We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Privacy Plug-In Fakes out Facebook

FaceCloak lets users hide sensitive updates from prying eyes, including Facebook’s.

Social networks are rife with examples of users failing to understand the privacy implications of posting sensitive information online.

In February, for example, school officials in Wisconsin suspended a teacher who posted on Facebook a picture of herself pointing a gun at the camera. In April, the Swiss insurance company Nationale Suisse fired an employee after she called in sick and then posted updates on the same site. Others have raised concerns about users handing so much personal information to social-networking companies themselves.

Now, researchers at the University of Waterloo in Ontario have developed a browser plug-in to help users keep their information private from prying eyes and from social-network providers as well. Urs Hengartner, an assistant professor of computer science, and his colleagues say the plug-in replaces sensitive information in a user’s profile and news feed with meaningless text that can only be unscrambled by trusted friends or contacts. Dubbed FaceCloak, the tool assures its users that sensitive data stays private, Hengartner says. “If you have a particular illness, you might want to allow only your friends to see that,” he says. “This leaves it up to the user to decide what information to keep away from Facebook.”

The tool is the latest shot in a battle between social networks and privacy-conscious users. Most users of Facebook, MySpace, and other social networks remain unaware of the privacy implications of posting personal information to such sites, says Alessandro Acquisti, an associate professor of information systems and public policy at Carnegie Mellon University.

In 2005, Acquisti and fellow CMU researcher Ralph Gross showed that nearly 80 percent of Facebook users revealed their birthday publicly and the majority provided public access to their real-world addresses–information that could be used to commit identity theft. “You feel like you are talking to a friend casually in a conversation, but in reality you are publicizing information in a forum where it will stay for a long time,” Acquisti says. “Privacy is not the first thing you think of when you use a social network.”

Nowadays more people appear to be privacy conscious. In a more recent study, Acquisti’s group found that 30 to 40 percent of users change the default privacy settings to take greater control of their information. But social networks themselves have not been good protectors of privacy, Acquisti says, because monetizing personal information is a potential gold mine. This is demonstrated by Facebook’s Beacon advertising service, which allows affiliates to tailor advertising according to users’ activities on Facebook and beyond.

Private updates: A user (John Doe, in this case) can specify that his name and birth date should be hidden by tagging the data with ”@@.” FaceCloak then populates drop-down menus with private versions of the information.

FaceCloak, implemented as a plug-in for Mozilla’s Firefox browser, allows a user to designate–using two “at” signs (“@@”), by default–what information should be encrypted and only made available to friends. A FaceCloak user holds a secret access key but also sends two other keys to her friends. Those keys are then used to access the real information, which is held on a separate server. While the same concept could be used on other social networks–such as Twitter and MySpace–Hengartner and his colleagues focused on the largest provider.

Similar tools are being developed by other academic teams to address the privacy issues plaguing social networks. A group of researchers from Cornell University created another Firefox plug-in, called None of Your Business (NOYB), that encrypts profile information so that it can only be read by a small group of friends. And two researchers from the University of Illinois at Urbana-Champaign have developed a Facebook application called flyByNight that encrypts users’ data.

Unlike those projects, however, FaceCloak works with any number of contacts and does not rely on the cooperation of the social-network provider. The University of Waterloo researchers attempt to hide which users are encrypting their data with FaceCloak by replacing the hidden data with arbitrary text taken from sources on the Internet. “Users who submit encrypted information stand out, both to Facebook and to other users who can see the profiles, and therefore might raise suspicion,” Hengartner says. “By using fake information, we can avoid this problem.”

There are still some major issues, however. Images are not yet supported by FaceCloak and the third-party hosting server used could potentially be compromised. Moreover, a FaceCloak user still has to be careful, Hengartner says. “The same problem arises in real life,” he says. “When you tell a friend some personal information about you, you need to trust your friend to deal with this information responsibly. If she misbehaves, you can’t erase the information from her brain.”

Keep up with the latest in Privacy at EmTech Digital.
Don't be left behind.

March 25-26, 2019
San Francisco, CA

Register now
Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.