By Tom Lowenthal, CPJ Staff Technologist
On June 1, Facebook announced on its blog a new set of features adding support for the PGP email encryption system. The changes allow users to post their public email encryption key to their Facebook profile, inviting others to encrypt future emails. In a move that significantly bolsters security, it is also now possible to request that all email notifications from Facebook be encrypted with a user's public key.
This experimental new option comes just months after the social networking site introduced another security feature: making Facebook accessible via a Tor onion service. The experimental Tor access point was introduced in October last year and makes it markedly easier for users of the widely used anonymity tool to access the site.
Facebook profiles now have a field for PGP public keys--just like for phone numbers or email addresses. Uploaded keys can be shared as widely or narrowly as desired, just like other information on a Facebook profile. For journalists who use Facebook to connect with sources and disseminate, share, and comment on news, their profile will now indicate that they are available for encrypted emails. The new feature will also make it easier to securely contact potential sources.
Demonstrating proficiency with secure communications off the bat could make all the difference for the next big story. As Laura Poitras' Academy-Award-winning documentary CITIZENFOUR, about U.S. whistleblower Edward Snowden, revealed, the ability to communicate securely can make the difference between the story of a lifetime and a source simply passing you by. Snowden initially approached Glenn Greenwald with his trove of surveillance-related documents. When Greenwald wasn't available via secure channels such as PGP, Snowden took his story to Poitras.
The second part of Facebook's new feature allows the site to encrypt email notifications. Facebook already protects outbound email notifications using the STARTTLS standard. STARTTLS is a server-to-server encryption system: It protects messages being sent from Facebook to an email provider (like Gmail or Yahoo), but the provider still has the unencrypted notification. PGP is an end-to-end encryption system: The message delivered to the email provider just looks like gibberish. The only way to decode the message is with the recipient's PGP private key.
For journalists and other vulnerable groups, end-to-end encryption is the gold standard. Email providers can be hacked or coerced. End-to-end encryption ensures that nobody can access sensitive messages without the private key.
This is a solid step by Facebook and one that CPJ recommends for any online service provider. For anyone sending out notification emails, STARTTLS encryption is the bare minimum. Offering PGP encryption is a step beyond that--giving peace of mind to those using a provider's service.
PGP is the prevailing encryption standard for email, but Facebook--and other online services--also send text messages and other notifications. Text messages are often used for important two-factor-authentication codes: Protecting them with robust encryption would materially improve the security of such systems. SMS-encryption tools Signal and Textsecure, which are developed by Open Whisper Systems, an open software development team, are endorsed by U.S. whistleblower Edward Snowden and cryptographer Matt Green. Their open-source protocol would be an excellent way to protect the near-limitless stream of notifications from any online service.
Note: CPJ Staff Technologist Tom Lowenthal assisted Facebook in testing and planning the PGP encryption features prior to their launch.