I would love if someone made a Chrome extension that encrypted all the posts and messages you put on Facebook. That is, any post you made would be made as a ciphertext, the extension would swap keys with all your friends in the background, and would decrypt their posts when displaying them to you.
Sure Marky Mark still sees when you post, who you send messages to, etc. but it's a much better situation than what's going on now. Plus it would probably put a dent in their bottom line, and so send them the message that privacy matters to people.
You're so close to what I am currently building that I feel like I have to chime in. I left Apple's security team a few months ago to go solo and build an app that is similar to Facebook/Instagram and Snapchat in terms of functionality and UX but uses the Olm protocol (similar to Signal) to protect all content. So, fear not - something is being done, and I'm sure I'm not the only one working in this problem space. I think it's ripe for innovation, counter to popular belief; the trick is to do it in a way that doesn't require a PhD in computers to operate the damn thing, as was the issue with previous attempts.
I'm skeptical as to how worthwhile your effort is as long as the outcome is just another alternative to FB. We've seen countless examples of how these alt-social nets failed. But I do see a lot of value in the tech you might be developing, and if in some way we could embed it into existing social nets, that would be amazing. Fingers crossed!
How easy would it be for Zuck to just update the TOS to say "encrypted content is against our TOS" and ban you?
Zuck can't add any encrypted content to your personal profile, which means he doesn't make any money off you. And Zuck can do pretty much whatever he wants in his castle, I'd say.
Content is mostly irrelevant, metadata is way more interesting. In other words they do not care what you say, but who you say it to, when you say it, from where, at what time, and so on.
I run design collective (group of designers and design students) we have been looking for social media projects to help. Is your project aimed to be opensource or it is comercial bussiness?
We could might be able to help. Even just with small things like design analisys and testing.
You just killed your project. Nobody is going to use a security centric product littered with ads. Ads are exactly what people should be worried about, tracking their tabs and browsing activities.
> the trick is to do it in a way that doesn't require a PhD in computers to operate the damn thing, as was the issue with previous attempts
This sounds similar to the story of PGP. Many attempts have been made to get people to use it, but it just didn't catch on (on a big scale). So I'm curious: how will it be different this time?
I see the problem with this is gaining traction. With no users on board you'll have no users on board.
Unless ofc you're just building this for yourself and your friends, which is something I thought about doing myself but then realized that even my friends cba to install yet another chat app.
> I see the problem with this is gaining traction. With no users on board you'll have no users on board
That's the same reason Facebook would never beat MySpace and MySpace would lose out to Friendster.
Metcalf's Law and initial traction are real challenges to achieving critical mass of users, but it has been done. I'm biased to hope for @ghughes success and that enough people care about privacy to give it or similar services a shot.
How are you going to recreate the main selling point of facebook, i.e. the Newsfeed ? If things are encrypted, how are you going to determine relevance, etc.
> How are you going to recreate the main selling point of facebook, i.e. the Newsfeed ?
When you post, the content is sent as an encrypted message that can only be decrypted by people who should be able to see it (either all of your friends or just a subset of them). The client automatically takes care of key management and is responsible for keeping track of sent & received posts, comments, etc; it renders a news-feed-like UI on top of that data. The end result is a familiar UX on the surface, but the underlying mechanism for transmitting data between users is far more secure than the traditional approach of using a monolithic database that contains everyone's data in plaintext.
> If things are encrypted, how are you going to determine relevance, etc.
The client is solely responsible for that. For now the "news feed" is strictly chronological, but I plan to augment it later by prioritizing posts that might be particularly interesting to the user. There are plenty of ways to make those decisions locally.
hey, im going to implement something similar as well, and your idea gave me an idea - id 'like some help getting started - grappling with crypto since im new.
can we get in touch somehow ? too bad hn doesn't allow private messages.
Exactly. I also think that encrypting data is a smokescreen to gain brownie points. Yes, it is more secure than not encrypting messages but the effect of message encryption on your privacy is very low.
If you have out-of-band connections with all your friends and you have friends who are willing to jump through weird, nerdy, technical hoops, what do you need Facebook for?
There would be no out-of-band connections. The extension uses Diffie Hellman or something to swap keys with your friends over Facebook (or maybe through a server run by the extension provider.)
This is missing the point as metadata is way more sensible than actual message content. Besides, being contrary to ToS you'd get your facebook account blocked or banned.
Look at how fast AdNauseam got the boot from google to get an idea.
Don't know how many will read this now, I'd just like to point out that since you can only message addresses/accounts you're "friends with" on Fb AFAIK, you can effectively broadcast to all your friends without Fb knowing the plain-text recipients.
It is simply necessary to have the plain-text in a publically known format, e.g. prepended with date or name or whatever. Then you post the cypher-text to your "timeline" (or whatever it's called) and try decrypting all your friends' posts to find which one is meant for you.
To get around Fb-imposed usage restrictions use a steganography or obfuscation tool. https://seecret.io is already linked to somewhere on this thread.
I agree strongly with you that the direction to be taken is independent messaging clients for existing messaging channels as long as those channels allow third party API use.
What channel would you use to share the keys on FB? The Facebook API simply will not let you do that anymore. Direct messages have a character limit and you can't just post to someone's wall anymore.
I tried working on something like this for seecret.io but was confounded by the Facebook API's limitations.
Twitter is much better for that. Probably other network too.
You use Diffie–Hellman. "Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel." (https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange)
I had thought something similar, but with Google drive instead of Facebook. To create a rogue client that encrypts my files, uploads them to Drive encrypted, but presents them nicely unencrypted in my local machine. That way I get the free (as in beer) cloud storage, but google doesn't spy on my files.
How would you finance and support this endeavor? Also, why wouldn't Facebook ban all such users? Facebook is a private platform and they make the rules on how you get to play with it.
Sure Marky Mark still sees when you post, who you send messages to, etc. but it's a much better situation than what's going on now. Plus it would probably put a dent in their bottom line, and so send them the message that privacy matters to people.