Why Egypt Needs Facebook’s Privacy Protection

Facebook’s moves to protect privacy with SSL authentication could be vital to political activists around the world, says Peter Judge

Facebook’s introduction of SSL encryption is a long overdue upgrade to underlying security on the site. It is crucial to the social networking site’s emergence as a tool for political discussion – and it seems to have been introduced in response to events in Tunisia.

In democracies, Facebook users indulge in “clicktivism”, clicking Like on groups and fan pages, for issues such as fuel tax and the price of cider, instead of more active social involvement.

Meanwhile, however, the site has become a major tool in events such as the current protests in Egypt, and the earlier revolution in Tunisia. The changes to its privacy provision are therefore a long-overdue upgrade to support this fact.

When the chips are down, we need privacy

A year ago, Mark Zuckerberg more or less dismissed users’ expectations of privacy. Since then, the site has rocketed to 500 million users and become a channel for online social engagement.

But it is not a very good tool if it is not secure. Mark Zuckerberg had his page hacked in January, and Facebook has spent a large part of the year tweaking its privacy settings, trying to find a balance which satisfies users’ privacy expectations, and also gives the giant some leeway to exploit its customers’ personal info.

“Over-sharing” personal details with people you don’t realise can see them is still endemic, even though it was exposed last year by a security consultant scraping Facebook. A European project called ABC4Trust may help with this general issue, though it will probably not touch Facebook.

SSL is a basic requirement

Facebook’s security upgrade, however, is a much more basic requirement, and it appears to have come about partly in response to events in Tunisia, where during the early stages of protest, the government actually attempted a wholesale identity theft on all Facebook users in the country.

“The country’s Internet service providers were running a malicious piece of code that was recording users’ login information when they went to sites like Facebook,” reports Alexis Madrigal in The Atlantic. Government-installed keystroke loggers recorded password details.

This sort of “man-in-the-middle” attack is easy to do when a site does not use HTTPS – the secure version of the HTTP protocol, which uses SSL (secure sockets layer) to authenticate users. Google has been offering SSL for search for some time, and Gmail uses HTTPS by default.

The Tunisian government’s attack was ironic, says Madrigal: “the very tool that people are using for their activism becomes the very means by which their identities could be compromised”.

Facebook’s security people routed all Tunisian traffic to servers which would apply SSL, and forced people to re-register when they signed out. This level of security has now been enabled for other Facebook users, according to an announcement last Wednesday.
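
As an added illustration, not part of the original article or any Facebook code, the following Python sketch audits a login page for the conditions that make this kind of in-transit tampering possible. The URL `social.example`, the sample markup and headers, and the function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: the form posts to HTTPS, but the page itself may not be.
SAMPLE_HTML = ('<form action="https://social.example/login.php">'
               '<input type="password" name="pass"></form>'
               '<script src="/static/app.js"></script>')

class LoginPageScan(HTMLParser):
    """Collect form targets, password fields and script sources from a page."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.script_srcs = [], []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

def is_https(page_url, ref):
    """Resolve ref against the page URL and test the resulting scheme."""
    return urlsplit(urljoin(page_url, ref)).scheme == "https"

def audit_login_page(page_url, headers, html):
    """Return sorted findings that leave a login open to on-path tampering."""
    scan = LoginPageScan()
    scan.feed(html)
    if not scan.has_password_field:
        return []  # not a login page, nothing to audit
    findings = set()
    if not is_https(page_url, ""):
        findings.add("page-served-over-http")   # markup can be altered in transit
    if not all(is_https(page_url, a) for a in scan.form_actions):
        findings.add("form-posts-over-http")    # credentials sent in clear text
    if not all(is_https(page_url, s) for s in scan.script_srcs):
        findings.add("script-loaded-over-http") # script can be swapped in transit
    if "strict-transport-security" not in {k.lower() for k in headers}:
        findings.add("no-hsts")                 # browser may fall back to HTTP
    return sorted(findings)

if __name__ == "__main__":
    print(audit_login_page("http://social.example/login", {}, SAMPLE_HTML))
    print(audit_login_page("https://social.example/login",
          {"Strict-Transport-Security": "max-age=31536000"}, SAMPLE_HTML))
```

The weak case is flagged even though its form posts to an HTTPS address: a page delivered over HTTP can be altered in transit before the password is ever submitted.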

Of course, when a country manages to hit a kill-switch and cut off the Internet, as Egypt has done, SSL-based online privacy can become academic.

However, Internet messages are still trickling out of Egypt, using connections to out-of-country services. Given the ongoing uncertainty about the government’s reaction, when these people use Facebook, they need to know their identities are safe.