All around the world, human rights defenders, activists, journalists, and others use Facebook to express themselves and organize. That is why we’re glad to see Facebook make security and privacy enhancements to its platform, implementing strong encryption for its email notifications.
Facebook began the process in June of this year when it enabled users to upload their PGP public encryption key to their profiles. Now the company has made a further improvement, upgrading this encryption to include Elliptic Curve Cryptography (ECC).
This is good news for everyone who uses Facebook, especially in cases when you’re sending sensitive information — or communicating with someone who is.
When an email is sent “in the clear,” anyone with access to any of the computers through which that email passes could get access to the contents. Now, if you upload your public encryption key, Facebook encrypts the message with your unique key, and when you receive it, you decrypt it on your computer.
This is the standard of PGP encryption functionality that every platform should meet. Now that Facebook has implemented this functionality on one of the most popular and most used platforms in the world, it’s much less likely that we’ll hear companies claim that there’s “no demand” for encryption at this standard, or that it’s simply too hard to implement.
It is worth also noting that Facebook has made it that so a user’s PGP public key can be retrieved using an API call. This allows for interesting possibilities for third-party developers to integrate the use of PGP into any add-ons they build. It also opens up the possibility for Facebook to become a public PGP keyserver, which could contribute to wider adoption of the strong PGP cryptosystem.
We applaud this demonstration of leadership by Facebook, which also created a .onion site where you can log in through Tor, another good thing for privacy. We hope that the company continues with its commitment to further enhancing the security and privacy of the platform. We have one caveat, and some suggestions for further improvement.
In the same blog post that Facebook announced its implementation of ECC, it also promoted the use of the Proton email provider, for use with Facebook and PGP. Unfortunately, Proton — along with some other secure mail providers such asMailvelope — implements PGP with the openpgp.js javascript library. While this makes for seamless and easy-to-use PGP encrypted email in the browser, we do not recommend this implementation of PGP for people who require a high level of security. Implementing cryptographic functions in javascript, and keeping the code secure from compromise in transit or in the browser, is a challenging prospect.
You can use ProtonMail if strong encryption is not a requirement for you. The more that people use any form of PGP email, the more we help the most at-risk users.
This is true for all encryption. The higher the volume of encrypted traffic, the better. While state adversaries have some capability to crack encryption, this does take effort, and we don’t want a situation where the only people using PGP are those that have a strong need to keep their communications confidential from those state adversaries. When the volume of encrypted traffic on the internet increases, so too does the difficulty for those state adversaries. For people with a need for strong encryption, we recommend PGP using Thunderbird and Enigmail.
With that said, we’ve developed some further suggestions for security improvements to the platform. The hard-working security team is likely thinking of these ideas already. We know that digital security is an evolving endeavor, and constant testing, improving, and innovation are required as threats emerge and change shape. Here are some ideas for further consideration:
PGP encryption for user-to-user emails and messaging
Facebook could encourage and help people use strong encryption when they send messages to each other, or contact organizations via Facebook. One way to do this would be to help people use PGP when communicating with each other. Facebook could also implement Off The Record (OTR) encryption in its messaging applications, just as WhatsApp has done with its Open Whisper Systems encryption.
Encourage and promote use of PGP
Facebook could promote its PGP encryption features to users in ways that encourage adoption of PGP, such as prioritizing the reach of posts from profiles that have uploaded a PGP public key. Approaching PGP in this way would motivate people to overcome the barriers — such as the learning curve — to adopting strong encryption. This would benefit every user of these cryptosystems. People complain that a PGP cryptosystem is “too hard” for users to get their heads around. However, a big part of that problem is that we don’t give people the motivation or opportunity to do so.
PGP signatures
Facebook could enable people to sign their profiles and posts with a PGP private key. This would give other people the ability to verify cryptographically that those profiles or posts are authentic. This would mitigate the problems posed when accounts are hacked and fake posts are published. Friends or followers would have the ability to detect those fake posts.
Automatic PGP prompting in Facebook
Facebook could build the technology to perform an automated lookup to public PGP keyservers to determine whether a Facebook user’s email address is associated with a PGP key. Facebook could include a prompt to encourage the user to upload the public key to Facebook. This would likely encourage use of PGP encryption within Facebook among people who are already familiar with the cryptosystem outside of Facebook. Facebook could also prompt users to update their keys when they expire, encouraging ongoing use of the cryptosystem.
Enable encryption for email to Facebook
In some cases, Facebook asks for sensitive information, such as when it requests documents for verifying identity pursuant to its authentic identity policy (also known as its “real name policy”). Any sensitive information sent to Facebook should be encrypted using PGP or another common form of encrypted communication. Facebook could give people an easy way to do that, so they may protect their identity information during the submission process.
Again, these are great steps in the right direction taken by Facebook for the security of users, and we look forward to further improvements as the platform develops.
Photo Credit: Ksayer1