Facebook has surprised usually skeptical security experts by adding an extra, genuinely privacy enhancing feature to its service. Facebook users can now hand over their public OpenPGP keys (warning! never hand over your private keys!) to Facebook, which will then then send all emails using strong PGP encryption.
We have discussed Pretty Good Privacy (PGP) encryption in quite some detail before, taking a close look at its open source incarnation GnuPG. Facebook announced in February that it was now ‘going to sponsor GNU Privacy Guard (GnuPG) development with commitments of $50,000 per year to help sustain the important work of this open source security project.’
This latest move comes on top of adding support for accessing Facebook anonymously via the Tor hidden network, and adding secure open source TextSecure technology from Whisper Open Systems to its WhatsApp text messaging service last November.
‘Together, they provide an effective way to use Facebook without revealing your identity, connecting through Tor and maintaining the account through encrypted emails. Any emails sent under the system will clearly be from Facebook, but won’t reveal which account they’re sent in reference to, allowing the user to receive alerts without breaking anonymity. It’s a potentially crucial feature for activists and journalists in oppressive countries, looking to use Facebook under a pseudonym without revealing themselves to the network.’
‘The advertising business requires that they collect more data than we want. However, their security team wants to work with [the privacy community] and they can make a real difference.’
So what does this actually mean?
PGP works by encrypting messages using asymmetric key pairs generated by individual PPG users. These keys can then be exchanged with other users, and users may add a digital signature to verify the identity of sender and the message’s integrity.
With public-key cryptography, each user has a private key, which they keep secret and use to decrypt emails sent to them using their public key. They also have a public key, which they freely distribute so that other people can use it to send them encrypted mail.
- Public key – distributed so that others can use it to encrypt mail for sending to you
- Private key – kept secret and used to decrypt own mail
Users should be aware that although the contents of emails, together with any attachments, are encrypted when using PGP, headers and metadata (such when, to who, and by whom emails are sent) are not. This is a problem that new services such as ProtonMail and Tutanota are trying to address.
PGP users will, however, benefit from the fact that the contents of all communications outside of Facebook will now be gobbledegook to third party email providers (such as Gmail etc.), and anyone else who intercept emails from Facebook without their private key. All internal Facebook messages and connections are protected using SSL encryption.
Facebook, of course, can read all messages (and can be compelled by the NSA and many national governments to hand such information over), but this could nevertheless the be a godsend for dissidents and whistleblowers in repressive regimes whose governments have no power over Facebook, and where the ability to organize via social media is vital to protecting human rights.
So what do I do if I want it?
- The first thing you need to do is create a PGP key pair. The most secure way to use PGP is with a standalone email client , but the free and open source browser extension Mailvelope is much easier to use, while still providing a high level of security and privacy. Remember that as with all security related software, it is vital to verify the digital signature of any software you download.
We have generated a new key pair using Mailvelope, and are ready to export it using Cut & Paste
- Sign into your Facebook account and head for About -> Contact Basic Info -> Add a public key.
- Paste in your public key (not your private one!) into the box provided, check the ‘Use this public key to encrypt notification emails that Facebook sends you’ box.
It is probably a very good idea to enable some alternative account recovery method before hitting ‘Save changes’.
- Facebook will send you a PGP encrypted email verifying that you want to receive encrypted communications…
This message can only be decrypted using your PGP software and private PGP key
… once you have confirmed, you should only receive PGP encrypted emails from Facebook.
If you leave your public key on the Public privacy setting, then other Facebook users can see it use it to send you securely encrypted emails.