SECURITY
Facebook Inc. has developed a new approach to detecting online fraud that it said could provide more privacy for consumers than the techniques companies employ today.
The social network detailed the method this afternoon at its @Scale engineering conference in San Jose, California. The problem it addresses is that web companies, including Facebook itself, need to collect large amounts of data about users’ activity to tell if their actions are legitimate or fraudulent. This data collection raises obvious privacy concerns even when the information is utilized strictly for fraud prevention.
A hypothetical example is a banking app that needs to verify login attempts are made by real customers and not bots. As part of the process, the app might record the amount of battery charge in the user’s phone or readings from the phone’s accelerometer, which is the kind of data that bots have an extremely hard time faking. The downside is that this data ends up in the hands of the banking app’s developer.
Facebook’s approach to making the process more private is to perform verification with digital signatures instead of raw user information. Digital signatures are essentially virtual stamps of authenticity that employ cryptography to prove the file they’re attached to is legitimate. In this case, Facebook wants to harness them to prove that an action like a purchase or an ad click comes from a legitimate user.
It proposes to implement the approach using a modified version of a blind signature, a cryptographic technique that allows a company, say the hypothetical banking app developer, to attach a digital signature to a user activity log without viewing its contents. That log’s authenticity can later be verified, again without requiring the developer to check the user data inside, thus preserving privacy.
Facebook’s method would have the added benefit of making it difficult for cybercriminals to forge signatures and pass off fraudulent activity as legitimate. One way the technique makes that possible is by having the user’s browser or operating system handle a part of the verification procedure. As a result, the data involved in the process never leaves the user’s device, which makes it that much harder for hackers to intercept it.
Facebook’s researchers said that this technique can be combined with even more advanced security methods. Companies could add a unique identifier to each digital signature to prevent reuse, and block signatures from being hijacked to verify an event chain (such as a website visiting session) other than the one for which they were originally generated.
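To make the blind-signature and reuse-prevention ideas above concrete, here is an added example (not Facebook's code, and not its modified scheme): a textbook RSA blind signature with a verifier that rejects a token it has already seen. The toy key, the token layout and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key from two Mersenne primes so the example runs offline.
# Real signers use randomly generated primes and a padded scheme.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def blind(msg: bytes):
    """Device side: mask H(msg) with a random factor r before it leaves."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return digest(msg) * pow(r, E, N) % N, r

def sign_blinded(blinded: int) -> int:
    """Signer side: signs the masked value, never sees msg or H(msg)."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Device side: strip r to obtain an ordinary signature on msg."""
    return blind_sig * pow(r, -1, N) % N

class Verifier:
    """Checks the signature, then rejects a token it has already accepted."""
    def __init__(self):
        self.seen = set()

    def accept(self, token: bytes, sig: int) -> bool:
        if pow(sig, E, N) != digest(token) or token in self.seen:
            return False
        self.seen.add(token)
        return True

def demo() -> dict:
    # Hypothetical token layout: event-chain label plus a unique identifier.
    token = b"chain=checkout;id=" + secrets.token_hex(16).encode()
    blinded, r = blind(token)
    sig = unblind(sign_blinded(blinded), r)
    v = Verifier()
    return {"signer_saw_digest": blinded == digest(token),
            "first_use": v.accept(token, sig),
            "replay": v.accept(token, sig),
            "other_chain": v.accept(b"chain=ad-click;id=constructed", sig)}
```

Calling `demo()` shows the signer never receives the token's digest, the first presentation verifies, and both a replay and a token naming a different event chain are rejected.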
Facebook hopes to work with outside companies such as browser makers to develop an industry-standard implementation of its method. To that end, the social network has started soliciting feedback from the business and academic communities through the W3C internet standards body.