Facebook moves to encrypt the emails it sends users


The new feature lets users add OpenPGP public encryption keys to their profiles that can be used to encrypt notifications Facebook sends to users' email accounts.

Facebook announced that it’s introducing an experimental new feature that lets users add OpenPGP public encryption keys to their profiles so that Facebook can encrypt the email notifications it sends them.

From the post:

Whilst Facebook seeks to secure connections to your email provider with TLS, the stored content of those messages may be accessible as plaintext (with attachments) to anyone who accesses your email provider or email account.

To enhance the privacy of this email content, today we are gradually rolling out an experimental new feature that enables people to add OpenPGP public keys to their profile; these keys can be used to "end-to-end" encrypt notification emails sent from Facebook to your preferred email accounts.

PGP is a form of end-to-end encryption for email that could be the answer to one of computer security’s longest-standing problems.

As Naked Security’s Chester Wisniewski noted last year when Google made OpenPGP easier for Gmail users, for messages to be truly protected, they have to be enciphered by the sender before they get to the email provider.

It’s a great idea, but unfortunately almost nobody does it. Those who do, though, have tended to favour something compatible with OpenPGP.

Users who use PGP to encrypt their email have two keys. One is a private key that they keep to themselves and the other is a public key that’s given to anyone who wants to send them encrypted mail.

Messages are encrypted using the public key but they can only be decrypted using the private key. So long as you keep your private key private anyone can send you an end-to-end encrypted email that only you can read.
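The flow just described, as an added example that is not code from the article or from Facebook: GnuPG simulates the user (who holds the private key) and the sender (who only ever holds the public key) in two throwaway keyrings on one machine. The name, address and notification text are constructed, and the sender side stands in for Facebook's notification system.

```shell
#!/bin/sh
# Added example, not code from the article or from Facebook: the OpenPGP flow
# the article describes, simulated locally with GnuPG. The user's and the
# sender's keyrings are two throwaway directories on one machine; the name,
# address and notification text are constructed.
set -e
USER_HOME="$(mktemp -d)"; SENDER_HOME="$(mktemp -d)"; WORK="$(mktemp -d)"
chmod 700 "$USER_HOME" "$SENDER_HOME"
trap 'rm -rf "$USER_HOME" "$SENDER_HOME" "$WORK"' EXIT
NOTICE='Constructed notification: you have 1 new friend request.'

# gpg invoked as the user: the private key lives here, with no passphrase for the demo.
user_gpg()   { gpg --homedir "$USER_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
# gpg invoked as the sender (standing in for Facebook): this keyring only sees public keys.
sender_gpg() { gpg --homedir "$SENDER_HOME" --batch --quiet "$@"; }

# 1. The user generates a keypair and exports only the public half; the
#    exported armored block is what they would paste into the profile field.
make_user_key() {
    user_gpg --quick-generate-key "Example User <user@example.invalid>" >/dev/null 2>&1
    user_gpg --armor --export user@example.invalid > "$WORK/pubkey.asc"
}

# 2. The sender imports that public key and encrypts the notification to it.
#    --trust-model always skips the web-of-trust confirmation in this batch demo.
encrypt_notification() {
    sender_gpg --import "$WORK/pubkey.asc" 2>/dev/null
    printf '%s\n' "$NOTICE" > "$WORK/notice.txt"
    sender_gpg --yes --trust-model always --armor --recipient user@example.invalid \
        --encrypt --output "$WORK/notice.asc" "$WORK/notice.txt"
}

# 3. Only the private-key holder recovers the plaintext.
decrypt_as_user() { user_gpg --decrypt "$WORK/notice.asc" 2>/dev/null; }

# 4. Whoever reads the mailbox (or the sender itself) holds only the public key,
#    so decryption with that keyring must fail. Returns 0 when it does fail.
mailbox_reader_cannot_decrypt() {
    ! sender_gpg --decrypt "$WORK/notice.asc" >/dev/null 2>&1
}

make_user_key
encrypt_notification
decrypt_as_user
mailbox_reader_cannot_decrypt && echo "public key alone cannot decrypt: OK"
```

The script needs GnuPG 2.1 or later for `--pinentry-mode loopback`; the ciphertext in `notice.asc` is what would sit in the mailbox.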

If you want to know more about OpenPGP technology an introduction to PGP is available from the Electronic Frontier Foundation.

With anti-surveillance, kill-that-damn-Patriot Act fever rising, both US and UK governments and law enforcement agencies have been gnashing their teeth over strong encryption, given that it scrambles communications for those who don’t have the correct key to decrypt them.

For example, Apple and Google both annoyed US law enforcement by updating their mobile devices to have encryption turned on by default – a move that went “too far,” FBI Director James Comey said.

With OpenPGP, Facebook aligns itself with all those annoying tech companies opting for strong encryption on their users’ communications.

In October, Facebook also launched a .onion address to enable users to connect via the anonymised Tor network.

By the way, if you want to know what Tor is and if you should use it, Lifehacker has an article that might come in handy.

Facebook also turned on HTTPS by default for all Facebook users in 2013, enabling them to automatically encrypt their communications with Facebook and preventing hackers and attackers from sniffing sensitive data while using unencrypted WiFi hotspots.

Facebook contact preferences

With OpenPGP now in test mode – it was gradually rolling out as of Monday – users will be able to update their own public key with a desktop browser, through their contact preferences account tab.

Facebook is also looking into the possibility of public key management on mobile devices somewhere down the line.

Users may also choose to share OpenPGP keys from their profile, with or without enabling encrypted notifications.