How Facebook's Tor hidden service improves safety for journalists

By Tom Lowenthal/CPJ Staff Technologist on November 5, 2014 5:46 PM ET

Facebook announced on October 31 that it has made it easier and safer for users to gain access to its social network by using a dedicated Tor hidden service at https://facebookcorewwwi.onion. A dedicated hidden service access point is a powerful move to protect journalists and anyone else who uses Tor to protect privacy or circumvent censorship.

Tor is a free and open-source software tool for making network connections anonymous. When it is in use local Internet service providers [ISPs] can't see what a user is doing online. Sites or services that are visited can't identify the user or where they are connecting from. In fact, an online service couldn't even tell that a particular Tor connection is the same person who used it yesterday, unless the user deliberately identifies themselves. Since an ISP doesn't know what a user is doing online, it can't censor specific services or publications for a Tor user.

This makes Tor incredibly useful for journalists and sources for whom anonymity is vital for their safety. Tor is one of the most popular and effective censorship-circumvention tools in the world. It can be instrumental in enabling access to news and commentary for readers, or access to sources for journalists.

Facebook has become an everyday feature for the media. Reporters log in to cultivate sources and share work. Readers sign in to discover stories, read articles, and comment on the news. In regions such as China and North Korea access to Facebook is uniformly blocked, according to CPJ research. ISPs in Egypt, Iran, and Syria have all temporarily blocked access to Facebook during periods of unrest. This makes it harder to hear voices from those regions, denies access to a useful journalistic tool in times of crisis, and prevents candid exchange of news and commentary.

Using Facebook via Tor--Tor hidden services are accessible only with a Tor-enabled browser-- provides a substantial usability and security boon for journalists, their sources, and readers. Tor is a critical component of technical security practices used by many reporters. And, for a potential reader for whom Facebook is blocked Tor may be one of the only ways to access the site.

From Facebook's perspective, it is now easier to ensure Tor users can gain access. Connections to a hidden service can be managed individually making it less likely that actions by one user could confuse Facebook's security filters and accidentally trigger a suspicious-activity alert for a different user. Previously, there was the risk that Facebook would lump Tor users together because they appear to be coming from the same place, and bundled activity is more likely to trip the site's suspicious-activity alerts. By having a hidden service, journalists and others using Tor will spend less time dealing with security alerts, passing authentication tests, or being locked out of their accounts.

Facebook is a high-traffic site, and it's reasonable to expect that its hidden service will have a lot of use. The Committee to Protect Journalists hopes that Facebook's moves will encourage the Tor project's upcoming work on improving hidden services. Hidden services are a fantastic tool for journalists and media organizations. Facebook's adoption of a hidden service provides a valuable vote of confidence in their robustness, as well as a test bed to plan improvements.

Accessing Facebook via the Tor hidden service also removes the possibility of network-based interception or attack. Not only is browsing protected with HTTPs -- a security measure all sites should adopt-- the entire connection is encapsulated within Tor's encrypted tunnel. Even the HTTPs connection is never available to an ISP or exit node (the final link between Tor and the regular Internet.) Only Facebook and the user are privy to those communications, or even the knowledge that a user is connecting to Facebook, which will make it safer for journalists and sources connecting over the social network.

A normal browser reveals a journalist's IP address to Facebook when they visit the site, and this can pin down their location to within a fraction of a mile. Browsing Facebook via Tor provides no such information to Facebook. However, Tor does not prevent Facebook from knowing a journalist's name or seeing their activity on the site.

The change was announced at the Facebook London office by the company's software engineer for security infrastructure, Alec Muffett, who credited longtime Tor Protect volunteers Runa Sandvik and Steven Murdoch for their advice and assistance. The Tor Project also published a blog post about the change.

Enabling access for Tor users via a dedicated hidden service demonstrates a commitment to making a service safe and easy to use for journalists and others with significant privacy needs. It is a critical step in preventing censorship of that service. CPJ hopes that other online services and news sites will follow suit.


2 comments

Come on gang, I know you all think that the right to privacy is Sacrosanct. Tell it to the kids being abused in pornography. That is itself is illegal in the US. I have been at the ROAD site and it had links to murder for hire and child pornography. Ergo, what the FBI did was totally legal with or without a warrant. Murder is also illegal in the US. TOR has no redeeming social value. The links on TOR to child pornography, the sale of weapons illegal in the US and the sale of heroin, also illegal in the US, out weigh any legitimate links by 95%. II have tried to find one legitimate political site and could not. They are childish. There are support groups and forums for pedophiles and rapist of children saying what they like to do to kids.

If TOR had any socially redeeming philosophy they would not let child pornographers link up there on the onion. Let them figure out how to do it on their own. One must take the good with the bad. On TOR the bad outweighs the good 95 to 5 at best.

If you want to "blow the whistle" use hard copy mail. Why did the unabomber and bin laden stay free for sooooo long. They eschewed the internet.

GOOD FOR THE FBI .

DO NOT DELUDE YOURSELF THAT PERVS ARE NOT IDENTIFIABLE ON TOR.

TOR has been hacked by the FBI, Anonymous, NSA and law enforcement around the world.

USE Bitcoins at your own Peril!!!

If you really want stuff secure use flash dives, change computers and networks on which you work. Snail mail stuff.

TOR IS NOT SECURE and there are now viruses traveling the TOR network for financial ill gotten gain.

Legitimate data is secure, all you need to do is get encryption on your hard drives, documents, and emails. Meaning encryption keys, public and private. Why would you trust a VPN or TOR. After all they are run by people. People are the weakest link in any security system.

People have the ability to get your MAC addresses on TOR now.

Legitimate people do not need TOR. Pornographers of children and criminals do.

So Facebook will just put tracking cookies on every TOR client that connects to Facebook and that will help the NSA and GCHQ track peoples movements all over TOR.

Wow, how can people be so gullible?

Social Media

View All ›