Facebook Beats Google And Yahoo To PGP-Encrypted Email

Last year, Google announced the End-to-End project, which was meant to create a browser extension that can allow users to securely send end-to-end PGP-encrypted email to each other. Soon after, Yahoo announced that it will also support the project and will integrate it within its own email service once it is finished.

New cryptographic systems take years to develop and test properly, but it seems Facebook has just beaten Google and Yahoo to the punch by adopting PGP-encrypted email sooner. Technically, Yahoo has already launched its PGP plugin, but it's not available to the public at large yet. Unlike Google and Yahoo, Facebook isn't actually offering a client here, but it is the first major tech company to adopt PGP in such a big way for its users.

Facebook announced that its users can now add their PGP public keys to their profiles, which should make discovery of people who use PGP much easier. Emailing them will still depend on using your own PGP client, such as GNU Privacy Guard (GPG) or Whiteout. That also means that there's no way for Facebook to intercept those messages in an unencrypted form.

Facebook will also start encrypting the notifications it sends to users via email. Facebook itself will be able to see these messages because it is the one encrypting them "end to end" (from Facebook to the user). The main purpose of this wouldn't be to protect the notifications from Facebook itself, but to protect users against phishing emails (where sites impersonate Facebook).

Because the notifications can only be read by Facebook and the user receiving them, it would mean that email companies such as Google can't data mine that information. This is probably another reason why Facebook thought it would be a good idea to implement end-to-end encryption between itself and its users.

Ultimately, this should make PGP a little more popular, especially after Google and Yahoo roll out their own implementations. Increasing PGP adoption means that more people will end up using end-to-end encrypted email even if it will still be too much of a hassle for most people to take advantage of it.

Despite still being one of the companies that collects the most data about us, Facebook has taken some positive steps to increase the security and privacy (from other entities) of its users lately.

It has enabled HTTPS on its site with HSTS protection, it has provided a Tor onion site for its service for those who want to have anonymous profiles on Facebook, and it has enabled STARTTLS encryption for emails going from its own datacenters to other email companies.

If Facebook adopted end-to-end encryption for chat, voice and video messages in Facebook Messenger and WhatsApp, it could start earning even more goodwill with those who are more privacy conscious and also the most vocal about Facebook's privacy intrusions.

WhatsApp supposedly already uses end-to-end encryption, but only for chat, not voice, and only between the Android clients. It also doesn't support authentication, and it hasn't been officially confirmed by the company yet. Therefore, it's still nowhere near as secure an app as the open source Signal, for instance, which is made by the creators of WhatsApp's end-to-end encryption protocol.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Dylan Orr
    End to end encryption on an already publicly known compromised source is kinda false security. Seamless end to end encryption 'should be' essential for modern day mainstream internet use, however you still have to keep in mind the source. If the source housing the keys is compromised, the encryption is pointless. As with 95% of all failed 'security' attempts by people, specifically encryption, its implementation and use radically changes the actual security benefit from something. In this case with Facebook, it's quite obviously just security theater, with the apparent benefit of being 'more secure' while the root problem, being Facebook is the issue, probably not the encryption. If such things were truly encrypted in such a way that Facebook couldn't view/distribute its own content, it would probably bankrupt within a couple years. Facebook is a business; and its financial holdings is the content its users personally provide.

    Mark Zuckerberg: They "trust me"

    Mark Zuckerberg: Dumb fucks.

    Quoted from the CEO/founder of Facebook in a private chat May 13, 2010.

    I'll pass.

    My thoughts; Not yours.