Facebook Kills PGP-Encrypted Emails (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: In 2015, as part of the wave of encrypting all the things on the internet, encouraged by the Edward Snowden revelations, Facebook announced that it would allow users to receive encrypted emails from the company. Even at the time, this was a feature for the paranoid users. By turning on the feature, all emails sent from Facebook -- mostly notifications of "likes" and private messages -- to the users who opted-in would be encrypted with the decades-old technology called Pretty Good Privacy, or PGP. Eight years later, Facebook is killing the feature due to low usage, according to the company. The feature was deprecated Tuesday. Facebook declined to specify exactly how many users were still using the encrypted email feature.
  • So? (Score:5, Insightful)

    by dbialac ( 320955 ) on Tuesday December 05, 2023 @04:34PM (#64057915)
    What took so long? I would think anybody interested in privacy probably ditched Facebook a long time ago.
    • There's a difference between knowing you're ending up in some company's database, and knowing anyone on the internet can read your interactions with said company.

      For the longest time the greater concern was not that people were using Facebook or that marketing companies were involved, it was that the government wanted to snoop on what you liked and didn't like before granting people visas.

      People care about what impacts them. Someone showing me an advert is very frigging low on the list of things qualifying

    • by Sloppy ( 14984 )

      Privacy is half the value of PGP. The other half is about authentication: knowing who sent the email. It's arguably useful (within the hypothesis that Facebook is useful) to know that an email which claims to come from Facebook, actually came from Facebook.

      But wait .. about that privacy thing. I have no idea how a person decides to trust Facebook, but if we ass/u/me they do, then this allows Facebook and a person to communicate without others being able to read it. Lots of people choose (for whatever reason

      • Facebook isn't a person. Who knows which employees have access to that secret key? Since there's probably a huge number of them, it makes the risk of compromise higher too.
    • by AmiMoJo ( 196126 )

      Businesses use Facebook to advertise and interact with customers.

  • by VampireByte ( 447578 ) on Tuesday December 05, 2023 @04:35PM (#64057917)

    Sorry, but it's true, they just want free stuff and convenience. Start talking about privacy and rights, see how fast they start ignoring (and avoiding) you.

    • by Brain-Fu ( 1274756 ) on Tuesday December 05, 2023 @04:46PM (#64057975)

      People care about privacy when something like the Snowden revelations, or the Cambridge Analytica scandal, are making headlines. They get really mad at how they have been spied on and betrayed.

      But the very instant they must expend a modicum of effort towards protecting their privacy, they stop caring. They want their government and corporate providers to do all that for them and have it all be automatic so they don't have to think about it.

      And the next time something like this makes headlines, they will get really mad again that their government and/or corporate providers have been spying on them, and yell a lot about how wrong this is and how it should be fixed.

      And then go right back to doing nothing. It won't even occur to them that the people they expect to be protecting their privacy are the very people who have the most to gain from violating it. They find it a lot easier to just assume that someone else is handling it, and stop thinking about it.

      • Well said. I think all these partisans just hope that the abusive policies will all get directed at the other side. They fail to see how chipping away at privacy hurts everyone.
      • yep, they care for just as long as their attention span is on the problem, then two minutes later, they are focused on something new and shiny that has nothing to do with security and have forgotten
      • But the very instant they must expend a modicum of effort towards protecting their privacy, they stop caring.

        You're conflating all privacy as being equal. That's just not the case. People gave a shit about the Snowden revelations and the Cambridge Analytica scandal because it actually had the ability to affect them. On the flip side Facebook selling likes in some aggregated database to an advertisement company, doesn't qualify as something that most people give a shit about.

        It is perfectly reasonable to give one person some information but want to protect it from another. Incidentally this is why I have three pass

    • by LazarusQLong ( 5486838 ) on Tuesday December 05, 2023 @04:57PM (#64058001)

      When I did computer consulting people would ask me to 'secure' their computer. I'd make a list of tasks for them to do, things like using a VPN, using Brave, Duck Duck Go, or Tor, setting two factor authentication on everything they log into, using strong passwords, not clicking on links in emails from people they don't know, and would show them how to check the message headers so they could see that that email from Google telling them that their account was compromised and they need to "click here for a security upgrade" is really just a means to steal from you. Then I would set up their firewall and such and leave...

      The next time I would see maybe 90% of my clients, they'd have random spam popups and a shitload of trojans/viruses/worms... And would have turned off all the security settings I set for them. Asking why, they would say it was too much hassle, couldn't I just 'secure' it for them?

      Of course I would try to explain it to them again... but eyes glaze over after 30 seconds and they'd just act like I should be able to wave my magic wand and poof! they are safe.

      • Why would you recommend a VPN?

        Unless you're trying to hide your torrent box (and yes, that's a valid reason for one, but most home users don't do that much torrenting) or connecting to a business network, a VPN has no value for most users.

        All one of those stupid VPN services does is change who can sniff your traffic from your ISP to a VPN provider.

        I'm not a fan of Brave. I recommend Firefox with uBlock, Facebook Container, and if they're at all capable of handling it, NoScript. And DDG should be used as a

  • I used it (Score:4, Insightful)

    by WoodburyMan ( 1288090 ) on Tuesday December 05, 2023 @04:36PM (#64057923)

    I got the notification it was going away the other day. I liked it simply for the fact that if other MFA logins were bypassed, and they had access to my email, they still couldn't reset my password without my PGP key. One extra layer.

    • by Anonymous Coward

      Definitely makes sense, especially if one was all in on FB authentication for a bunch of other sites.
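The layer WoodburyMan describes above, modelled as an added example (not Facebook's code or format): the service encrypts the reset token to the public key the user enrolled, so reading the mailbox alone is not enough to use the reset link. X25519 with SHA-256 and AES-GCM are assumed stand-ins for PGP's own hybrid encryption; the token value is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// sealedToken is the payload the encrypted email carries (constructed layout, not a PGP packet).
type sealedToken struct{ ephemeralPub, nonce, ciphertext []byte }

// gcmFor derives an AEAD from the X25519 shared secret; SHA-256 and AES-GCM stand in for PGP's own key wrapping.
func gcmFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)    // AES block size: cannot fail
	return gcm
}

// sealResetToken runs on the service: only the holder of the private half of userPub (the enrolled key) can recover token.
func sealResetToken(userPub *ecdh.PublicKey, token []byte) (*sealedToken, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(userPub)
	if err != nil {
		return nil, err
	}
	gcm := gcmFor(shared)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &sealedToken{eph.PublicKey().Bytes(), nonce, gcm.Seal(nil, nonce, token, nil)}, nil
}

// openResetToken runs on the reader's device. Any other private key derives a
// different AEAD key and GCM's tag check fails: a mailbox-only attacker gets an error, not the token.
func openResetToken(priv *ecdh.PrivateKey, s *sealedToken) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(s.ephemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return gcmFor(shared).Open(nil, s.nonce, s.ciphertext, nil)
}
```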

  • by Murdoch5 ( 1563847 ) on Tuesday December 05, 2023 @05:06PM (#64058027)

    Facebook / Meta should be calling out other companies about not using PGP. PGP is an essential part of email security and identity validation. It's a fair statement to say that any company who won't offer the option to use PGP, and who doesn't sign their emails by default, does not care, even by accident, about cybersecurity.

    Every single bleeping company cries and waxes poetic about how much they "deeply" and "critically" care about security, but then have standards that amount to a broken screen door and stuck open window on their infrastructure. I don't care if you're dealing with the DoD, DoJ or Little Jane's Cookie Company, run by a 75-year-old woman as a sole venture. PGP is essential, and there is no excuse for not using it. If you don't use PGP, or another open comparable solution, you don't care about security, period!

    Maybe you have no idea how email works, and can't understand how SMS and Email are different, but that's where Facebook / Meta can get involved and throw shame on companies like Google and Microsoft. Why doesn't Outlook support PGP by default? Why doesn't GMail? Facebook / Meta shouldn't sunset PGP, they should make it a battle cry.
    • by dgatwood ( 11270 )

      Facebook / Meta should be calling out other companies about not using PGP. PGP is an essential part of email security and identity validation. It's a fair statement to say that any company who won't offer the option to use PGP, and who doesn't sign their emails by default, does not care, even by accident, about cybersecurity.

      Except that to avoid getting blocked as spam, Facebook/Meta already has to sign every email sent from their mail servers (Sender ID), which makes PGP mostly moot unless you are either A. using it to encrypt emails or B. using it to sign emails with an on-device mail client to prove that nobody cracked into the user's email account. Neither of those things likely applies to communication sent by Facebook.

      • by laktech ( 998064 )

        We're talking about security not spam.
        • by dgatwood ( 11270 )

          We're talking about security not spam.

          When the messages are being sent by a server process, there's likely to be zero difference in practice. Either the account on the server that sends the message is compromised (in which case the PGP key is also probably compromised) or it isn't.

          • Okay, but let's assume your coworker emails you, and that email isn't signed or encrypted, do you trust it by default? Of course you don't. Now assume a client of a partner emails you, and that email isn't signed, at what point is the chain hilariously insecure and dangerous?

            What about Microsoft emailing you about support, do you trust those? At what point do you trust email? Best practices already have you load the email client in a container or VM just to isolate it from the host. Email is the mos
      • No matter what or how you encrypt, you can't hide the sender or recipient for email to flow.

    • PGP is essential, and there is no excuse for not using it. If you don't use PGP, or another open comparable solution, you don't care about security, period!

      Phil Zimmermann, the man who created PGP, does not use PGP [scmagazine.com], or at least did not as of 2015, and had no way of encrypting or decrypting such email. He said at the time that he would try GPG, but it's not clear whether he ever did.

      A number of other privacy luminaries have stepped away from it, some doing so publicly. Moxie Marlinspike did so [moxie.org] in February 20

      • The arguments you're raising are due to complexity and annoyance, not blindness and incompetence. I honestly don't remember if PGP was hard to use in 2015, but in 2023 it's easy and the integrations make it mostly seamless. The only case I'm making is for email, because email is the most insecure point in almost any organization. Email is so insecure that best practices recommend running your email clients in separate VMs or containers, just to isolate them from your system.

        On this computer I have 3 Q
        • Email is so insecure that best practices recommend running your email clients in separate VMs or containers, just to isolate them from your system.

          Who is recommending this? I've been in security for nearly 20 years, and except for ultra-secure environments that 99.9% of users will never see, I've never seen such a suggestion. Further, almost no one is going to implement a VM just for their email client, and forget about an enterprise doing it to any real scale. There's just too much integration between programs for that to happen. They are especially not going to go the route of one VM for each account, and certainly not going to run Qubes.

          • Right, and because essentially zero companies take email security seriously, we commonly get to read about company X being hacked or having a data breach, because of an email. It's really simple, you either take email security seriously, or, when you get hacked because your email standards are crap, everyone laughs at you.

            Of course a simple workaround that is solid AF, PGP, because then you can verify and validate who is who. If person X from department Y sends me an email, I can look that up and verif
            • I greatly respect the work that Joanna Rutkowska put into Qubes, and what her team did when she stepped away from it. But it's not usable as an enterprise platform. It doesn't fit into any remote administration tools that are out there (at least as far as I am aware), and that's a key part of getting enterprises to accept it. Another important thing is, who provides support if something breaks? There was a plan in 2016 to provide commercial support, but I don't believe that ever took off. There are a few sm

      • by bwalzer ( 708512 )

        All of them prefer Signal, which has its issues (particularly being tied to a phone number, which is both a strength and a weakness) but which is far, far easier to use,...

        Usability is a huge issue for encrypted messaging. PGP is included here. Unfortunately, so is Signal. In a usability study involving Signal[1], 21 out of 28 computer science students failed to establish and maintain a secure end to end encrypted connection. The problem was with identity verification.

        ...and is probably more secure than PGP/GPG will ever be.

        Related to the Signal usability issue related to identity verification, Signal cheerfully allows a user to do messaging without any such verification at all. So that means that Signal, Twilio (the entity that do

        • PGP insists that someone signs the identity, not you specifically. I can create and upload a PGP key with your address to a key server and, unless you're monitoring for that, you would never know. If I can intercept your email traffic selectively, then since it's signed, it must be you, right? How many people contact their intended recipient to validate the fingerprint? How many of them know to do that, and of them, how many of them know how to reasonably securely contact you to validate that it's the right

  • I reckon that the Venn diagram of Facebook users and people interested in privacy would consist of two separate circles...
  • OK, I tried it for a few days after decades of avoiding it. I felt dirty.....

  • I didn't know FB allowed encrypted emails. Perhaps the usage was low because the deployment occurred in such a way that ensured its failure ?

  • So why would you need encryption for anything anymore?

  • If you still use Facebook, you don't give a fuck about security or privacy.

    • I do and I do. I don't have security or privacy concerns because the data that Facebook have on me is either entirely non-consequential, or wrong, usually both.
    • Ending up in some aggregated database to sell me ads is different from random people intercepting my data. Privacy is not absolute. Yes there are people who don't give a fuck about Facebook, but do for example want to not have the US Immigration department knowing they follow North Korean groups on it.

  • What is fasebook? I never heard of it
