Facebook Will Now Encrypt Its Emails to You, If You Want
Another win for the “encrypt all the things” camp.
To protect you from snoops, Facebook would like to send you encrypted emails.
The social network announced on Monday that it plans to encrypt all its notification emails to users who use PGP or GPG, a technology to secure communications end-to-end that's more than 20 years old, yet has struggled to become widely adopted.
While perhaps few users will take advantage of this new feature, this is another win for the "encrypt all the things" movement, which advocates for widespread adoption of encryption on the internet.
If you use PGP, you can now upload your public key (and please don't make the mistake of uploading your private key) to your Facebook profile, and the social network will then start sending you all notification emails, such as those alerting you of a new private message, a message on a secret group, or account changes and password reset notifications, using the company's own public key.
"That's really important in indicating that these sorts of tools are the everyday bread and butter of safe communication," Tom Lowenthal, a staff technologist at the Committee to Protect Journalists, told Motherboard.
This will ensure that if someone hacks into your email account, or intercepts your emails while they travel across the internet, he or she won't be able to see the content of Facebook's communications to you.
"Given the number of email service providers getting popped these days, it seems prudent," Facebook software engineer Alec Muffett said on Twitter.
For example, imagine you receive a sensitive message, such as a very private note from a friend, on Facebook. That message is encrypted with HTTPS while in transit by Facebook, which makes it harder for snoops to read it. But some email providers still don't support encryption, meaning your emails travel over the internet in plaintext, which makes them more vulnerable.
Another advantage of this feature is that it will make it harder for criminals who have access to a victim's email account to take over the victim's Facebook account by resetting the password. In fact, this change makes Facebook password reset emails "the most secure in the business," according to Lowenthal.
Facebook's new feature might promote the use of PGP encryption too.
"Security tools like PGP encryption are most effective when they are used widely," Geoffrey King, the Internet Advocacy Coordinator of the Committee to Protect Journalists, said in a statement, highlighting how this feature might help journalists protect their communications with sources.
While Facebook is still rolling out this feature, the plan is to make it available to everyone eventually.
"Although this is still an experimental feature, we've received very positive feedback from beta testers and will be making this feature available to all users who choose to use it," Facebook spokesperson Melanie Ensign told Motherboard.
All users should receive the feature by the end of the day, according to Muffett.
Facebook's PGP feature comes seven months after the social network launched its own Tor hidden service, giving users who need more privacy protection a way to connect to the social network through the deep web.
While these features are something Facebook deserves praise for, Trevor Timm, the co-founder and the executive director of the Freedom of the Press Foundation, said that Facebook could do better.
"If Facebook really wanted to make a difference," Timm said in an email to Motherboard, "they would end-to-end encrypt all conversation on Facebook Messenger by default."
This story has been updated to include comments from Tom Lowenthal and Trevor Timm.