Facebook Bolsters Message Security, Adds OpenPGP

Facebook announced early Monday that it has adopted OpenPGP encryption and will let users post their public keys on their profiles.

Facebook announced early Monday that the social network is in the process of adopting OpenPGP encryption and that it will give privacy conscious users the ability to post their public keys on their profile.

The feature, which is gradually rolling out to users today, should better lock down messages sent through the service to users’ personal email addresses. As the company’s announcement points out, while Facebook secures its connections to email providers via TLS, the messages it sends to users – as plaintext, with attachments – could still technically be accessed by anyone who has access to those email accounts.

Now, if a user elects to, they can add “end-to-end” encryption to the notification emails that the social network sends to their email address.

“Where encrypted notifications are enabled, Facebook will sign outbound messages using our own key to provide greater assurance that the contents of inbound emails are genuine,” Facebook said in its announcement Monday, adding that users can share their OpenPGP keys from their profile.

The announcement claims that Facebook will use the GNU Privacy Guard standard and support encryption with the RSA or ElGamal algorithms.

“Facebook’s OpenPGP key comprises a long term primary key with short term subkeys; this allows us to frequently rotate our operational keys whilst maintaining the web of trust and a consistent identity over time,” two of the company’s security software engineers, Steve Weis and Zac Morris, and Jon Millican, a software engineer for security infrastructure, wrote Monday.

The engineers say the company will continue to look into some of GPG’s newer elliptic curve algorithms, and into support for mobile devices, which the feature does not yet cover.

The feature, while only several hours old, was championed by privacy advocates on Monday, including The Committee to Protect Journalists, a New York City-based organization that defends the rights of journalists. Representatives with the nonprofit lauded the move, calling it a substantial improvement for the social network in both safety and usability.

“Security tools like PGP encryption are most effective when they are used widely,” said CPJ Internet Advocacy Coordinator Geoffrey King. “Facebook has taken an important step to help protect users’ private communications by default, and make the risky environment in which journalists work a little bit safer.”

Elsewhere, Runa A. Sandvik, a privacy and security researcher who helped beta test the new feature, argued that while one of Facebook’s chief interests may be collecting user data, that doesn’t absolve the company from protecting that information.

“We often get too hung up on Facebook’s business model and seem to forget that, if anything, the company does care about ensuring safe and easy user access,” Sandvik said Monday.

Facebook has gotten a bad rap over the last few years, especially in today’s post-Edward Snowden, post-PRISM world, but the company has made some strides as of late when it comes to security.

Last year the company made the social network available to users as a Tor hidden service, making it both easier and more secure to access via the anonymization network. Earlier this year it launched ThreatExchange, a massive information sharing platform. Powered almost entirely by Facebook’s infrastructure, the platform helps parse threat data for Pinterest, Yahoo, Tumblr, Twitter, and others.

Sandvik, a privacy advocate who also helped advise Facebook on its Tor hidden service, called the company’s PGP feature another important step in the process of making the service safer to use.

“We can’t tell people not to use Facebook, but we can tell them how to use it safely,” Sandvik said.

Discussion

  • JonnyM on

    That's a bold move from FB
  • Johan on

    Ok, it may be early in the morning, but there is one thing that seems a little off to me... If I have understood this correctly, the PGP encryption is going to happen on Facebook's servers? Because in that case it doesn't really protect your info except when it is being passed around on the server itself...
    • Ben on

      @Johan - no, the data within the email (contents) is encrypted so that when it arrives at the recipient's email server, it is not stored in clear text. The user has the private key on their endpoint to decrypt the contents or attachment once they download it from the email server. That's how I read it anyway. Cheers.