Steve Weis and Zac Morris, software engineers for the Facebook Security team in Menlo Park, Calif., and Jon Millican, software engineer for security infrastructure at the social network’s London office, explained the reasoning behind the move in a note on the Protect the Graph page:
It’s very important to us that the people who use Facebook feel safe and can trust that their connection to Facebook is secure; for instance, this is why we run connections to our site over HTTPS with HSTS and why we provide a Tor onion site for people who want to enjoy security guarantees beyond those offered by HTTPS.
However, these technologies protect only the direct connections people make to Facebook. People also receive information from us over channels such as email. Whilst Facebook seeks to secure connections to your email provider with TLS, the stored content of those messages may be accessible as plain text (with attachments) to anyone who accesses your email provider or email account.
Weis, Morris and Millican also offered the following instructions for users who are interested in encrypting their emails from Facebook:
To enhance the privacy of this email content, today we are gradually rolling out an experimental new feature that enables people to add OpenPGP public keys to their profiles; these keys can be used to “end-to-end” encrypt notification emails sent from Facebook to your preferred email accounts. People may also choose to share OpenPGP keys from their profile, with or without enabling encrypted notifications.
You will be able to update your own public key, using a desktop browser, at https://www.facebook.com/me/about?section=contact-info.
Where encrypted notifications are enabled, Facebook will sign outbound messages using our own key to provide greater assurance that the contents of inbound emails are genuine.
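As an added example, not part of Facebook’s note or this article, the following Python check lets a recipient confirm that a notification actually arrived encrypted rather than as plain text. It assumes the encrypted notifications use the PGP/MIME layout of RFC 3156 (a multipart/encrypted wrapper around an ASCII-armored OpenPGP message); the sample messages are constructed and the ciphertext is a placeholder.

```python
import email
from email import policy

def _text(part) -> str:
    """Decoded body of a leaf MIME part, as text."""
    return (part.get_payload(decode=True) or b"").decode("ascii", "replace")

def classify_notification(raw: bytes) -> str:
    """Return 'encrypted', 'signed' or 'plain' based on the PGP/MIME (RFC 3156) structure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = msg.get_payload() if msg.is_multipart() else []
    if len(parts) != 2:
        return "plain"
    ctype, proto = msg.get_content_type(), msg.get_param("protocol")
    ctrl, body = parts
    # RFC 3156 section 4: control part declares Version: 1, second part carries the armored message.
    if (ctype == "multipart/encrypted" and proto == "application/pgp-encrypted"
            and ctrl.get_content_type() == "application/pgp-encrypted"
            and "Version: 1" in _text(ctrl)
            and body.get_content_type() == "application/octet-stream"
            and "-----BEGIN PGP MESSAGE-----" in _text(body)):
        return "encrypted"
    # RFC 3156 section 5: signed-only mail is readable, only its origin is verifiable.
    if (ctype == "multipart/signed" and proto == "application/pgp-signature"
            and body.get_content_type() == "application/pgp-signature"):
        return "signed"
    return "plain"  # readable by anyone with access to the mailbox or provider

# Constructed sample: a PGP/MIME encrypted notification (placeholder ciphertext, not real OpenPGP data).
ENCRYPTED = b"""Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

cGxhY2Vob2xkZXI=
-----END PGP MESSAGE-----

--b1--
"""

# Constructed sample: the same kind of notification delivered as plain text.
PLAIN = b"Content-Type: text/plain; charset=utf-8\n\nA new login to your account was detected.\n"
```

The structural check says nothing about who the message was encrypted to or whether the signature verifies; that still requires an OpenPGP implementation with the recipient’s private key and the sender’s public key.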
Readers: What are your thoughts on Facebook’s test of OpenPGP public keys?