For Facebook, delivering the strongest security would be a challenge

Facebook cites third-party services for users seeking end-to-end encryption

If you're a Facebook user and you want the best form of encryption to keep hackers and spies out of your posts and chats, you don't have a ton of options now.

Facebook has gradually amped up its security protocols and encryption methods over the years. This includes its "bug bounty" program that pays outsiders to uncover security holes, as well as HTTPS encryption, which encrypts people's communications in transit but still decrypts it at data centers before re-encrypting it.

However, end-to-end encryption, which holds promise as the best way to secure users' posts, is not in any of Facebook's major products by default. The technology is meant to encrypt people's communications at their client devices so that governments and others must target the person and not Facebook's data centers.

Facebook has been able to deploy end-to-end encryption for a long time, Chief Security Officer Joe Sullivan said on Tuesday. It hasn't rolled the technology out across its services partly due to its complexity. The company has also held back because, when end-to-end encryption is done right, it's hard for the average person to communicate, he said.

"If you use end-to-end encryption on email, you realize how hard it can be," Sullivan said during a talk with the press at Facebook's headquarters in Menlo Park, California. End-to-end encryption can be hard for people to use and understand because it typically requires a manual process of exchanging public keys between the sender and receiver whenever they send an email or any other type of message.

If Facebook users want that type of security, there are some third-party apps they can use to add end-to-end encryption to Facebook's services, Sullivan said.

Facebook has tried to support end-to-end encryption as a concept, Sullivan said. "At a minimum, we want to support third-party initiatives," he said.

One such messaging app is Pidgin, which provides end-to-end encryption and can be used to apply its encryption to chats carried out over Facebook's Messenger app, Sullivan said.

Sullivan would not comment on any plans for Facebook to incorporate end-to-end encryption into Messenger itself.

Talk of encryption -- and its effectiveness -- has risen over the past year due to disclosures over government surveillance, as well as a spate of cyberattacks allegedly carried out by the Syrian Electronic Army and other groups.

Edward Snowden, the former National Security Agency contractor who leaked the surveillance documents, called attention to the issue last week at the SXSW Interactive technology festival in Austin, Texas.

Snowden endorsed encryption during a panel discussion at the show. But he said the protocols currently employed by services such as Facebook, Google and Skype still leave consumers vulnerable to mass surveillance because they do not provide end-to-end encryption.

Facebook wants to be a responsible steward of its users' private communications, according to Sullivan. "We need to make sure our systems are robust enough to have [governments] come in through the front door with the legal process, and not any other way," he said.

Facebook's security measures, which also include an advanced encryption technique called "perfect forward secrecy," are likely to evolve as governments and outside groups enhance their counter-measures.

"In an Internet context," Sullivan said, "security is in a constant state of improvement."

Zach Miners covers social networking, search and general technology news for IDG News Service. Follow Zach on Twitter at @zachminers. Zach's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicespidginsocial networkingsocial mediadata protectioninternetmalwareprivacyFacebookGooglesecurityDesktop securitydata breachencryption

More about FacebookGoogleIDGInteractiveMessengerNational Security AgencySkype

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Zach Miners

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place