Facebook has demonstrated as well as any company could that sometimes the left hand does not know what the right hand is doing. Take the news that Facebook is now supporting strong encryption in the emails it sends.
Yes, this from the company that broadcasts user location data within a meter in Facebook Messenger and requires the use of real names.
Facebook now lets users add OpenPGP public keys to their profiles and sign up for encrypted Facebook notifications.
PGP, or Pretty Good Privacy, is a program that lets people encrypt and decrypt emails, and allows users to authenticate messages with digital signatures. It was once banned by the US government as a “munition.”
Though the software has been legal for decades now, intelligence agencies have warned that widespread use of strong encryption could endanger their data-gathering efforts. For Facebook, which has felt burned by revelations about government snooping on its users, that’s kind of the point.
See also: Understanding Encryption—Here’s The Key
Here’s how it works: Facebook now allows users to upload their public keys onto their profile, where they can be made visible to friends or to the public, just like other contact information is. Facebook further offers the option of encrypting notifications it sends to your email account. This provides some added protection, and also prevents your email provider from learning what you’re doing on Facebook.
You can read more about the tool in the PGP section of Electronic Frontier Foundation’s Surveillance Self-Defense Guide, along with installation instructions for Linux, Windows, and Mac OS X.
“If you use Gmail and have configured Facebook to send you all the notifications you can possibly configure in your Facebook settings to your Gmail account, obviously Facebook would be feeding Google … lots of interesting information that Google could stuff into [its] database,” says security adviser Per Thorsheim, founder of the Passwords hacker conference. Encrypted notifications prevent that.
Using this feature further means that if your email account is hacked, or your messages are intercepted in transit, your Facebook notifications will be safe from prying eyes. Thorsheim believes that password reset requests are where this is most important.
“The inbox has for a long time been a weak spot in attacking someone’s digital life,” he points out.
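The flow described above, as an added example that is not from the article or from Facebook: a user generates a key pair and exports the public half (the block they would paste into a profile), a sending service that holds only that public key encrypts a password-reset notification to it, and only the private-key holder can read the result. It assumes GnuPG 2.1 or later is installed; the name, address and notification text are constructed, and everything runs in throwaway keyrings.

```shell
#!/bin/sh
# Added example (not from the article): simulates encrypted notifications
# with GnuPG in temporary keyrings. Names and addresses are constructed.
set -eu

demo_encrypted_notification() {
  user_home=$(mktemp -d); sender_home=$(mktemp -d)

  # 1. The user creates a key pair and exports the public half; the
  #    armored block is what they would publish on their profile.
  GNUPGHOME="$user_home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Example User <user@example.invalid>" default default never
  GNUPGHOME="$user_home" gpg --batch --quiet --armor --export user@example.invalid \
      > "$sender_home/profile_key.asc"

  # 2. The sending service holds only the public key, so it can encrypt
  #    but never decrypt; the mail provider relays ciphertext only.
  GNUPGHOME="$sender_home" gpg --batch --quiet --import "$sender_home/profile_key.asc"
  printf 'Password reset requested for your account\n' |
    GNUPGHOME="$sender_home" gpg --batch --quiet --trust-model always --armor \
      --encrypt --recipient user@example.invalid > "$sender_home/notification.asc"

  # Sanity check: the relayed message carries none of the plaintext.
  if grep -q 'Password reset' "$sender_home/notification.asc"; then return 1; fi

  # 3. Only the holder of the private key recovers the notification.
  GNUPGHOME="$user_home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --decrypt "$sender_home/notification.asc"

  GNUPGHOME="$user_home" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$sender_home" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$user_home" "$sender_home"
}
```

Run `demo_encrypted_notification` to print the decrypted notification; the intermediate `notification.asc` is the only thing an email provider or an inbox intruder would see.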
PGP to the Masses?
Will Facebook enabling encrypted notifications lead to widespread adoption of PGP?
“I would love to say that the answer is yes, but we all know that PGP is really difficult to use compared to the other tools that are out there,” says privacy and security researcher Runa Sandvik.
Critics are quick to point out that if a user is not paying for a product, they are the product, and of course encrypting notifications from Facebook won’t stop the social media behemoth from accessing all the data itself. The only way to protect one’s data from Facebook is to stop using Facebook.
But encrypting notifications, and perhaps accessing Facebook over its Tor onion service, provides safer alternatives for those who won’t heed the rallying cry.
“It’s important to remember that we can’t tell people not to use Facebook because they’re going to use Facebook regardless,” said Sandvik. “That’s just the way it is. What we can do and what Facebook can do and is doing is making it safer and easier for people to securely use the platform.”
Despite its addition of this feature, it’s worth pointing out that Facebook in itself is far from being a secure platform. For example, Facebook Messenger does not offer end-to-end encryption, lagging behind companies like Open Whisper Systems and Silent Circle. Even Apple’s iMessage offers encryption, as Apple CEO Tim Cook recently pointed out at EPIC’s Champions of Freedom event.
In addition, even though Facebook notifications sent to you are encrypted in your inbox, your responses to them can leak into your friends’ inboxes if they do not have the feature enabled. And even if your contacts have a public key listed, this doesn’t mean they’ve signed up for encrypted notifications.
Who’s Next To Encrypt?
Google announced that it was working on a Chrome extension called End-to-End around a year ago. Twitter, in the past, was working on encrypting direct messages, and then halted the program for no apparent reason. But perhaps this development will encourage other companies to step up their game.
“I believe that companies are now slowly starting to realize how much privacy means to the public, and how privacy and security done right can actually be a selling point,” Sandvik says. “I don’t know how many will actually follow suit and enable [encrypted] email notifications, but I do believe that more will actually start to consider privacy from the get-go as opposed to trying to sprinkle it on top when it suits them later on.”