by patzerhacker 4031 days ago
But it does nothing to hide that it is a Facebook notification or that it is from Facebook because the envelope information is still unencrypted. So the 'From' address and subject are still in the clear, which doesn't prevent overbearing parents and abusive spouses from knowing you received a notification - only from reading the contents of that notification.
3 comments
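
The point above, as an added example that is not part of the thread or of Facebook's code: a Python check that parses a PGP/MIME (RFC 3156) message and lists what remains readable to anyone with mailbox access but no private key. The sample message, its addresses and boundary, and the `REVIEW` header list are constructed assumptions.

```python
from email import message_from_string
from email.policy import default

# Constructed sample shaped like the notification discussed in the thread.
# Addresses, boundary and "ciphertext" are placeholders, not real data.
SAMPLE = """\
From: Facebook <notification@example.invalid>
To: user@example.invalid
Subject: Encrypted Notification from Facebook
Date: Mon, 01 Jun 2015 12:00:00 +0000
Message-ID: <constructed-1@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Headers worth reviewing for metadata leaks (a list chosen for this example).
REVIEW = ("From", "To", "Subject", "Date", "Message-ID", "List-Unsubscribe", "X-Mailer")
# The only two part types a well-formed PGP/MIME container should hold.
PGP_PARTS = ("application/pgp-encrypted", "application/octet-stream")

def cleartext_view(raw):
    """Return what a reader without the private key can still see."""
    msg = message_from_string(raw, policy=default)
    is_pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                   and msg.get_param("protocol") == "application/pgp-encrypted")
    # PGP/MIME encrypts the body only; every header stays in the clear.
    visible = {h: str(msg[h]) for h in REVIEW if msg[h] is not None}
    # Any extra MIME part sits outside the encrypted payload and is readable.
    unprotected = [p.get_content_type() for p in msg.iter_parts()
                   if p.get_content_type() not in PGP_PARTS]
    return {"pgp_mime": is_pgp_mime, "visible": visible,
            "unprotected_parts": unprotected}

if __name__ == "__main__":
    for key, value in cleartext_view(SAMPLE).items():
        print(key, "=>", value)
```
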

Hi. We use a generic subject line "Encrypted Notification from Facebook" and tried to remove fields that leak metadata. The From: field should just say "Facebook".

Please contact me if you do see anything leaking metadata about the plaintext email.

That's not really what I'm taking issue with.

The parent to my post mentioned that this was a win for people with "overbearing parents" or an "abusive spouse". My response is that the message From field still says that this message is from Facebook, and the subject line apparently says "Encrypted Notification from Facebook". So this is not really a win for someone with overbearing parents or abusive spouses because sufficiently overbearing or abusive people will be on the lookout for any communication from Facebook and will assume the mere fact that the message is encrypted is a sign that it's something they would disapprove of.

That is in no way meant to say that the feature is useless, rather that the parent to my post is mistaken about who this feature is useful for. More useful would be an option to have the notification message come from somewhere innocuous - to otherwise make it look like spam. If it did, the PGP encryption would allow the recipient to pick it out of the spam and make sense of it while not alerting others to the fact that it's a message from Facebook.

Even in your scenario, I can see some utility. A parent or spouse who has your email password still can't reset your Facebook password without your PGP keyphrase password as well. That's perhaps not a significant additional barrier, but at least it's a much less commonly used password/phrase than your email account...

Again, the big problem for abuse victims is getting the shellac beat out of them for disobeying their abuser. This encryption does nothing to enable an abuse victim to switch on notifications as the (now grand-)parent post I was responding to was insinuating - abusers on that level don't care what the message says. They are going to interpret any message they can't read as a message that goes against 'their rules'.

Yeah but there is a hell of a difference between seeing that you have received a friend request and seeing that you have received a friend request from an agency that helps victims of domestic abuse.

The first is pretty innocent, the other could get you killed.

If someone is sufficiently abusive and paranoid then the distinction is meaningless - they will assume that any notification they can't read is one they don't approve of, and somebody in that situation wouldn't benefit from encrypted notifications. They likely wouldn't have notifications on at all, so encrypting them doesn't make them safe to use in this situation.

That doesn't make encrypted notifications useless in general or otherwise bad, but it's an oversell to say this makes them useful for abuse victims. In fact, selling it that way is dangerous given a sufficiently abusive and motivated adversary as it's false security.

Sure - but we (or Facebook) need to weigh up whether doing this which may (or may not) help in some cases is of greater benefit than not doing this because in some "sufficiently abusive" cases it won't work (or may even be harmful). My gut feel is that it's a good thing, and that the benefit against "snooping grade" abuse is positive and way more common than the potential downside in "sufficiently abusive" cases. It's not a requirement that Facebook fix everything to "worst case abuser" standards before providing additional features or utility to other users of their site. (Let's face it, if your postulated "sufficiently abusive adversary" is the threat model, you've got bigger problems to solve than securing your Facebook account - and Facebook can't help you with those in general...)

It's a good thing. If the take-away from my post was that it wasn't then I'm sorry for not conveying that more up front.

Again, I'm responding to the grand-parent post that said this would be good for abuse victims. It's not all that great, but that doesn't mean it's useless.

You are right. I assumed that encrypted notifications would be sufficiently common that they wouldn't raise a red flag, but that is obviously wrong.
Given that if you turn on all notifications you'll have about a bajillion of them it's a pretty good smokescreen.