked off they are not included or try to hack it. And if I'm going to be (IMHO) stupid enough to post it, there's no way in hell it's ending up as cleartext on ANY server run by ANYONE I don't personally know so I can personally go down and personally yell at them if the data ever got out.

      • Re: (Score:3, Interesting)

        by Darkness404 (1287218)
        Yeah, I'm sure all your friends want to see "Bob Smith to Joe User DFKSDJFKSDJFKDSJFDSuupoi23423po4i32423op4JLKEJFEFIJEIJFEIOFJEJFEI" all through their newsfeed....
    • Re: (Score:3, Insightful)

      by warrior_s (881715)

      If I don't want something on Facebook, I don't put it on Facebook. There! Problem solved!

      No, you can not predict what information may put you in trouble in the future. Something that looks harmless at present may bite you in the ass in the future (e.g. during job search etc.). So, if you have encrypted your posts right from the beginning, then you don't have to worry about the future.

      • by natehoy (1608657) on Wednesday September 09, 2009 @05:22PM (#29371925) Journal

        OK, fair enough. But that means I'd have had to think ahead enough to know what might possibly be incriminating down the road. Because if I encrypt EVERYTHING, then I have to give EVERYONE I want to be able to read it a decryption key, which means those decryption keys are going to be about as secure as a "don't steal this" sticker on a bicycle.

        Facebook already has a "hide information" where you can select who sees what. If you don't trust Facebook, you're probably better off putting nothing at all there. Putting encrypted data there only means it's obvious you are hiding something.

        Plus, you're still posting the data unencrypted to a central server, just not one owned by Facebook. Do you trust THEM?

        Someone, other than you, is in control of that data. If you think it could be incriminating, perhaps you should think twice about posting it.

        • by natehoy (1608657) on Wednesday September 09, 2009 @05:23PM (#29371947) Journal

          "A false sense of security is far more dangerous than a real sense of vulnerability."

          • by jdgeorge (18767)

            "A false sense of security is far more dangerous than a real sense of vulnerability."

            True, perhaps, for the person in question, but maybe not so true for everyone else.

            People tend to be better behaved and more predictable when they feel secure, but when they feel threatened, they don't just go cower in a corner; they lash out. Some more dramatically than others.

            From a societal perspective, it may be better that people have that false sense of security.

          • "A false sense of intelligence is far more dangerous than a real sense of what actually fucking matters and know anything you put on facebook if you are smart does not matter so stop using far removed, inapplicable, ivory tower-IT department quotes to get your point across about how a social networking site is going to lead to your downfall"
    • I have friends who only communicate reliably by facebook. I tried communicating by email, but they don't check their email often enough for that to work. Monthly is a fair description.

      I personally view this as a way that after I have set it up on both ends (because they won't be able to), I can communicate to people I currently can't without giving my information to Facebook. I don't have a facebook account right now because I don't trust facebook.

      • by natehoy (1608657)

        You have friends who only communicate by Facebook, but you don't use Facebook because you can't trust it.

        With respect, the solution is not to take that same information and throw it on yet another server run by yet another unknown third party.

        "Give your information, or give it not, there is no 'trust'."

  • Or... (Score:2, Insightful)

    by TTURabble (1164837)
    Maybe you shouldn't post every detail of your life on a website.

    FTA:

    the tool assures its users that sensitive data stays private, Hengartner says. "If you have a particular illness, you might want to allow only your friends to see that

    What ever happened to calling people?

    • What ever happened to calling people?

      But but but, then how can these evil service providers justify rate hikes to coincide with their CEO's pay raises? You think that CEO makes money off your phone call? Sure he might make a few fractions of a penny, but anything that gets you texting more increases that fraction to a whole. Anything that increases texting volume justifies further rate hikes!

      It's almost as if the CEOs of these companies have discovered a business model based off a highly proliferated internet meme involving gnomes and under

    • Exactly, or texting, or IMing, etc. The point of Facebook is for you to share to -the world- your thoughts. If you want to share your thoughts with one or two other people, there are better ways.
      • by story645 (1278106)

        Even facebook has semi-private tools like chat and messages. Just use either of those instead of a wall post/status update.

    • by pimpimpim (811140)
      I originate from the northern part of Amsterdam, where it is common behaviour to shout these things over the mobile phone or loudly discuss it with your friends, especially while in public transport. Seriously, some time ago the whole bus was informed about whether or not one of the girls should have an abortion or not. Privacy, who gives a shit anymore.
      • by russotto (537200)

        Seriously, some time ago the whole bus was informed about whether or not one of the girls should have an abortion or not.

        Did you tell her "YES"? Because that's clearly the right answer under the circumstances.

    • Calling people is dangerous because a) the CIA b) wire tap and c) ECHELON. Geez people, don't you understand that no form of communication is safe because the method of communication has too many weaknesses (regardless of method) and you can't even trust the person you are trying to communicate to begin with? Even if you manage to get a clean connection through the phone systems to your friend (IMPOSSIBLE) he's probably going to sell you out to advertisers anyway.
    • by Jeian (409916)

      Maybe you shouldn't post every detail of your life on a website.

