Google's End-to-End Encryption Isn't What It Seems
Google tries to make end-to-end email encryption simple to use. It will be, but there are caveats.
Calling it FUD might be a bit strong, but there certainly is a great deal of confusion about the Google Chrome extension announced June 3, 2014, called End-to-End. When released, the extension will allow the end-to-end encryption of email messages. Sounds simple enough, right? But that’s where the confusion starts, because most people were under the impression that Gmail messages were already encrypted. And, they are. Well, kind of ...
Isn't Gmail Already Encrypted?
The simplest way to explain Gmail’s current encryption is to think about the email message traveling from the sender’s computer to the intended email recipient. During the transit, digital messages are encrypted via Transport Layer Security (TLS), a protocol that provides security between the client/server applications that communicate with each other over the Internet.
The misconception arises when the message is at rest at the sender, on intermediary servers or at the recipient. At those points, the message is not encrypted. The message is also not encrypted if the recipient’s email program does not accept HTTPS (using TLS) messages. That is why experts say current Gmail encryption is not "end-to-end."
Google tracks the number of sent Gmail messages that are encrypted while in transit as well as the number of messages received by Gmail users that are also encrypted in transit. As shown in the report below, up to 50 percent of Gmail messages are not encrypted.
End-to-End Encryption Isn't New
Interestingly, there are true end-to-end email encryption applications, but they are by no means popular. Two examples are PGP and GnuPG. PGP is especially interesting in that its creator, Phil Zimmermann, got into serious trouble with the U.S. government when he first created PGP. The reason? PGP was too effective.
The question is, if it’s possible to encrypt email end-to-end, why aren’t people using it? The answer: when convenience and security clash, convenience usually wins. And currently, email encryption is complicated to set up and a pain to use. Also, until recently, people weren't that concerned about encrypting their email.
Another complication with end-to-end email encryption is that both parties need compatible encryption software. If the programs are not compatible, the email message will not decrypt. So, rather than risk not having an email read, most senders do not bother with encryption.
What Is Google End-to-End?
Google developers are well aware of the above issues, and have created an encryption process that is user-friendly, "a Chrome extension that helps you encrypt, decrypt, digital sign, and verify signed messages within the browser using OpenPGP." This would then place Google’s new version of email encryption in the "end-to-end" category.
Google’s encryption extension immediately garnered interest from the privacy community. If End-to-End does what Google says, the extension will prevent Google from scanning the message body, something Google does now, and considers a revenue stream. In a June 11 blog post, Jim Ivers, chief security strategist for Covata, offers an explanation.
"I assume that Google is willing to trade what they would lose in encrypted data to retain customers in the Google ecosystem by appearing to be concerned with their email privacy," Ivers writes.
What Google End-to-End Is Not
Encryption experts have already been kicking the extension’s tires, and several potential issues have surfaced. Because it's a Chrome extension, the encryption process will require both the sender and recipient to use Chrome Web browsers. Last time I checked, Chrome was being used by less than 50 percent of those on the Internet.
Other issues are that Google End-to-End is not supported on mobile devices; it appears that attachments will remain unencrypted for now as well. All in all, there are enough negative points to give pundits reason to doubt a large-scale adoption.
Some Useful Tips About Encryption
The whole idea behind encryption is to maintain privacy between the sender and recipient. One thing the sender should take into consideration is, what if the person who receives the encrypted email forwards it without encryption? If the message is important enough, the sender may want to instigate certain controls that only allow the recipient to view, but not print, copy, or save the message.
"The lessons are clear: beware of large ecosystem vendors bearing gifts, read the details carefully for the numerous caveats and exceptions, and take a holistic view of encryption," Ivers writes. It's good advice, especially when you consider how much is missing in Google's new encryption extension. Of course, the biggest thing that's missing when it comes to adopting any kind of end-to-end encryption is convenience.
Convenience Is the Key
Google is hoping its new Chrome service will make end-to-end encryption an easy option for its users. Even so, Google is realistic. Stephan Somogyi, product manager, security and privacy, said, "We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection."
Google says that End-to-End is still an alpha build, and only available to the developer community. The company says that once it feels the extension is ready and bug-free, it will make it available in the Chrome Web Store. It's an imperfect solution to security, but it's still more secure. The question is, will anyone bother to install it?