Facebook reports enormous uptick in use of snoop-proof email

The social network sends billions of emails to users daily and says adoption of the encryption standard it uses has skyrocketed among webmail providers.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.

Chart: This Facebook chart shows how the number of emails protected by encryption by both the sender and the receiver has flipped in only a few short months. (Credit: Facebook)

Keeping email safe from prying eyes is a joint effort, with both the sender and receiver needing to implement encryption technology. And Facebook -- which sends its user base billions of notification emails every day -- says things have gotten significantly more secure because of changes made by popular webmail providers such as Microsoft and Yahoo.

The percentage of outbound notification emails sent from Facebook that are received by email services which support encryption has jumped from less than 30 percent in May to 95 percent by mid-July, according to a Facebook blog post published Tuesday.

That rate of adoption is exceptionally rare, said Jim Fenton, formerly the chief security officer at password replacement firm OneID and now an independent Internet technologist.

"Facebook's measurement is probably as favorable as it can be," Fenton said, pointing out that Facebook's unique situation -- outgoing email only, measured by volume, to large webmail providers for personal use more than work email accounts -- allowed Facebook to achieve such a rapid turn-around.

The change comes amid a growing effort by webmail providers to better support encrypted email. That's a reaction to National Security Agency snooping revealed by whistle-blower Edward Snowden, and it's a necessity at Facebook, where notification emails about posts and comments made by users' friends often contain snippets of private or semi-private content from the site.

The kind of basic webmail encryption Facebook refers to in its blog post is provided by a technology called STARTTLS, which uses Transport Layer Security encryption to make it harder to spy on email. The challenge with keeping email secure is that it requires both the sender and the receiver to support the same encryption technology -- otherwise messages remain unprotected. Though Facebook has supported STARTTLS for several years, of the three biggest webmail providers, only Google's Gmail had adopted it.

Facebook said in its post that now that Microsoft and Yahoo are on board with STARTTLS, the majority of the social-media site's notification emails are encrypted with two common encryption techniques. One is Forward Secrecy, a technique that prevents the same numeric encryption keys from being used more than once, which would make messages easier to crack. The other is strict certificate validation, which is a high standard for ensuring that a digital authentication certificate -- which email systems check to verify who's sending a message -- has not been forged.
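To make the measurement concrete, here is an added example (not Facebook's code or data) that sorts outbound deliveries into plaintext, encrypted-only, and strictly validated with forward secrecy, then compares the share by message volume with the share by receiving domain, the distinction Fenton raises above. The domains, volumes, field names and tier names are constructed assumptions; cipher names follow OpenSSL's naming.

```python
# Constructed delivery records, one per receiving domain (not real measurements).
# "ehlo" is the receiver's EHLO reply; "cert_ok" means its certificate passed
# strict validation; "tls"/"cipher" describe the session negotiated after STARTTLS.
SAMPLE = [
    {"domain": "big-a.example", "volume": 500, "tls": "TLSv1.2", "cert_ok": True,
     "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
     "ehlo": "250-mx.big-a.example\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"},
    {"domain": "big-b.example", "volume": 400, "tls": "TLSv1.3", "cert_ok": True,
     "cipher": "TLS_AES_256_GCM_SHA384",
     "ehlo": "250-mx.big-b.example\r\n250-starttls\r\n250 PIPELINING"},
    {"domain": "small-c.example", "volume": 60, "tls": "TLSv1.2", "cert_ok": True,
     "cipher": "AES128-SHA",  # static RSA key exchange: no forward secrecy
     "ehlo": "250-mx.small-c.example\r\n250-STARTTLS\r\n250 8BITMIME"},
    {"domain": "small-d.example", "volume": 30, "tls": "TLSv1.2", "cert_ok": False,
     "cipher": "ECDHE-RSA-AES256-GCM-SHA384",  # e.g. self-signed certificate
     "ehlo": "250-mx.small-d.example\r\n250-STARTTLS\r\n250 8BITMIME"},
    {"domain": "small-e.example", "volume": 10, "tls": None, "cert_ok": False,
     "cipher": None,
     "ehlo": "250-mx.small-e.example\r\n250 8BITMIME"},
]

def ehlo_keywords(ehlo_reply):
    """Extension keywords from a multi-line EHLO reply (line 1 is the greeting)."""
    words = set()
    for line in ehlo_reply.splitlines()[1:]:
        parts = line[4:].split()
        if line[:3] == "250" and parts:
            words.add(parts[0].upper())  # EHLO keywords are case-insensitive
    return words

def is_forward_secret(tls_version, cipher):
    """TLS 1.3 always uses ephemeral keys; earlier versions need an (EC)DHE suite."""
    return tls_version == "TLSv1.3" or cipher.startswith(("ECDHE-", "DHE-"))

def classify(rec):
    """Tier for one delivery: 'plaintext', 'encrypted-only' or 'strict+fs'."""
    if "STARTTLS" not in ehlo_keywords(rec["ehlo"]) or rec["cipher"] is None:
        return "plaintext"
    if rec["cert_ok"] and is_forward_secret(rec["tls"], rec["cipher"]):
        return "strict+fs"
    return "encrypted-only"

def share(records, tiers, by_volume=True):
    """Percentage of deliveries in the given tiers, weighted by volume or per domain."""
    weight = (lambda r: r["volume"]) if by_volume else (lambda r: 1)
    hit = sum(weight(r) for r in records if classify(r) in tiers)
    return round(100 * hit / sum(weight(r) for r in records), 1)
```

On this constructed sample the strict tier covers 90 percent of messages but only 40 percent of domains, which is why a by-volume figure dominated by a few large providers is the most favorable way to report adoption.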

A Facebook spokesman told CNET that the company is working on getting the other 5 percent of webmail providers to use encryption. "All major providers we've talked to are either using STARTTLS or are actively working on deploying it," he said.

A Microsoft representative noted during a previous interview that webmail encryption efforts are tricky because of the two-way-street situation involving sender and recipient.

Yahoo declined to comment.

Facebook sends billions of notification emails to millions of domains every day, Facebook email engineer Michael Adkins said in a blog post last May. While that represents only a fraction of all email sent daily, the move to STARTTLS by webmail providers represents a quick victory in the wake of the outcry over NSA surveillance.

Other encryption-related efforts include initiatives from Google, Yahoo, and Ladar Levison, whose now-shuttered company Lavabit was suspected of being Snowden's webmail provider. Google and Yahoo are working on a webmail encryption setup that would hide the contents of an email even from the email service provider. Levison is working on a similar project to simplify email encryption so that it becomes a one-click operation.

Update, August 20 at 10:57 a.m. PT: Clarifies what STARTTLS is and adds response from Yahoo.