      Many of us are fortunate enough to have friends who *are* actually interested in the details of our lives. I don't run a blog of my day-to-day life because I'm fully aware that the Internet community as a whole doesn't care. I do, however, run a fairly active commentary on my day-to-day life through my Facebook status, where the people on my friend-list who do care comment.

      What ever happened to calling people?

      Because I don't want to call all

  • I wonder if, should said 3rd party go down, does that leave facebook with nothing but gibberish?
  • Crytographic Tools.. (Score:1, Interesting)

    by Anonymous Coward

    The best tool: Don't use Facebook?

  • by piltdownman84 (853358) <piltdownman84&mac,com> on Wednesday September 09, 2009 @04:11PM (#29370867)
    So I should feel safe using this tool because it allows 'sensitive data' to be stored on some third party website and not on the 'evil facebook servers'? I would rather facebook had it, as at least I know who they are and that I know it's insecure.

    I think I'll just stick with having my facebook profile as only a mask of myself, and not my entire life. Thanx
    • If it's implemented as a Facebook extension, I imagine the server can easily be run on a server of your choice, so instead of $EVIL_CORPORATION you can run it on your own server, or at the very least the hosting provider you are paying to take care of your data.

      And most of this is concept stuff anyway. Implementation for pictures would be really nice, though the program currently pulls random text off the internet to obfuscate the fact that it's not showing you the real text. That sort of scheme would be m

  • by Joe Snipe (224958) on Wednesday September 09, 2009 @04:12PM (#29370881) Homepage Journal

    can't I just not use facebook?

  • What's a crytographic??

  • Like this? (Score:1, Funny)

    by Anonymous Coward

    Name: £Ã[ÃÅ'ÃÂÅMýQÂÂÂâéâ(TM)Ãoe8h
    Sex: â"ÃZÃÅ"Ãoeâ"f
    Relationship: ÂVŽüâÃâÂYÂf
    Status: â"?Ã`ÃâéÂÂYÃŽÃN©Ã"ÃÂ2ÂÃ...$ÃÂqX£â¦ÃOE¾¦1f
    Interests: Ë'Ã]ÃÅ"Ã

  • by ironicsky (569792) on Wednesday September 09, 2009 @04:15PM (#29370939) Journal
    How long until Facebook simply removes any item with a @@ in it? Or builds in a regex to strip any non-alpha numeric characters from info boxes or posts? Or strips any erroneous or "spam" looking stuff from their site?

    I agree with everyone else. If you don't want Facebook knowing all your dirty little secrets don't post your dirty laundry online. Once it's online it will NEVER go away... Google Cache, The Wayback Machine [archive.org] and other caching services will leave a digital trail of your stink for ever. Long after that nasty rash goes away.
  • by Anonymous Coward

    If you don't want to be seen in public ... DON'T POST YOURSELF OR YOUR LIFE ON A WEBSITE DESIGNED TO SHOW YOURSELF OR YOUR LIFE TO THE PUBLIC!

    You don't need cryptography, you need to close your web browser.

    As Bruce Schneier says, you can't use cryptography to fix stupidity, sorry.

    Idiots.

    • I agree. This tool is completely redundant. The only people who would want to keep their data private on Facebook are the ones who didn't put their information on it in the first place.

      • Re: (Score:3, Insightful)

        Everyone on Slashdot who has a hardon to prove how big their not-having-a-facebook-penis is and finally needs to get one for some normal reason has to use this tool though! Then when some girl inquires about it they can be all like "I like keeping my information private so I'm encrypting my Facebook isn't it cool? Here's my public key and some documentation on how to use the decryption software, along with some light reading on the encryption methods you might find interesting by the way I'm sure you'll be
  • Social networking sites are all about the drama. Imagine the drama levels when some friends get access to some information and others don't. If the makers of this really want to combine technologies effectively they should somehow connect it to livejournal. Maybe some sort of updating feed about how many people on livejournal are complaining that you put something encrypted up on your facebook page that they can't see? More seriously, it isn't clear to me from this technology that it is completely reliable
    • "Social networking sites are all about the drama."

      Yes, imagine the pure torture someone would go through...

      Post Header: "That Skanky Ho, Wendy, is at it again!"

      Only Wendy finds out that SHE can't read the rest of the post...In fact, nobody but the poster can.

      Teen Girls(between the ages of 10 and 12) around the world now have a new weapon with which to inflict great emotional distress on their anti-peers. I expect the carnage to be widespread and most gruesome (left, left, right, left, left...)

  • While /.ers tend to have the knowledge not to post everything about themselves on Facebook. Sadly, /.ers do not make up the majority of Facebookers. In fact, the typical Facebooker plasters fifty different photos of them, some of which are incriminating (people getting expelled from school for pictures of them with booze, naughty pics, etc) for either the whole world or their friends to see.

    Some Facebookers accept any friend requests they get, no matter who it is or if they know them.

