Despite a series of privacy stumbles, Facebook is forging ahead with plans to debut a new cryptocurrency called Libra. To bring the idea to fruition next year, the social network has created a new subsidiary called Calibra that will offer digital wallets designed to hold, send, and receive the virtual coins.
But just how well will Libra, and Facebook’s Calibra, protect people’s privacy? And should consumers be worried about using the new services?
Facebook knows it has lost trust with consumers over its repeated snafus, and is therefore being careful with what it says about its new products. In short, the company is pleading: Trust us this time.
“There will be separation of data,” David Marcus, Facebook’s lead blockchain executive, stressed to Fortune. “People don’t want their financial data and social data commingled.”
Let’s take a look at the reality of the situation.
Balancing the scales
People already familiar with Bitcoin and Ethereum will recognize the basis for Libra’s blockchain, the underlying accounting ledger that tallies virtual wealth across a distributed network of computers. Libra’s version, built on a new open source codebase, has the same privacy properties as those predecessors, says Kevin Weil, Calibra’s vice president of product.
At a technical level, this means the Libra blockchain will rely on pseudonyms in the form of strings of letters and numbers that represent people’s identities. To drill down deeper: These strings are known as a public and private key pairs. People can use the public key as a shareable destination address for money, while the private key is a secret, like a passcode, that people can use to sign and validate transactions as authentic.
Libra’s blockchain does not offer anonymity. The setup is not as privacy-protective as other specialized cryptocurrencies, such as Zcash and Monero, strive to be. Zcash includes an advanced cryptographic option to keep people’s financial details—including their pseudonymous identities even—hidden from public view. Monero, meanwhile, mixes and scrambles details related to people’s transactions to obscure them.
But security experts warn that no known privacy system is bullet-proof.
Does this mean that Facebook or others could inspect the blockchain, or public ledger, at the system’s core, and thus see everyone’s payment histories? Answering this question requires some subtlety.
In a paper released Tuesday morning, Facebook assures people that its products will not source account information or financial data from Calibra “without customer consent.” Neither will it share the any of this information with third parties, except in cases involving potential fraud, criminal activity, legal compliance, or product performance. (Facebook must also share certain information with vendors and payment processors to make sure people get paid.) Any shared information “will not be used to improve ad targeting” without permission, the document specifies.
If Facebook’s legalese is to be believed, then the default setting for Calibra will require people to opt in for data-sharing. The wallet service will be available as a standalone app on iOS and Android, but also as a service integrated with WhatsApp and Facebook Messenger. Presumably, if someone were to explicitly agree to link their Calibra account to another Facebook product—importing their WhatsApp contacts, say—then this would open up the data pipe for sharing.
Calibra is what cryptocurrency professionals call a “layer two” technology. This means that Facebook will settle accounts on its own internal ledgers and later record the end results, in aggregate, on the wider Libra blockchain. This affords an extra level of protection. Outsiders should be generally unable to inspect individuals’ payments, transaction timestamps, and aliases. Instead, they will see bigger, batched moves reflecting the state of Calibra’s systems. This helps prevent attackers from untangling the data and figuring out people’s real identities and purchasing proclivities.
People who use Calibra will have to trust Facebook’s internal firewalls and security measures, of course. And there’s a lot of data here that hackers and snoops might like to access. In order to abide by standard “know-your-customer” and “anti-money laundering” laws, Calibra will have to verify people’s identities through a thorough process, collecting government-issued IDs and other personal details and documentation. It will be incumbent upon Calibra to keep this data confidential and secure.
Placating the Faceboycotters
For people who still don’t trust Facebook, even after all the company’s assurances, they may opt to use another wallet provider.
Because the Libra codebase is open source, any other company or ideologically motivated set of programmers will be able to create their own wallets, managed however they please and bearing whatever properties they wish. Libra’s blockchain and codebase is slated to be governed by a Swiss nonprofit, the Libra Association, which includes corporate giants such as Visa, Mastercard, PayPal, and Uber. One might expect Coinbase, PayPal’s Venmo, and others to develop their own virtual wallets, or add Libra integrations, before the cryptocurrency’s expected premiere in 2020.
Facebook, for its part, doesn’t plan on tweaking regulators as Bitcoin’s most fervent supporters have. “A new form of digital currency is bound to happen whether we do that or not,” Facebook’s Marcus says. “Either it happens in a way that’s antagonistic to governments and banks, or it can be done by a number of trusted organizations that will definitely play by the rules.”
That “definitely” will be a tough sell for some consumers who are fed up with Facebook’s litany of security missteps and privacy abuses. But for other people, the convenience of Facebook’s coming cryptocurrency business, entwined with its super popular chat apps, may lure them yet.
More must-read stories from Fortune:
—Project Libra: Facebook’s wildly ambitious plan to bring cryptocurrency to the masses
—5 things to know about Project Libra
—How cord-cutting is driving big changes across the media landscape
—Andreessen Horowitz’s Scott Kupor demystifies the VC funding process
—To break up Facebook, here’s where the government might start
—Listen to our new audio briefing, Fortune 500 Daily
Follow Fortune on Flipboard to stay up-to-date on the latest news and analysis.