New encryption or not: you still have to watch what you say on Facebook
It’s very important to us that the people who use Facebook feel safe and can trust that their connection to Facebook is secure; for instance this is why we run connections to our site over HTTPS with HSTS and why we provide a Tor onion site for people who want to enjoy security guarantees beyond those offered by HTTPS.
I don’t know what a Tor onion site is and I don’t know what HSTS stands for, but it sounds like Facebook is working hard to keep our data safe. Which is kind of odd considering the fact that the social network uses just about everything we say and do on the site to line us up with the right advertisers.
But that’s a question for another day. Today, we’re here to talk about a whole new level of Facebook security; encrypted emails. All of the standards Facebook mentioned in that first paragraph only come in to play when you’re actually exchanging information within the Facebook framework. When you get an email from someone via Facebook, those safe guards don’t apply. To secure that line of communication, you need Pretty Good Privacy encryption.
Silly name, right? Sounds like a form of encryption that is only so-so at keeping you safe. Turns out it’s called that because the creator had a fondness for Garrison Keillor’s Lake Wobegon where you’ll find “Ralph’s Pretty Good Grocery”. (According to Wikipedia, the first version of this code was called BassOmatic.)
Despite the whimsical name, Pretty Good Privacy, or PGP for short, is actually a pretty tight security system for email. It works with a duo of encryption keys. One you make public, the other you keep private. When someone sends you a secure email, they send it using your personal public key, then you decode it using your private key. Very cloak and dagger.
The system is designed to insure that only the intended party can open and read the email. So no spying eyes; hacker, government or snoopy spouse.
Facebook wants in on this and is now rolling out the ability to include your OpenPGP public key in your profile.
This might sound very tempting but there are a couple of problems with this system. First of all, for it to work, the person who sends you the email has to know how to use the encryption key. Unless you’re dealing with very tech savvy or very paranoid people, the percentage of educated users is going to be low.
Even if you get past that, there’s a big issue; trust.
Facebook is rolling out these security options so you’ll trust them with your words and images. But what happens when you feel secure? You let your guard down and suddenly that private complaint you wrote about a company investor has 543 reTweets on Twitter.
Total security on a public website is a myth. Not because of glitches in the security layer but because people are people. If you get used to using the PGP encryption key with your partner, you may forget that your CFO doesn’t use it and suddenly his angry ex-wife is forwarding your private, financial conversations to the IRS.
Also note that if you lose your private decryption key, you won’t be able to read any encrypted emails, including recovery emails from Facebook. Do you want to bet your entire Facebook history on your ability to keep that code somewhere safe?
Law enforcement agencies and the governments of both the US and the UK aren’t happy about this new level of encryption. There are concerns that unless Facebook builds in a backdoor, terrorists will be able to converse online without fear of being discovered. Internet security experts say that building any kind of a backdoor would defeat the purpose of encrypting emails in the first place.
Bottom line for businesses; you may have the right to privacy and the expectation of privacy but you should never post anything to Facebook that must be kept private.
What’s more secure that PGP? Try TBP, aka. Think Before Posting.
