Chatting on Facebook is great, but has one major drawback: Facebook records and keeps everything you say. If you think that’s not a problem (e.g. because you subscribe to the “I have nothing to hide, therefore I have nothing to fear” camp), you can stop reading here.
- If you believe privacy is a basic human right
- If you are discussing business confidential information
- If you are a journalist having a confidential discussion with a source
- Or if you’re just having an intimate conversation with a family member
… and you’re not comfortable with Facebook, Facebook’s partners and law enforcement agencies around the world being able to read your conversation at their leisure (even years after it happened!), please read on.
“How can I have a private, unrecorded conversation on Facebook?”
By not using the built-in chat feature from within the Facebook webpage. Instead, we’ll use software that encrypts your messages, so that even Facebook cannot read them.
To do this, you need to know your Facebook username. Note that this is different from your real name, or your Facebook “screen name” (i.e. the name your friends see). If you already have a Facebook username, you can see it by clicking on this link (you need to be logged in to Facebook). If you haven’t set one up, you will see this message:
Don’t worry – you can get a username right away!
Click on the “Edit” link on the right. It will ask you which username you would like to use, and confirm your Facebook password:
After clicking “Save Changes” you should be all ready to go with your shiny new Facebook username:
Please note it down – you will need your Facebook username (just once!) in a bit.
To make sure your new Facebook username is activated, do the following:
- Log out of Facebook (closing the window does not automatically log you out!)
- On the Facebook login page, type your new username instead of the email you have been using for the “Email or phone” field
- Type your usual password for the “Password” field.
- Click “Log In”
I don’t understand why Facebook forces people to do this, but this logout & re-login seems to be required to get your new username activated.
You are now ready to set up a private chat system.
Before you continue, please understand:
- To have a private chat, both you and the person you wish to chat privately with need to follow these steps.
- If you use multiple computers to chat (e.g. a work computer and a home laptop), you have to repeat these steps on every computer before you use it to chat. You will only have to “prepare” each computer once.
First, download and install the Pidgin instant messaging software
Get the software from http://pidgin.im and install it on your computer.
Done installing Pidgin? Great. Continue to the next step.
Download and install the OTR plugin
The Off The Record (OTR) plugin allows Pidgin users to encrypt their communications. Get it from http://www.cypherpunks.ca/otr/ and install it on your computer.
Configure Pidgin for Facebook
The first time you start Pidgin you will see this:
Click on “Add…” – a new window comes up.
Adjust the settings as shown, using your Facebook username (Don’t know your username? See above) and password:
Click on the “Advanced” tab and fill in the “Connect Server” field as shown:
Almost there! Now click on “Add” to complete setting up your account.
You may receive a prompt to accept a certificate from chat.facebook.com – this is normal, since it’s the first time Pidgin connects to Facebook from your computer. Accept it:
You should now be connected to Facebook chat! A list of your online friends will come up right away:
If you see something like the above, congratulations – you are successfully connected to Facebook chat. If you get any error messages, modify your account settings and make sure you have typed everything as shown above. Remember, your Facebook username is not your real name!
Activate and configure the OTR plugin
From the Pidgin “Buddy List” window go to Tools -> Plugins as shown here:
Scroll down the list until you find “Off-the-Record Messaging”. Tick the box next to it – this will enable the plugin:
Now click on the “Configure Plugin” button:
In the new window that comes up, configure the default OTR settings as follows:
Congratulations! You can now chat privately with friends who also use the OTR plugin.
You have just made it very difficult for Facebook or anyone else to eavesdrop or record what you say. Just point your Facebook friends to this page and get them using the OTR plugin!
Start a private conversation with Pidgin and OTR
You can communicate privately only if the Facebook friend you’re communicating with has followed the above steps, or is using other chat software that supports OTR.
Double-click on their name to bring up the Conversation window. Notice the “Not private” button on the bottom right?
This means you have not activated the privacy features yet. But you’re about to!
Click on “Not private” and ask Pidgin to “Start private conversation”:
Pidgin will now attempt to create a secure channel and should display the following:
This is the result we want. “Unverified” is not a problem (but see the “Improvements” section below). Pidgin tells us that it has established a secure channel to the other end, and you can already use it to chat if you wish.
With an “Unverified” OTR status you cannot yet be 100% certain that the person you are talking to is indeed your friend and not an impostor pretending to be your friend.
To rule out this possibility you should always verify the people you chat with. You only need to do this once for every friend you wish to chat with.
Verify the identity of your chat friends
On the main “buddy list” Pidgin window, go to Tools -> Plugins, then select “Off-The-Record Messaging” and click “Configure Plugin”. (Yes, you were here earlier)
In the “Off-the-Record Messaging” window click on the second tab “Known fingerprints”.
Then select your unverified friend and click the “Verify fingerprint” button.
You will now be presented with both your own and your friend’s fingerprints. After you have verified that you both see the same fingerprints on your screens, you can change this to “I have…”
This is annoying, as it requires you to use another communication channel with your friend (perhaps telephone or email, depending on who your enemies might be) to confirm each other’s fingerprint, but as of April 2012 this is the only option Facebook users have.
That was the hard part done.
After you click “OK”, you don’t have to worry about this again. Next time you wish to talk to this friend, you will just need to click on the OTR button on the bottom right and the conversation will immediately switch to “Private”.
Optionally, you can confirm that your messages are encrypted by keeping the Facebook chat window open in your browser. You should only see messages like these:
Now the only things Facebook knows are
- Who you chat with
- When you chat with them
…which is a significant improvement from before.
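To make the last two points concrete, here is a small added example (not part of the original post) that audits a constructed chat-server log the way a defender would: it separates OTR-protected traffic from anything still readable in plaintext, and lists the metadata (who, with whom, when) that OTR never hides. The message prefixes come from the OTR protocol itself (data messages start with `?OTR:`, session requests with `?OTRv2?` or `?OTR?`, error notices with `?OTR Error:`); the log entries, names and timestamps are made up.

```python
import re
from datetime import datetime

# Constructed sample of what a chat server (or anyone storing the stream) sees
# once OTR is active: timestamp, sender, recipient, message body.
# The OTR payloads are shortened placeholders, not real ciphertext.
SAMPLE_LOG = [
    ("2012-04-10 21:03:11", "alice", "bob", "?OTRv2?"),
    ("2012-04-10 21:03:12", "bob", "alice", "?OTR:AAICAAAAxB0m...."),
    ("2012-04-10 21:03:15", "alice", "bob", "?OTR:AAIDAQAAAAEA...."),
    ("2012-04-10 21:05:40", "alice", "bob", "see you at 8 at the usual place"),
    ("2012-04-10 21:06:02", "bob", "alice", "?OTR Error: Malformed message"),
]


def classify(body):
    """Say what an observer of the chat stream learns from one message body."""
    if body.startswith("?OTR:"):
        return "encrypted"   # OTR data message: base64 ciphertext, content hidden
    if re.match(r"^\?OTR(v\d+)?\?", body):
        return "handshake"   # session request / key exchange: visible, no chat text
    if body.startswith("?OTR Error:"):
        return "error"       # protocol error notice, carries no chat content
    return "plaintext"       # readable by the server and anyone who keeps the log


def audit(log):
    """Return per-category counts, the always-visible metadata, and plaintext leaks."""
    counts = {"encrypted": 0, "handshake": 0, "error": 0, "plaintext": 0}
    metadata = []
    leaks = []
    for ts, sender, recipient, body in log:
        kind = classify(body)
        counts[kind] += 1
        # Who talks to whom, and when, stays visible regardless of OTR.
        metadata.append((sender, recipient,
                         datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")))
        if kind == "plaintext":
            # A message sent while OTR was not active (e.g. before clicking
            # "Start private conversation") is fully readable by the server.
            leaks.append((ts, sender, recipient))
    return counts, metadata, leaks
```

Run `audit(SAMPLE_LOG)` on a real exported log and any entry reported under `leaks` is a message the server could read in full; the `metadata` list is the conversation graph Facebook retains even when every body is encrypted.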