Starting Monday, Facebook will begin rolling out OpenPGP functionality for members who use the social network’s e-mail functionality. The experimental new feature will allow users to add OpenPGP public keys to their profiles to establish end-to-end encryption for notification e-mails sent by Facebook to users' e-mail accounts.
People may also choose to share OpenPGP keys from their profiles, with or without enabling encrypted notifications, the company said in a statement. Users will be able to find their public keys in the Contact and Basic Info screen under the About menu heading.
Moving Toward Greater Privacy
The world’s largest social network has taken several steps in the last year to provide greater security and privacy functionality for its users. In October, Facebook announced the creation of a new URL for users who wanted to access the site directly using the Tor Onion browser. Connections to the Facebook page have been secured using HTTPS with HSTS by default since 2013. And more than 95 percent of Facebook’s notification e-mails are encrypted with both perfect forward secrecy and strict certificate validation.
But the company has also frequently run afoul of privacy advocates for many of its past actions, including the decision to prevent drag queens from accessing the site using their stage names, and using cookies to track the browsing habits of users even when they are not connected to the service.
“It's very important to us that the people who use Facebook feel safe and can trust that their connection to Facebook is secure,” the company said in its statement.
Open Privacy Standard
OpenPGP is one of the most popular available standards for protecting e-mail with public key encryption. The standard is based on the PGP (short for pretty good privacy) core technology that helps protect the content of e-mail messages, texts and files from being read by surveillance programs.
PGP, and by extension, OpenPGP, uses a double-key system to encrypt a user’s communications. Users have both private keys, which they keep to themselves and do not give out, and public keys, which they provide to anyone who wants to communicate with them. That way, a sender can encode a message using the recipient’s public key, and that message can only be decoded by the matching private key, which only the intended recipient can access.
When users enable the encrypted notification option on their profiles, Facebook will sign outbound messages using its own OpenPGP key, according to the company. That way, users will be able to verify that the messages do, in fact, come from Facebook.
The company said it has chosen to use GNU Privacy Guard (GPG), a widely used and free implementation of the OpenPGP standard, for its implementation. Facebook said its key consists of a long-term primary key and short-term subkeys so the company can frequently rotate its operational keys.
The version of GPG Facebook is using supports encryption with the RSA and ElGalam algorithms. The company said it is also investigating additional support for newer algorithms.
Posted: 2015-06-03 @ 1:32pm PT
(1) Please disclose your relationship to ChiaraMail before promoting it.
(2) ChiaraMail's ECS is just a fancy label for something very simple that predates your patent: instead of sending an e-mail to a recipient, send a URL.
@Montello: you're 100% right. It will be interesting to see if Facebook's initiative will help PGP to a bit more popular. It has been around for more than 20 years and is still not sufficiently well known by the mainstream population.
Posted: 2015-06-02 @ 12:27am PT
ChiaraMail provides stronger security and there's no passcode to worry about forgetting. Check it out on Google Play.
Posted: 2015-06-01 @ 1:12pm PT
Greater security? Yes. But not necessarily the privacy you might expect. Facebook knows your identity; while it can't read the actual content, metadata can be just as private. If you're concerned about privacy, using Facebook seems to be an odd choice. Same with WhatsApp, btw. Messages are encrypted, but WhatsApp (i.e., Facebook) knows who's talking to whom. Opt for a service that can be used anonymously.