    Some Facebookers ta

  • Fake datas. (Score:4, Interesting)

    by antdude (79039) on Wednesday September 09, 2009 @04:21PM (#29371055) Homepage Journal

    Hmm, I used fake datas like names on FaceBook. Then, a few weeks later, my account got disabled. I e-mailed to ask what's up and the customer support told me that I was using a fake name/datas. They wanted proof like a driver license to get back on. Frak that. MySpace, Friendster, etc. had no problems!

    • by hey (83763)

      You have to be more subtle with your fake info.
      I used all fake info and they didn't complain.
      Instead of saying your name is "Fuck Facebook" try "Joe Smith", etc.

      • People usually realize names like "Joe" or "John Smith" are fake. Try for example Rob Steeves. It's subtle, no?
        • Re: (Score:2, Funny)

          by Anonymous Coward

          Rusty Shackleford.

        • Re: (Score:1, Troll)

          by hey (83763)

          Good point.
          Or non-Caucasian names like, say, "Barack Obama".

        • by mobby_6kl (668092)

          It's subtle, but it's not very funny. I usually try to use something like Mike Litoris, if "real" name is required.

        • Ubeen Hadd was my fave.

          And I still use socks@white.gov as an email.

          I haven't checked lately to see if mail to that address bounces now, or generates an Out of Office message...

      • by antdude (79039)

        I did! It wasn't John Doe, John Smith, etc. Lame. Whatever, don't need it and tired of moving to new social networks!

  • by Monkeedude1212 (1560403) on Wednesday September 09, 2009 @04:22PM (#29371061) Journal

    There are 3 Major flaws in this:

    Those concerned with what strangers see on Facebook don't put information they don't want strangers to see on Facebook.

    Those who use Facebook in such a manner aren't the type who have the time to install tools, run them, send the key to their friends, and then append @@ to everything they want hidden.

    Facebook already provides the means to keep your stuff secret to just your friends, and it's easier to close off your profile to the public than it is to Encrypt random Data.

    • Yeah... secret to just your friends or anyone who will pay for it. A lot of big companies these days weed out employees by getting a profile of them from facebook.
  • The sensitive data itself is even stored on an outside server so that even Facebook cannot access it.

    (emphasis mine)

    So... um... if the data's not stored on Facebook, why is Facebook a part of this equation? Why not just advertise a generic centralized cryptographic system they're running and apply it generally? Or do they really need the publicity that badly that they're just whoring on Facebook's privacy issues?

    Come to think of it, if Facebook isn't even involved, why even bother with a central server? I'd think it'd be far more effective to make an interface to some sort of distributed network of enc

  • The sensitive data itself is even stored on an outside server so that even Facebook cannot access it.

    So, Facebook doesn't have access to it but someone else does. Oh yes this is SOOOOO much better.

    • by edraven (45764)

      Obviously, all you have to do is put data in the outside server that's encrypted in some other way. Then Facebook just has a link to data that's really just a link to somewhere else. See? Problem solved.

  • Many people are saying... if you don't want it seen then don't post it. I don't mind my friends seeing my status (or whatever) but I don't want the Facebook Company or their partners (ie Microsoft) seeing my profile. Sounds like this plugin might solve that problem.

    • So don't fill it out. There's no Facebook law saying you have to give them that information - you fill in as little or as much as you want. This is for the diminishingly rare case where you want to post "sensitive" information you want your select friends (with whom you share your crypto key outside of facebook) but which you don't want facebook to know about and you don't want searchable in their database by other users (i.e. where you went to high school so your old buddies can find you).

      I can't really fi

  • I'm sure this is a nice thing for some selected folks (mostly geeks) who know:

    1, What security is.
    2, How to use it.

    For the rest (99.9+%) of the facebook / twitter crowd this will mean nothing, because they can't even understand the first concept, let alone the second..

  • I would be happy if someone would write something to filter the @ and # characters twitter users have some fascination with that have no relevance on non-twitter interfaces. While they are at it, may I go ahead and recommend something to filter Mafia Wars and Farmville while they are at it. Facebook already has a pretty low signal-to-noise ratio that's only getting worse without people encrypting what little text is still there. </rant> That being said, it sounds very interesting as a practical use of c
    • If you have problems with facebook apps like Mafia Wars and Farmville all you have to do is block the app and then it goes away. Not too hard...
  • isolatr.com [isolatr.com] absolutely never shares your personal information with anyone. I've used it for years, never had any annoying online friends, and never even had to enter any personal information on the site. One time I stumbled on it, saw that it was perfect, and was done.
    • They can filter out annoying people! Can I get one of those for real life?
      • Re: (Score:3, Funny)

        by Velex (120469)

        They can filter out annoying people! Can I get one of those for real life?

        NO.

    • by russotto (537200)

      isolatr.com absolutely never shares your personal information with anyone.

      Neither does /dev/null, and it doesn't have the network vulnerability.

  • Don't use facebook? And if you do, don't put sensitive information on it?

  • What is the matter with you people? You call yourself nerds? You have no imagination!

    Somebody has come up with cool tech which could let you do things with FaceBook (or any other site) that you couldn't before.

    Imagine posting secret documents in a public place and only letting some people see it. This person has made that easier with an @@ plug-in. I think it's cool.

    (I'll go read the article now.)
