Stop Facebook recording your chats

Chatting on Facebook is great, but has one major drawback: Facebook records and keeps everything you say. If you think that’s not a problem (e.g. because you subscribe to the “I have nothing to hide, therefore I have nothing to fear” camp), you can stop reading here.

But…

  • If you believe privacy is a basic human right
  • If you are discussing business confidential information
  • If you are a journalist having a confidential discussion with a source
  • Or if you’re just having an intimate conversation with a family member

… and you’re not comfortable with Facebook, Facebook’s partners and law enforcement agencies around the world being able to read your conversation at their leisure (even years after it happened!), please read on.

“How can I have a private, unrecorded conversation on Facebook?”

By not using the built-in chat feature from within the Facebook webpage. Instead, we’ll use software that encrypts your messages, so that even Facebook cannot read them.

To do this, you need to know your Facebook username. Note that this is different from your real name, or your Facebook “screen name” (i.e. the name your friends see). If you already have a Facebook username, you can see it by clicking on this link (you need to be logged in to Facebook). If you haven’t set one up, you will see this message:

Facebook General Account Settings: You have not set a username.

Don’t worry – you can get a username right away!

Click on the “Edit” link on the right. It will ask you which username you would like to use, and confirm your Facebook password:

Facebook: Setting up a user name

After clicking “Save Changes” you should be all ready to go with your shiny new Facebook username:

Your Facebook username

Please note it down – you will need to use your Facebook username (just once!) in a bit.

To make sure your new Facebook username is activated, do the following:

  • Log out of Facebook (closing the window does not automatically log you out!)
  • On the Facebook login page, type your new username instead of the email you have been using for the “Email or phone” field
  • Type your usual password for the “Password” field.
  • Click “Log In”

I don’t understand why Facebook forces people to do this, but this logout & re-login seems to be required to get your new username activated.

You are now ready to setup a private chat system.

Before you continue, please understand:

  1. To have a private chat, both you and the person you wish to chat with privately need to follow these steps.
  2. If you use multiple computers to chat (e.g. a work computer and a home laptop), you have to repeat these steps on every computer before you use it to chat. You will only have to “prepare” every computer once.

First, download and install the Pidgin instant messaging software

Get the software from http://pidgin.im and install it on your computer.

Done installing Pidgin? Great. Continue to the next step.

Download and install the OTR plugin

The Off-the-Record (OTR) plugin allows Pidgin users to encrypt their communications. Get it from http://www.cypherpunks.ca/otr/ and install it on your computer.

Configure Pidgin for Facebook

The first time you start Pidgin you will see this:

Click on “Add…” – a new window comes up.

Adjust the settings as shown, using your Facebook username (Don’t know your username? See above) and password:

Click on the “Advanced” tab and fill in the “Connect Server” field as shown:

Almost there! Now click on “Add” to complete setting up your account.

You may receive a prompt to accept a certificate from chat.facebook.com – this is normal, since it’s the first time Pidgin connects to Facebook from your computer. Accept it:

You should now be connected to Facebook chat! A list of your online friends will come up right away:

If you see something like the above, congratulations – you are successfully connected to Facebook chat. If you get any error messages, modify your account settings and make sure you have typed everything as shown above. Remember, your Facebook username is not your real name!

Activate and configure the OTR plugin

From the Pidgin “Buddy List” window go to Tools -> Plugins as shown here:

Scroll down the list until you find “Off-the-Record Messaging”. Tick the box next to it – this will enable the plugin:

Now click on the “Configure Plugin” button:

In the new window that comes up, configure the default OTR settings as follows:

Congratulations! You can now chat privately with friends who also use the OTR plugin.

You have just made it very difficult for Facebook or anyone else to eavesdrop or record what you say. Just point your Facebook friends to this page and get them using the OTR plugin!

Start a private conversation with Pidgin and OTR

You can communicate privately only if the Facebook friend you’re communicating with has followed the above steps, or is using other chat software that supports OTR.

Double-click on their name to bring up the Conversation window. Notice the “Not private” button on the bottom right?

This means you have not activated the privacy features yet. But you’re about to!

Click on “Not private” and ask Pidgin to “Start private conversation”:

“Start private conversation” with OTR on Pidgin

Pidgin will now attempt to create a secure channel and should display the following:

This is the result we want. “Unverified” is not a problem (but see the “Improvements” section below). Pidgin tells us that it has established a secure channel to the other end, and you can already use it to chat if you wish.

Is this not working? Does your request to “Start private conversation” seem to do nothing? Here is a possible reason. You may need to “enable apps” on your Facebook profile.

Improvements (optional)

With an “Unverified” OTR status you cannot yet be 100% certain that the person you are talking to is indeed your friend and not an impostor pretending to be your friend.

To rule out this possibility you should always verify the people you chat with. You only need to do this once for every friend you wish to chat with.

Verify the identity of your chat friends

For technical reasons Facebook users have to verify the identity of their friends manually, by comparing so-called “fingerprints”.

On the main “buddy list” Pidgin window, go to Tools -> Plugins, then select “Off-The-Record Messaging” and click “Configure Plugin”. (Yes, you were here earlier)

In the “Off-the-Record Messaging” window click on the second tab “Known fingerprints”.

Then select your unverified friend and click the “Verify fingerprint” button.

You will now be presented with both your own and your friend’s fingerprints. After you have verified that you both see the same fingerprints on your screens, you can change this to “I have…”

This is annoying, as it requires you to use another communication channel with your friend (perhaps telephone or email, depending on who your enemies might be) to confirm each other’s fingerprint, but as of April 2012 this is the only option Facebook users have.
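To make clear what you are actually comparing, here is an added example (not from the original post, and not Pidgin’s or libotr’s own code) that computes the fingerprint Pidgin shows for a DSA public key and checks a fingerprint read back over the other channel. It assumes the OTR wire encoding (MPIs as a 4-byte big-endian length plus magnitude, a 2-byte key type of 0x0000 for DSA) and the libotr convention of hashing the serialized key with the type tag omitted; the key values in the demo are constructed toys, not a real 1024-bit DSA key.

```python
import hashlib
import re


def otr_mpi(n: int) -> bytes:
    """Encode an unsigned integer as an OTR MPI: 4-byte big-endian length,
    then the minimal big-endian magnitude (no leading zero bytes)."""
    if n < 0:
        raise ValueError("OTR MPIs are unsigned")
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(body).to_bytes(4, "big") + body


def otr_dsa_pubkey(p: int, q: int, g: int, y: int) -> bytes:
    """Serialize a DSA public key as OTR sends it during the key exchange:
    2-byte key type (0x0000 = DSA) followed by p, q, g, y as MPIs."""
    return b"\x00\x00" + otr_mpi(p) + otr_mpi(q) + otr_mpi(g) + otr_mpi(y)


def otr_fingerprint(p: int, q: int, g: int, y: int) -> str:
    """SHA-1 over the serialized key minus the 2-byte type tag (assumed libotr
    convention), formatted the way Pidgin displays it: five groups of eight
    uppercase hex digits. This is the string you read to your friend."""
    digest = hashlib.sha1(otr_dsa_pubkey(p, q, g, y)[2:]).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


def fingerprints_match(shown: str, read_back: str) -> bool:
    """Compare the fingerprint in Pidgin's dialog with the one your friend
    reads out, tolerating spacing and case differences. A mismatch means the
    session may be with an impostor: do not mark it verified."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9A-F]", "", s.upper())
    a, b = norm(shown), norm(read_back)
    return len(a) == 40 and a == b


if __name__ == "__main__":
    # Constructed toy parameters (a real key uses a 1024-bit p); the encoding
    # and hashing steps are identical for real-sized values.
    fp = otr_fingerprint(p=0x1F3, q=0x25, g=0x07, y=0xAB)
    print("Pidgin would show:", fp)
    print("read-back matches:", fingerprints_match(fp, fp.lower().replace(" ", "")))
```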

That was the hard part done.

After you click “OK”, you don’t have to worry about this again. Next time you wish to talk to this friend, you will just need to click on the OTR button on the bottom right and the conversation will immediately switch to “Private”.

A private & authenticated conversation over Pidgin. You know the person you’re talking to is who they say they are, and you know that no one else can eavesdrop on your conversation.

Optionally, you can tell that your messages are encrypted by having the Facebook chat window open in your browser. You should only see messages like these:

Congratulations!

Now the only things Facebook knows are

  • Who you chat with
  • When you chat with them

…which is a significant improvement from before.

What, you still don’t like that? What are you doing chatting on Facebook then?! Go use CryptoCat over Tor, or if your enemies are pros (and you trust your hardware), TAILS.

8 thoughts on “Stop Facebook recording your chats”

    • Hi Pavel

      If the spooks can subpoena Facebook to hand over the contents of our chats, they can probably do that to you too. Assuming you’ve done everything right (crypto, implementation, hardening of server, authentication, backups, physical attacks etc) and you don’t actually have access to your users’ plaintext chats, do you really want to be the next Ladar Levison?

      OTR has been around for a while and is considered robust in the privacy community. It also takes you out of the firing range when people come asking for your users’ data. Re-inventing such protocols is a dangerous undertaking. Would you consider making your plugin “speak” OTR? That would get rid of the middleman (your server) and give FB users serious privacy properties.

      See https://otr.cypherpunks.ca/

      • Hello again and thanks for the reply.

        I wasn’t aware of OTR but will take a look at it. I don’t have a problem removing the middleman (the server).

        But the whole point of the project is not to make MY service popular to use but for others to install their own servers. That is the main reason the whole project is open source and easy to install (I hope it’s easy to install :-))

        If anyone could install Taniger and use it I don’t think anyone would subpoena tens of thousands of server administrators.
