Facebook has announced an experimental implementation of PGP, the cryptographic encryption and authentication tool used by Edward Snowden, across its social media empire.
Pretty Good Privacy
The Silicon Valley giant announced the new feature on its security blog. It gives users a specific place to publish their PGP keys on their Facebook profile. In addition, users can request that all notifications and sensitive emails be encrypted using Facebook’s publicly posted PGP key.
PGP stands for 'Pretty Good Privacy' and it is a public-private key pair cryptographic technology, similar to Bitcoin's, that has been praised by security experts for over 25 years. The PGP standard was used by Snowden to coordinate the release of the top secret international surveillance documents with Glenn Greenwald and Laura Poitras, back in 2013.
PGP allows not only end-to-end encryption of emails, but also authentication of the sender, meaning that you can be fairly certain that the sender is indeed who they claim to be, since they need their own private key to sign the communications. If someone steals your private key, you can (assuming you have another copy) publicly denounce the associated public key or “certificate” as void.
This is particularly important since Facebook servers were reportedly being impersonated by the NSA in order to infect targets with malware. The use of PGP-secured emails prevents this impersonation by attackers, though it’s not perfect.
Other protocols such as Off-The-Record encrypt each communication with a new key, so that even if one key is compromised, the rest of your communications cannot be decrypted and then used against you with cryptographic certainty.
PGP, however, is renowned not only for its security but also for how difficult it is to use. So much so that Greenwald admitted in his book (Nowhere-to-hide) that he avoided setting up his private and public keys for months and struggled with Snowden's tailored tutorial, which almost lost Greenwald the story.
Nevertheless, the proper implementation of PGP is perhaps the gold standard of peer-to-peer encrypted email.
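An added illustration (not from the original article, and not PGP's or OTR's actual code) of the per-message-key property described above, compared with one long-term key. A one-way hash ratchet stands in for OTR's key renewal and a toy HMAC-based cipher stands in for real encryption; all names, keys and messages are constructed for the example.

```python
import hashlib
import hmac

MESSAGES = [b"meet at noon", b"bring the files", b"side door", b"all clear"]  # constructed

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step: knowing the output does not reveal `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()

def seal(key: bytes, msg: bytes) -> bytes:
    """Toy encrypt-then-MAC for messages up to 32 bytes (illustration only)."""
    if len(msg) > 32:
        raise ValueError("toy cipher handles at most 32 bytes")
    body = bytes(m ^ s for m, s in zip(msg, kdf(key, b"enc")))
    return body + hmac.new(kdf(key, b"mac"), body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if `key` is not the key that sealed it."""
    body, tag = blob[:-32], blob[-32:]
    want = hmac.new(kdf(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return bytes(c ^ s for c, s in zip(body, kdf(key, b"enc")))

def send_ratcheted(root: bytes, msgs, seized_after: int):
    """Seal each message under a fresh key. Also return the chain state the
    device holds after `seized_after` messages (older states are overwritten)."""
    chain, out, seized = root, [], None
    for i, m in enumerate(msgs):
        if i == seized_after:
            seized = chain
        out.append(seal(kdf(chain, b"msg"), m))
        chain = kdf(chain, b"next")
    return out, seized or chain

def attacker_reads(seized: bytes, blobs, ratcheted: bool):
    """Indexes of the messages that can be decrypted from the seized secret."""
    keys, chain = [seized], seized
    if ratcheted:  # the chain can only be walked forward from the seized state
        keys = []
        for _ in blobs:
            keys.append(kdf(chain, b"msg"))
            chain = kdf(chain, b"next")
    return [i for i, b in enumerate(blobs)
            if any(unseal(k, b) is not None for k in keys)]

def demo():
    # Long-term key (PGP-style) versus per-message keys, seized after 2 messages.
    static = [seal(b"L" * 32, m) for m in MESSAGES]
    ratcheted, seized = send_ratcheted(b"R" * 32, MESSAGES, 2)
    return attacker_reads(b"L" * 32, static, False), attacker_reads(seized, ratcheted, True)
```

With the long-term key, every message is exposed; with per-message keys, the two messages sent before the seizure stay unreadable. A hash ratchet alone protects only earlier messages, which is why OTR also negotiates fresh keys during the conversation.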
Tech giants and the privacy crowd
And Facebook is not alone in its move towards PGP. Google and Yahoo are also working on implementations, one of them to come as a Chrome extension.
Facebook's move comes amidst a turbulent international debate on privacy spawned by the Snowden leaks, which has led to massive market pressure on US tech companies to the tune of up to US$180 billion in projected losses of revenue, or about 25% of their market, according to a report by Forrester.
Tech giants such as Google, Facebook, and Yahoo, among others, have reportedly stepped up their security game, including implementing SSL and HTTPS connections between themselves and users and between their own servers. Facebook's move towards PGP, however, suggests a future where end-to-end communications on major social media may be encrypted, though we are far from there yet.
While users will be able to find each other's PGP keys on their friends' profile pages, a very useful option, they will still need to set up the special software needed with their email providers. In other words, it will be difficult and many are unlikely to do it. Nevertheless, as security researcher Eleanor Saitta points out in a Wired interview:
“Even if only a thousandth of a percent of Facebook’s users end up using it [...] that’s still 15,000 people.”
Imagine, however, if PGP came as a default in Facebook's chat feature, or Skype's. Or if the social network's privacy was enforced through the sharing of specific public keys with your friends, ensuring that only they could read your public posts. That is the kind of world we need if we really want to stop mass Internet surveillance.
Until then, Facebook -- which has been widely criticized as a corporate arm of the US intelligence industry -- could continue to be seen as playing a game of public relations, appeasing the privacy crowd with a relatively small step towards end-to-end encryption.
To top it off, Facebook faces a much greater challenge in the face of the market's demands for privacy, given that its business model as an advertisement delivery platform operates around its ability to access your personal information.
Similar to Google, trying to turn an advertising empire - whose business model is based on data mining and surveillance - into a privacy-centric communications platform is like trying to turn water into wine: it's going to take a miracle.
In the meantime, here are some excellent guides on 'Surveillance Self Defense', including one on how to get set up with PGP, brought to us by the EFF.