Facebook Kills PGP-Encrypted Emails (techcrunch.com) 37
An anonymous reader quotes a report from TechCrunch: In 2015, as part of the wave of encrypting all the things on the internet, encouraged by the Edward Snowden revelations, Facebook announced that it would allow users to receive encrypted emails from the company. Even at the time, this was a feature for the paranoid users. By turning on the feature, all emails sent from Facebook -- mostly notifications of "likes" and private messages -- to the users who opted-in would be encrypted with the decades-old technology called Pretty Good Privacy, or PGP. Eight years later, Facebook is killing the feature due to low usage, according to the company. The feature was deprecated Tuesday. Facebook declined to specify exactly how many users were still using the encrypted email feature.
So? (Score:5, Insightful)
Re: (Score:2)
There's a difference between knowing you're ending up in some company's database, and knowing anyone on the internet can read your interactions with said company.
For the longest time the greater concern was not that people were using Facebook or that marketing companies were involved, it was that the government wanted to snoop on what you liked and didn't like before granting people visas.
People care about what impacts them. Someone showing me an advert is very frigging low on the list of things qualifying
Re: (Score:2)
Privacy is half the value of PGP. The other half is about authentication: knowing who sent the email. It's arguably useful (within the hypothesis that Facebook is useful) to know that an email which claims to come from Facebook, actually came from Facebook.
But wait .. about that privacy thing. I have no idea how a person decides to trust Facebook, but if we ass/u/me they do, then this allows Facebook and a person to communicate without others being able to read it. Lots of people choose (for whatever reason
Re: (Score:2)
Re: (Score:2)
Businesses use Facebook to advertise and interact with customers.
People don't care about privacy (Score:3)
Sorry, but it's true, they just want free stuff and convenience. Start talking about privacy and rights, see how fast they start ignoring (and avoiding) you.
Re:People don't care about privacy (Score:5, Insightful)
People care about privacy when something like the Snowden revelations, or the Cambridge Analytica scandal, are making headlines. They get really mad at how they have been spied on and betrayed.
But the very instant they must expend a modicum of effort towards protecting their privacy, they stop caring. They want their government and corporate providers to do all that for them and have it all be automatic so they don't have to think about it.
And the next time something like this makes headlines, they will get really mad again that their government and/or corporate providers have been spying on them, and yell a lot about how wrong this is and how it should be fixed.
And then go right back to doing nothing. It won't even occur to them that the people they expect to be protecting their privacy are the very people who have the most to gain from violating it. They find it a lot easier to just assume that someone else is handling it, and stop thinking about it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
But the very instant they must expend a modicum of effort towards protecting their privacy, they stop caring.
You're conflating all privacy as being equal. That's just not the case. People gave a shit about the Snowden revelations and the Cambridge Analytica scandal because it actually had the ability to affect them. On the flip side Facebook selling likes in some aggregated database to an advertisement company, doesn't qualify as something that most people give a shit about.
It is perfectly reasonable to give one person some information but want to protect it from another. Incidentally this is why I have three pass
Re:People don't care about privacy (Score:5, Interesting)
The next time I would see maybe 90% of my clients, they'd have random spam popups and a shitload of trojans/viruses/worms... And would have turned off all the security settings i set for them. Asking why, they would say it was too much hassle, couldn't I just 'secure' it for them?
Of course I would try to explain it to them again... but eyes glaze over after 30 seconds and they'd just act like i should be able to wave my magic wand and poof! they are safe.
Re: (Score:2)
Why would you recommend a VPN?
Unless you're trying to hide your torrent box (and yes, that's a valid reason for one, but most home users don't do that much torrenting) or connecting to a business network, a VPN has no value for most users.
All one of those stupid VPN services does is change who can sniff your traffic from your ISP to a VPN provider.
I'm not a fan of Brave. I recommend Firefox with uBlock, Facebook Container, and if they're at all capable of handling it, NoScript. And DDG should be used as a
I used it (Score:4, Insightful)
I got the notification it was going away the other day. I liked it simply for the fact if other MFA logins were bypassed, and they had access to my email, they still couldn't reset my password without my PGP key. One extra layer.
Re: (Score:1)
Definitely makes sense, especially if one was all in on FB authentication for a bunch of other sites.
Thie is the wrong move! (Score:4)
Every single bleeping company cries and waxes poetic about how much they “deeply” and “critically” care about security, but then have standards that amount to a broken screen door and stuck open window on their infrastructure. I don't care if you're dealing with the DoD, DoJ or Little Jane's Cookie Company, ran by the 75-year-old woman as a sole venture. PGP is essential, and there is no excuse for not using it. If you don't use PGP, or another open comparable solution, you don't care about security, period!
