Facebook encrypts data links to hinder government intrusion
Facebook is working to have end-to-end encryption across the company and its network, including encrypting the links between its datacentres, in a move to keep government coming in the front door, rather than the back door, the company has said.
The social network's head of security infrastructure, Gregg Stefancik, has been brought to Australia this week as part of the Commonwealth Government's Stay Smart Online initiative designed to raise user awareness about online privacy and security issues.
But Stefancik told journalists this morning that the information leaked by former NSA contractor Edward Snowden, indicating that the US security agency had back door access to data stored by companies including Facebook, Google, Microsoft, and Apple, confirmed the company's security team was already "wearing our tin foil hats correctly" when it came to concerns about government intrusion.
He said the company worked to begin encrypting the links between datacentres a number of years ago.
"Snowden validated a lot of the things we knew we needed to protect against," he said.
"Encrypting data and exchanges over our private leased lines is something that is on our roadmap and something we were working on pre-Snowden," he said.
"It's also complicated. It's actually more complicated than dealing with consumer devices and the web front-ends, as we call them. This threat is very different because it comes from our network-level provider. The complexity of our infrastructure means that sadly we're not completely there yet. We've prioritised encrypting the traffic that is most sensitive at Facebook, and we're working aggressively to get to the point where we can tell you we'll have it all encrypted between datacentres."
But encryption of those links may not be enough if the Attorney-General's Department gets its way. As part of a parliamentary review into telecommunications interception, the department proposed that service providers should be required to assist with decrypting encrypted communications intercepted under a warrant.
Stefancik said that Facebook has Perfect Forward Secrecy, which makes it impossible to decrypt old traffic using stolen keys, he said.
"If someone comes into possession of our private keys after a conversation has occurred, they can't pull apart conversations in the past," he said.
"It's harder to deploy, it's more sensitive to infrastructure variations because it's newer, but it is out there; it's on Facebook."
He said Facebook would fight attempts by the government to obtain encryption keys.
"Handing over encryption keys is something that we would fight," he said.
Law enforcement agencies generally seek subscriber details from Facebook, but occasionally seek content, too. Stefancik said Facebook determines whether the request is valid, then pulls content in according to law only, and delivers the bare minimum, and only historical content, usually in the form of a screenshot.
Getting encryption across Facebook was important, but not an easy task, Stefancik said.
"We like encryption because it is mathematically strong, we understand its properties, it's easier to control, but that said, it is really hard to deploy. It's not like we wake up one morning and flip a switch. It has performance implications, there's still compatibility issues between devices," he said.
But the benefits were good, and Facebook as a site was encrypted 100 percent on by default for all interactions with users as of last year, he said.
Facebook has four teams responsible for security: technical security, security infrastructure, site integrity, and safety, but Stefancik said that everyone in Facebook was taught to keep security front and centre in mind.
The company routinely conducts fake security incidents with penetration testers, and attempts at social engineering, with the learning shared amongst all staff, Stefancik said.
The company has also paid out over $2 million as part of its Whitehat program since 2011, and $1.5 million to 300 researchers in 2013. There were 687 valid reports from this program in 2013, and $20,000 went to Australian researchers. Stefancik said the industry had come a long way in rewarding those who find and report flaws to tech companies.
"You don’t want to be locked into an 'us vs them' mindset. If you go back 10 years ago, we [the industry] were throwing these people in gaol, or threatening them with lawsuits," he said.
"Over the past several years it has gone from 'we'll give you a t-shirt' to 'hey, we'll pay you money'," he said.
Additionally, Stefancik said that in the wake of the OpenSSL Heartbleed flaw that affected Facebook, along with thousands of other sites, the company had put its money where its mouth was and donated a "large sum of money" to the Core Infrastructure Initiative that is working to ensure the security and stability of open source projects such as OpenSSL, OpenSSH, and OpenBSD.
"We're funding people in the community to make these building blocks, which everyone is building on, more solid," he said.