Facebook Abandons PGP Encryption; Should Others Do the Same?

January 19, 2024

by Jeff Broth

In December 2023, Facebook terminated the PGP encryption feature for its emails. This was around eight years after the feature was introduced to protect the emails sent by Facebook to its users. Facebook’s reason for this decision is rather straightforward and unexciting: low usage.

From a business point of view, the decision makes sense. Nobody appears to be up in arms over the decision, which suggests that indeed not many are using this feature. It makes no sense to continue offering a function barely anyone is using.

However, just because Facebook justifiably decided to end a security feature does not mean that the feature is not good. PGP encryption is a decades-old technology, but it is not obsolete. It may not have served its intended purpose in one organization, but this does not indicate failure.

Pretty Good Privacy

PGP stands for Pretty Good Privacy, an encryption/decryption program designed to secure data communication. Initially released in 1991, this encryption technology follows the OpenPGP RFC 4880 and PGP/MIME RFC 2015 standards. Over more than three decades, PGP has become one of the most popular email security tools. It encrypts data while it is in transit, verifies the source of a message, and ensures that only the intended recipient of an email gets to read its contents.

PGP encryption works through a pair of keys, one of which is public while the other is private. When someone intends to send a confidential or private message, they use the public key of the recipient to encrypt the message. The recipient then uses the corresponding private key to decrypt and access the message. In other words, messages to a given recipient are protected by a specific pair of encryption and decryption keys, unlike symmetric encryption techniques where a single shared key is used for both.

Aside from encrypting and decrypting messages, PGP can also be used to sign messages. The private key can be used to create a digital signature, which enables authentication of the sender. This prevents instances of spoofing in emails, wherein messages are made to appear to come from a certain sender. Through this authentication, recipients will immediately know whether they are communicating with the real person they associate with a specific email address or name. This provides the benefit of establishing a web of trust through which users can verify and endorse each other's public keys.

The complexities

PGP is a robust way to keep communications private and secure. Also, PGP can be used freely, so it would seem that there are no costs involved in keeping it. So why did Facebook abandon it? The reason is actually more than just low usage. Facebook appears to have decided to reduce the moving parts in its system to lessen maintenance requirements.

The PGP option in Facebook, despite being used very minimally, still entails maintenance costs. It would be irresponsible to exclude it from maintenance just because it appears obscure and seldom used. The management of the PGP keys is not a minuscule task. Regularly updating and maintaining the keys requires a proficient management system. Also, whenever software updates are made, the PGP implementation should be similarly updated. It would be unwise to keep doing all of these when the feature is not widely used.

More broadly, organizations may consider abandoning or not even adopting PGP simply because it is not that easy to deal with. Configuring and using PGP is quite complicated. Simple usage such as sending brief emails may be relatively easy, but implementing PGP for large files can be complex.

Using PGP to encrypt large files takes some effort. Instead of encrypting the entire file straightforwardly with the recipient's public key, what usually happens is that a random, one-time session key for a symmetric encryption algorithm is generated. The file is then compressed and encrypted using the one-time session key. The session key is then encrypted using the asymmetric encryption algorithm and the recipient's public key before the message is sent to the recipient. The process is lengthy, and not many ordinary users are interested in going through all of it.

Additionally, PGP only works if both parties (sender and recipient) use it. The key-sharing component only makes sense if both parties trust each other. As such, PGP cannot be implemented with everyone. For ordinary users, PGP would seem to be overkill. There are other solutions that allow them to send relatively secure emails or file transfers without the tedious processes and requirements.

Apt use cases

Listing the drawbacks here does not mean that PGP is not a practical option for secure emails or file transfers. It can be a necessity for certain organizations or operations. There are reasons why cybersecurity firms continue to offer PGP as one of their security solutions.

In the case of government defense and defense contractors, for example, it is crucial to ensure a high level of security for all forms of communications and correspondence. Email exchange leaks involving these organizations have serious and long-lasting repercussions.

The financial services sector can also benefit greatly from the confidentiality and security afforded by PGP. Banks, investment firms, financial institutions, and FinTech firms can use PGP to secure information related to their clients’ identities, transactions, and financial reports more reliably. PGP is one of the go-to security tools for banks to secure their data.

PGP is also an apt solution for securing data in the healthcare industry not only to protect patients but also to comply with regulations. While the Health Insurance Portability and Accountability Act (HIPAA) does not specify PGP as a requirement for data security compliance, PGP is one of the options recommended by the National Institute of Standards and Technology (NIST) to ensure data security and meet regulatory requirements on data protection.

Tech and research firms are also expected to take advantage of PGP to secure the critical and sensitive information they generate. To avoid leaking their intellectual property assets, research findings, trade secrets, and other proprietary information, it makes sense to adopt a powerful communication protection solution like PGP.

Moreover, organizations that integrate blockchain and cryptocurrency into their systems would find it intuitive to use PGP in their communications. Blockchain and crypto are similar to PGP in usability, so it makes sense to bring them together to maximize confidentiality and security, much as darknet markets already do.

A case of case-by-case

Facebook’s decision to kibosh its PGP feature should never be equated with PGP ineffectiveness. As discussed, there are practical reasons for the social media giant to part ways with the encryption technology. PGP continues to be a highly reliable encryption/decryption solution, but it may not be practical for certain scenarios, especially if it is offered as an option and only very few decide to take advantage of it. There are certain industries and situations where the benefits of PGP can be maximized cost-effectively.