Maybe you have no idea how email works, and can't understand how SMS and Email are different, but that's where Facebook / Meta can get involve and throw shame on companies like Google and Microsoft. Why doesn't Outlook support PGP by default? Why doesn't GMail? Facebook / Meta shouldn't sunset PGP, they should make it a battle cry.
Re: (Score:3)
Facebook / Meta, should be calling out other companies about not using PGP. PGP is an essential part of email security and identity validation. It's a fair statement to say that any company who won't offer the option to use PGP, and who doesn't sign their emails by default, does not care, even by accident, about cybersecurity.
Except that to avoid getting blocked as spam, Facebook/Meta already has to sign every email sent from their mail servers (Sender ID), which makes PGP mostly moot unless you are either A. using it to encrypt emails or B. using it to sign emails with an on-device mail client to prove that nobody cracked into the user's email account. Neither of those things likely applies to communication sent by Facebook.
Re: (Score:2)
Re: (Score:3)
We're talking about security not spam.
When the messages are being sent by a server process, there's likely to be zero difference in practice. Either the account on the server that sends the message is compromised (in which case the PGP key is also probably compromised) or it isn't.
Re: (Score:2)
What about Microsoft emailing you about support, do you trust those? At what point do you trust email? Best practices already have you load the email client in a container or VM just to isolate it from the host. Email is the mos
Re: (Score:2)
No matter what or how you encrypt, you can't hide the sender or recipient for email to flow.
Re: (Score:3)
Phil Zimmermann, the man who created PGP, does not use PGP [scmagazine.com], or at least did not as of 2015, and had no way of encrypting or decrypting such email. He said at the time that he would try GPG, but it's not clear whether he ever did.
A number of other privacy luminaries have stepped away from it, some doing so publicly. Moxie Marlinspike did so [moxie.org] in February 20
Re: (Score:2)
On this computer I have 3 Q
Re: (Score:2)
Email is so insecure that best practices recommend running your email clients in separate VM's or Containers, just to isolate them from your system.
Who is recommending this? I've been in security for nearly 20 years, and except for ultra-secure environments that 99.9% of users will never see, I've never seen such a suggestion. Further, almost no one is going to implement a VM just for their email client, and forget about an enterprise doing it to any real scale. There's just too much integration between programs for that to happen. They are especially not going to go the route of one VM for each account, and certainly not going to run Qubes.
Re: (Score:2)
Of course a simple workaround that is solid AF, PGP, because then you can verify and validate who is who. If person X from department Y sends me an email, I can look that up and verif
Re: (Score:2)
I greatly respect the work that Joanna Rutkowska put into Qubes, and what her team did when she stepped away from it. But it's not usable as an enterprise platform. It doesn't fit into any remote administration tools that are out there (at least as far as I am aware), and that's a key part of getting enterprises to accept it. Another important thing is, who provides support if something breaks? There was a plan in 2016 to provide commercial support, but I don't believe that ever took off. There are a few sm
Re: (Score:1)
All of them prefer Signal, which has its issues (particularly being tied to a phone number, which is both a strength and a weakness) but which is far, far easier to use,...
Usability is a huge issue for encrypted messaging. PGP is included here. Unfortunately, so is Signal. In a usability study involving Signal[1], 21 out of 28 computer science students failed to establish and maintain a secure end to end encrypted connection. The problem was with identity verification.
...and is probably more secure than PGP/GPG will ever be.
Related to the Signal usability issue related to identity verification, Signal cheerfully allows a user to do messaging without any such verification at all. So that means that Signal, Twilo (the entity that do
Re: (Score:2)
PGP insists that someone signs the identity, not you specifically. I can create and upload a PGP key with your address to a key server and, unless you're monitoring for that, you would never know. If I can intercept your email traffic selectively, then since it's signed, it must be you, right? How many people contact their intended recipient to validate the fingerprint? How many of them know to do that, and of them, how many of them know how to reasonably securely contact you to validate that it's the right
Facebook and privacy (Score:1)
Never used Facebook.... (Score:1)
OK, I tried it for a few days after decades of avoiding it. I felt dirty.....
First I am hearing of this (Score:2)
I didn't know FB allowed encrypted emails. Perhaps the usage was low because the deployment occurred in such a way that ensured its failure ?
Re: First I am hearing of this (Score:1)
ChatGPT already knows everything about you (Score:2)
So why would you need encryption for anything anymore?
Re: (Score:3)
Makes sense (Score:2)
If you still use Facebook, you don't give a fuck about security or privacy.
Re: Makes sense (Score:1)
Re: (Score:2)
Ending up in some aggregated database to sell me ads is different from random people intercepting my data. Privacy is not absolute. Yes there are people who don't give a fuck about Facebook, but do for example want to not have the US Immigration department knowing they follow North Korean groups on it.
Facebuk? (Score:2)
What is fasebook? I never heard of it