Facebook may be known as the social network that got everyone to redefine the idea of privacy. But it’s increasingly turning its attention to securing your communications online — if only so you’re more apt to trust the social networking giant with your data. You can now get Facebook to encrypt every email that it sends you thanks to an experimental feature that enables you to add an OpenPGP public key to your Facebook profile.
So what does that mean? PGP, which stands for “Pretty Good Privacy,” is an end-to-end encryption program that was created in 1991. End-to-end encryption ensures that only the sender and the intended recipient of a message can read it, using a pair of keys — one private and one public — to protect the message. And OpenPGP is a widely-used email encryption standard derived from the original PGP standard.
To use PGP, you create a pair of keys — long strings of letters and numbers — to encrypt and decrypt messages. You share one key publicly, and keep the other private; others can then use your public key to create a message that can only be decrypted with your secret, private key. So even if someone else intercepts a message, its contents won’t be decipherable by anyone other than you.
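The key-pair mechanism described above, as an added example that is not part of the original article or of Facebook's implementation. It uses only Go's standard library (RSA-OAEP to wrap a per-message session key, AES-GCM for the body), which is the same principle OpenPGP uses but not OpenPGP's packet format; the `Envelope` type, the function names and the sample message are constructed for this illustration. It shows that an intercepted message cannot be opened with any key other than the recipient's private key, and that an altered message is rejected rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a constructed wire format for this example: a random session key
// wrapped to the recipient's public key, plus the message sealed under that
// session key. OpenPGP works on the same principle (a public-key-encrypted
// session key packet followed by the symmetrically encrypted body) but uses
// its own packet format, which this example does not reproduce.
type Envelope struct {
	WrappedKey []byte // session key encrypted with RSA-OAEP to the recipient's public key
	Nonce      []byte // AES-GCM nonce for the body
	Ciphertext []byte // message body plus GCM authentication tag
}

// GenerateKeyPair makes the recipient's key pair. The public half is what you
// would publish (for example on a profile); the private half stays with you.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt seals plaintext so that only the holder of the private key matching
// pub can recover it. The sender needs nothing but the recipient's public key.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // fresh AES-256 key for this message only
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: body}, nil
}

// Decrypt recovers the plaintext with the recipient's private key. A wrong
// key fails at the OAEP unwrap; a modified body fails the GCM tag check.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key or damaged envelope")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("body authentication failed: ciphertext was altered")
	}
	return plaintext, nil
}

func main() {
	recipient, _ := GenerateKeyPair()
	other, _ := GenerateKeyPair() // a party who intercepted the mail but holds a different key

	// Constructed sample notification body, standing in for an account-recovery email.
	env, _ := Encrypt(&recipient.PublicKey, []byte("Your password reset code is 123456"))

	pt, err := Decrypt(recipient, env)
	fmt.Printf("recipient: %q (err=%v)\n", pt, err)

	_, err = Decrypt(other, env)
	fmt.Println("other key:", err)

	env.Ciphertext[0] ^= 0x01 // simulate corruption or tampering in transit
	_, err = Decrypt(recipient, env)
	fmt.Println("tampered:", err)
}
```

The session-key layer is what lets a single message be addressed to several recipients: the body is encrypted once and the session key is wrapped once per public key, which is also why the public key, and only the public key, is safe to publish.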
As Facebook’s post notes, the company is technically introducing two separate features: one that enables you to share your public PGP key on your profile, and one that allows you to encrypt the notification emails that Facebook sends you. You can list your PGP key with or without enabling encrypted notifications.
Harrison Weber reports for VentureBeat that Facebook already encrypts everything you do on its social network, though that doesn’t prevent the data that you share with Facebook from falling into the hands of a government surveillance agency. Facebook’s PGP feature simply extends Facebook’s existing security features to your email; if a Facebook friend sent you a message, Facebook would handle the encryption, so it’s not, strictly speaking, end-to-end encryption.
But Weber notes that the most interesting opportunity for the feature lies within the account recovery process. If you turn on encryption for all emails from Facebook, recovery emails will be encrypted by default, which would slow down a court, hacker, or spy looking to compromise your account. Weber notes that while the addition of PGP encryption is a step in the right direction, it can do more. Facebook isn’t the only company implementing PGP encryption, though no major company has yet succeeded in making the feature consumer-friendly.
And that’s the problem with Facebook’s new security features: most people don’t know how public/private key email encryption works, or have any idea how to set it up. TechCrunch’s Frederic Lardinois reports that a number of companies promised to make end-to-end encryption more accessible to the general consumer, but it’s a complex problem to solve from both a technical and user experience standpoint.
To add a PGP key to your Facebook profile, click About, then Contact and Basic Info, and select +Add a public key. If you already have a public and private key, paste the public key in the appropriate field. (If you haven’t used PGP yet, both TechCrunch and Lifehacker have good tutorials for you. And Facebook points users in the direction of the Electronic Frontier Foundation’s primer on PGP.) After you save the changes, Facebook will email you the appropriate warnings and display a confirmation.
Wired’s Klint Finley reports that this is the latest of Facebook’s efforts to “shore up” its privacy and security credentials. Earlier in the year, it announced that it would help fund the development of GnuPG, an open-source implementation of the OpenPGP standard. It began encrypting all of its traffic in 2013, and last year added support for Tor. Despite the limitations of Facebook’s PGP implementation, privacy advocates say that it’s an important step toward improving security.
The feature could play the important role of getting more people to use PGP and spurring improvements in the range of tools that support the standard. Finley notes that even if only a thousandth of a percent of Facebook’s users end up using the feature, that would still mean that 15,000 new users will begin using PGP. And by adopting the standard, Facebook will make it more difficult for criminals to steal users’ credentials or read their messages, improving the security of Facebook and of the Internet overall.