This week, Facebook unexpectedly announced that it will optionally encrypt all emails sent to users with OpenPGP, and list users’ PGP public keys on their profiles. I don’t think anyone would have seen this coming.
In doing so, Facebook has not only worked around the problem of its notification emails not being encrypted (unlike when you browse facebook.com through a web browser or its app), but has also effectively become one of the largest global directories of PGP public keys.
To enable PGP encryption, you’ll first need to edit your profile and then copy and paste your public key into the relevant field. Provided your key is okay (i.e. not expired, revoked or set to expire within the next 30 days), Facebook will accept it. You can then tick a box to tell Facebook to use your public key to encrypt all its emails to you, such as when you’re tagged in a photo or someone posts a new comment on one of your posts.
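The acceptance rule above (reject keys that are revoked, expired, or due to expire within 30 days) is easy to apply to your own keyring before you paste a key in. The following is an added example, not code from the post or from Facebook: it parses the primary-key (`pub`) records of GnuPG’s `gpg --list-keys --with-colons` output, assuming the modern format where field 2 is the validity flag (`r` revoked, `e` expired) and field 7 is the expiry time as a Unix timestamp. The listing embedded below is constructed sample data.

```python
import time

THIRTY_DAYS = 30 * 24 * 60 * 60

# Constructed sample of `gpg --list-keys --with-colons` output (not real keys).
# Field 2 is validity ('r' = revoked, 'e' = expired), field 7 is expiry (epoch seconds, empty = never).
SAMPLE_LISTING = """\
tr:::1:1700000000:0:
pub:u:4096:1:0123456789ABCDEF:1600000000:1800000000::u:::scESC::::::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <alice@example.invalid>::::::::::0:
pub:r:2048:1:FEDCBA9876543210:1500000000:::u:::scESC::::::23::0:
pub:e:2048:1:1111111111111111:1400000000:1600000000::u:::scESC::::::23::0:
pub:u:4096:1:2222222222222222:1690000000:1701000000::u:::scESC::::::23::0:
"""


def parse_pub_records(listing):
    """Yield (keyid, validity, expiry) for each primary-key 'pub' record."""
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue
        expiry = int(fields[6]) if fields[6] else None  # None means no expiry set
        yield fields[4], fields[1], expiry


def check_key(validity, expiry, now, grace=THIRTY_DAYS):
    """Apply the rule the post describes; return (accepted, reason)."""
    if validity == "r":
        return False, "revoked"
    if validity == "e" or (expiry is not None and expiry <= now):
        return False, "expired"
    if expiry is not None and expiry - now < grace:
        return False, "expires within 30 days"
    return True, "ok"


def vet_listing(listing, now=None):
    """Map each primary key ID in the listing to its acceptance verdict."""
    now = int(time.time()) if now is None else now
    return {keyid: check_key(v, e, now) for keyid, v, e in parse_pub_records(listing)}


if __name__ == "__main__":
    for keyid, (ok, reason) in vet_listing(SAMPLE_LISTING, now=1700000000).items():
        print(f"{keyid}: {'accept' if ok else 'reject'} ({reason})")
```

On a real machine, pipe `gpg --list-keys --with-colons` into `vet_listing` instead of the sample; a key rejected here would also be rejected by Facebook’s stated checks.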
Of course, you’ll need an OpenPGP-compatible email program, and most aren’t compatible, at least by default. On Macs, Airmail 2 has an official plugin (my review here), Enigmail is a well-established addon for Mozilla Thunderbird, and GPGTools includes a plugin for the Mac Mail client. iPGMail is a £1.49 iOS app that I haven’t yet tried myself. On Windows, GPG4Win is a complete toolkit. Webmail users may struggle, but there’s at least one Chrome extension for Gmail.
Airmail 2 seemed to handle Facebook’s encrypted emails well; once decrypted, they worked like normal messages with HTML code intact.
How popular this feature will be remains to be seen. PGP still has a rather large barrier to entry, in terms of its overall complexity. Few people use Symantec’s official PGP software, and GnuPG, the compatible open-source project, is mainly based around a command line client with some third-party graphical front-ends. Whilst I’m comfortable using it, I speak from the point of view of someone who has studied a postgraduate diploma qualification in computer security and cryptography. I couldn’t see my wife using PGP, for example. There’s a little more in this blog post that I found on the topic.
And there’s the question about how secure Facebook’s systems are, in light of Edward Snowden’s allegations about the NSA. If they have access to Facebook’s private key for signing these emails, then perhaps they would have the capability to decrypt emails in transit.
Plus, as Facebook warns, if you lose access to both your Facebook and PGP passwords, then you may struggle to regain control of your Facebook account.
So whilst I’m pleased that Facebook has introduced PGP support, I do wonder just how many people will bother enabling it. As always, my PGP public key is available here.