
Facebook – now with added PGP encrypted notification emails to boost your security

The number of monthly active Facebook users is now close to 1.5 billion, and by my reckoning at least twelve of them are likely to be using PGP.

I’m joking, of course, but it must be a pretty funny Venn diagram seeing how many people are comfortable having an active Facebook account and are also determined to keep their email chats private with PGP.


PGP is, of course, the well-known standard for encrypting email communications. It’s beloved by privacy-conscious neckbeards, journalists and activists around the world, but notoriously painful for the uninitiated public to set up and understand.

But, when set up and used properly, the PGP (“Pretty Good Privacy”) end-to-end encryption standard should make it easy to scramble messages so they can only be read by their intended recipient – and lets the recipient confirm that it really was you who sent them.

And so, for those people who have got their head around PGP, there is some good news from Facebook.

In a blog post, Facebook’s security team has explained that from now on, when the social networking site sends you sensitive emails such as password reset links or other notifications, it can encrypt them using PGP.

The feature, which Facebook describes as “experimental”, means that even if someone manages to get into your email account, they should not be able to read the notification emails that Facebook has sent you. Which means that those notification emails won’t reveal clues about how you might be using Facebook online.

If you wish to make use of the feature, all you have to do is open Facebook on a desktop computer (not on a smartphone), and update your profile’s Contact information:


There you should be able to paste in your PGP public key, and choose whether you wish to enable encrypted notification emails.

And, of course, anyone who you are sharing your Contact information with via Facebook will now be able to see your public key, and use it to communicate with you securely via encrypted email if they wish.
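Before pasting anything into that field, it is worth a quick local sanity check. The following is an added example, not Facebook's code or the author's: it verifies that a block of text is a complete ASCII-armored OpenPGP public key block (correct label, valid base64 body, RFC 4880 CRC24 checksum where present, and a leading Public-Key packet) rather than, say, a private key exported by mistake. The packet bytes it feeds itself are constructed stand-ins, not real key material.

```python
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
# Constructed stand-ins for key material: old-format packet header 0x80 | tag << 2 (6 = Public-Key, 5 = Secret-Key) plus filler.
FAKE_PUBLIC_PACKET = bytes([0x98, 0x03, 0x04, 0x00, 0x00])
FAKE_SECRET_PACKET = bytes([0x94, 0x03, 0x04, 0x00, 0x00])

def crc24(data: bytes) -> int:
    """OpenPGP ASCII-armor checksum (RFC 4880, section 6.1)."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(payload: bytes, block_type: str) -> str:  # wrap packet bytes in ASCII armor; used to build the sample input
    b64 = base64.b64encode(payload).decode("ascii")
    crc = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)] + [crc]
    return "\n".join([f"-----BEGIN PGP {block_type}-----", "Version: constructed", ""] + body
                     + [f"-----END PGP {block_type}-----", ""])

def check_pasted_key(text: str) -> tuple[bool, str]:
    """Sanity-check text destined for the profile's PGP public key field; returns (ok, reason)."""
    m = re.search(r"-----BEGIN PGP (.+?)-----\n(.*?)\n-----END PGP \1-----", text.replace("\r\n", "\n"), re.S)
    if not m:
        return False, "no complete ASCII-armored block found"
    block_type, inner = m.group(1), m.group(2)
    if block_type != "PUBLIC KEY BLOCK":
        return False, f"refusing a '{block_type}': only a public key belongs in a profile"
    head, sep, data = inner.partition("\n\n")  # armor headers (Version:, Comment:) end at a blank line
    lines = [ln.strip() for ln in (data if sep else head).splitlines() if ln.strip()]
    has_crc = bool(lines) and lines[-1].startswith("=")
    try:
        payload = base64.b64decode("".join(lines[:-1] if has_crc else lines), validate=True)
        given = int.from_bytes(base64.b64decode(lines[-1][1:], validate=True), "big") if has_crc else None
    except ValueError:
        return False, "armor body is not valid base64"
    if has_crc and crc24(payload) != given:
        return False, "CRC24 mismatch: block truncated or altered while copying"
    first = payload[0] if payload else 0  # packet header: bit 7 set, bit 6 selects new/old tag format
    tag = -1 if not first & 0x80 else first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    if tag != 6:  # look past the label: the first packet must really be a Public-Key packet
        return False, f"first packet has tag {tag}, not a Public-Key packet (tag 6)"
    return True, "well-formed public key block"
```

Running `check_pasted_key(armor(FAKE_PUBLIC_PACKET, "PUBLIC KEY BLOCK"))` accepts the block, while a block labelled as a private key, a public-labelled block whose first packet is a Secret-Key packet, or a block with a single corrupted base64 character is rejected with a reason.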

Facebook says it is rolling the new facility out gradually to users – so don’t be surprised if you don’t see it on your account yet.

Last year, in another privacy move, Facebook announced it had added a Tor hidden service for the site, ensuring communications remain cloaked via the anonymising network, and potentially opening up access to the site in countries where it has previously been blocked.

Over its history, Facebook has had a blemished record when it comes to security and privacy, but it’s hard to complain about this development – which can only be viewed as a good thing.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

  • Big problem here: lose access to your private key and you won’t be able to receive your password reset email.

    Also it’s only Facebook’s messages that are being encrypted and not user-to-user unless both parties independently use PGP.

  • How many private keys do you reckon Facebook will have uploaded to them in error, and will they be kept or rejected? I can’t help but wonder.
    Cynical trending leads me to think they will keep the private key, or these will be “accidentally discovered in logs” in a while.

  • Graham,

    Make that thirteen. I hooked it up a few days ago and have been getting the odd encrypted message. But, but, but FB sends the encrypted HTML text as an ASCII-armored attachment to an otherwise empty email. This seems to me (a proud member of the unwashed masses) to be decidedly unhelpful.

    What’s the best way to read such a message in my local PC installation of Microsoft Outlook — part of Office 365 — without having to cut, copy, paste, launch and on and on?

    Installing the GpgOL part of Gpg4win gives me a nice way of en- & de-crypting, but not in the manner Facebook has chosen to implement it.

    Life ain’t easy.

    A good HowTo would be absolutely marvelous. Or a pointer to The Answer, perhaps?

    Thanks for your work.