Open Internet Standards 5 June 2014

Google Takes First Step Toward End-to-end Email Security

By Andrei Robachevsky, Senior Director, Technology Programmes

I was very excited when I read Google’s announcement about their beta release of a Chrome extension that will allow users to encrypt their messages end-to-end. Although Gmail supported HTTPS from the very beginning and now always uses an encrypted connection when you check or send email in your browser, the content of your messages is stored at Google and is accessible to them.

This is not a secret: Google’s terms of service say that “automated systems analyse your content (including emails) to provide you personally relevant product features, such as customised search results, tailored advertising, and spam and malware detection.” Unfortunately, as we read from the documents disclosed by Edward Snowden, this information may also be made accessible to other parties.

What Gmail is missing is end-to-end email security, where one end is myself and the other end is my recipient, and not Google. Also very important is that I and my correspondent keep the secret keys, not a third party. In computer security jargon this is called object security, as opposed to channel security (what Google was offering from the beginning), since in email there is no direct channel between me and my correspondent. So Google’s End-to-End seems like a step in the right direction.

It appears to be only a half-step, though. The beta version of the extension only partly integrates with Gmail, and is a bit more than a web interface to OpenPGP. It will let you automatically create new conversations with the encrypted blob copied in. But copy and paste is required to decrypt the message. It also doesn’t allow you to use keyservers, making key management difficult.

So it doesn’t really make the use of encrypted email easier, or even on par with other existing tools, but I take it as a sign that Google is committed to making its email service end-to-end secure and fully integrating with Gmail at some point. Because that would be a strong response to pervasive monitoring – an attack against Internet privacy, from the IETF point of view.

Speaking of other tools, for those who use IMAP (or POP) instead of webmail, many of the popular email clients support PGP through extensions and plug-ins. I am using Thunderbird with Enigmail and find signing and encrypting of emails pretty straightforward.

Yet end-to-end encrypted mail is far from being ubiquitous. Is it because it is still too difficult, is there a lack of awareness, or is it not seen as useful to a regular user? At the end of the day a traditional postal envelope doesn’t offer much protection either.

I think all these factors contribute, and that means there is a lot to do before Google’s new feature can become useful and used. But I am glad they are moving in this direction.


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
