Facebook announced today that the company will let users upload their OpenPGP public keys to the site. This way, the company can encrypt the emails that it sends to its users.
When one of the world’s most-visited websites adds encryption capabilities, that’s normally a cause for applause. But on second thought, there’s very little here that makes Facebook’s users better off.
This change does nothing to protect you from Facebook’s surveillance. The site’s working principle is to maximise the amount of data it sucks in about its users. And it’s not just the site: Through its ubiquitous “Like” buttons and similar tools, Facebook follows you wherever you go on the web, and builds up a detailed profile of your behaviour.
The company then does with its users what the banks did in the years leading up to the 2008 financial crisis: Slice them into ever-finer demographics, parcel them up, and sell them to advertisers. Whether they send their emails to you encrypted, in plain text, by coach or by carrier pigeon doesn’t make any difference.
Adding encryption to the channel between you and Facebook also does very little to protect you from government surveillance. While state actors, and other people tapping your line, might not be able to read the contents of the messages, they have full access to the subject line and the metadata (who sent the message, who received it, when, and so forth). If the US government is in any way interested in what you’re doing on the site, they only need to ask. The same goes for any other government with which, in order to be allowed to operate, Facebook has cut a deal to rat out its users, such as China.
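To make the metadata point concrete, here is an added example (not part of the original post, and not Facebook's code) that parses a PGP/MIME (RFC 3156) message and separates what stays outside the OpenPGP envelope from what is inside it. The sample message, its addresses, subject and placeholder ciphertext are all constructed for illustration.

```python
from email import message_from_string

# Constructed sample (RFC 3156 PGP/MIME). Addresses, subject and the armored
# body are placeholders made up for this example, not real ciphertext.
SAMPLE = """\
Received: from mta.example.net by mx.example.org; Mon, 01 Jun 2015 10:00:00 +0000
From: notifications@social.example
To: alice@example.org
Subject: Bob commented on your photo
Date: Mon, 01 Jun 2015 10:00:00 +0000
Message-ID: <constructed-1@social.example>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

PLACEHOLDERCIPHERTEXT
-----END PGP MESSAGE-----

--b1--
"""

METADATA = ("From", "To", "Subject", "Date", "Message-ID")

def observer_view(raw):
    """Split a PGP/MIME message into cleartext metadata and the encrypted part."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/encrypted"
            or msg.get_param("protocol") != "application/pgp-encrypted"):
        raise ValueError("not a PGP/MIME encrypted message")
    parts = msg.get_payload()
    if len(parts) != 2 or parts[1].get_content_type() != "application/octet-stream":
        raise ValueError("malformed multipart/encrypted structure")
    armored = parts[1].get_payload()
    return {
        "cleartext_headers": {h: msg[h] for h in METADATA if msg[h] is not None},
        "relay_hops": msg.get_all("Received", []),  # routing trail, also in the clear
        "ciphertext_chars": len(armored),           # message size is visible too
        "armored": armored,                         # the only encrypted portion
    }
```

Only the second MIME part is encrypted; every header above it, including the subject, is carried as ordinary text.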
This step doesn’t even really have the benefit of getting more people to use end-to-end encryption. I’d be very surprised if anyone decided to start using GnuPG or similar tools because of this; Facebook provides no real motivation to do so.
The only benefit for users from this step is that things like password reset messages are now better protected from interception. This will somewhat reduce the risk of identity theft via Facebook, though of course it won’t prevent it from happening. Still, this may somewhat reduce disruptions to Facebook’s business. If we let the company get away with it, they might even succeed with their message of “we’re using crypto, so we’re the good guys”.
This isn’t a step to make you better off. It’s a step to make Facebook better off.