Facebook is rolling out a new feature starting today: its users now have an option in their account settings that will encrypt all their Facebook activity as it travels over the Internet. Flipping the switch won’t change much about how you use Facebook, but you’ll see that Facebook web addresses always start with “https:”, and no-one between Facebook’s servers and your own computer will be able to read what you say and do on the service.
This is a significant step for protecting journalists who use the social networking site for communication or publishing. We’ve had reports of attacks on journalists, notably in Iran, that depended on intercepting communications with Facebook. Turning on https will make such surveillance – by rogue governments, ISPs or common criminals – far harder. Additionally, censorship that attempts to block individual Facebook pages (rather than Facebook as a whole) will be difficult to implement: with https, someone watching the connection can still tell that you are talking to Facebook, but not which page you asked for or what you posted.
The system behind https encryption isn’t perfect. The recent password-stealing attack on Facebook and Gmail in Tunisia was designed to beat encrypted communications. Many states, including those with poor track records in protecting Internet users’ security, could use their access to “certificate authorities” – the organisations browsers trust to vouch for a website’s identity – to obtain a certificate for Facebook and intercept encrypted communications without the attack being obvious to the user. But such attacks require far more technical sophistication than current strategies, and browser manufacturers are already working on defenses.
You do still have to turn the feature on to get the benefit. (It’s listed as “Secure browsing” under “Account security”.) An important next step for Facebook would be to do as Google did with Gmail, and enable encryption for everybody, by default. That’s a big step, however, and one that could take some time.
Hopefully, Facebook will continue down this more secure path, and other companies like Yahoo!, whose unencrypted email and messaging services are still woefully vulnerable to spying, will follow its lead.