Email security is a concern for many consumers, but it is a crucial issue for the enterprise. Most email clients offer a base level of encryption, but it is worthless if the opposing party (sender or receiver) does not offer a similar level of protection.
End-to-end encryption is considered a stronger, more secure option; but it is often difficult to orchestrate. In a recent Google blog post by Brandon Long, the tech lead for the Gmail Delivery Team, Google announced the availability of the source code for a Chrome extension called End-to-End. The extension, which is currently in testing, will provide an easier way for two independent providers to maintain end-to-end encryption of emails.
“When companies release their code to the public, it enables security researchers and technologists to do an audit to check for misconfigurations or vulnerabilities that might put users at risk. Not only will this tool significantly increase the security of Google’s users, but releasing the code in this way, before it is implemented, is [a] best practice and the responsible thing to do,” said Access Policy Director Jochai Ben-Avie.
Google already automatically encrypts the emails you send and receive using Transport Layer Security (TLS), when it can. But, both sides of the email transaction need to be on board for end-to-end encryption to work. For those interested, you can check the current rates of encryption using Google’s Transparency Report.
Encryption helps to make it more difficult for emails that may be intercepted in transit to be read. According to the blog post, the focus on end-to-end is to help reduce snooping by “by bad actors or through government surveillance.” It’s interesting that they note government surveillance, as Google is often criticized for its supposed cooperation with the NSA and the US government.
The End-to-End source code operates Pretty Good Privacy (PGP) encryption. PGP encryption was created in 1991 and uses a series of keys to encrypt data. Authors have a private key and they give public keys to recipients to decode the data. If properly implemented, organizations such as the NSA would have a far more difficult time trying to view the contents of PGP-encrypted emails.
According to Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, PGP is known to be difficult to implement, especially with Gmail.
“PGP email is notoriously not usable,” Hall said. “It’s very, very secure but, like a lot of things that are very, very secure, it’s real easy to make mistakes where you accidentally send an unencrypted email when you meant it to be encrypted. Then, the cat is out of the bag for whatever the content is.”
There are other concerns for potential users. Encrypted emails would, more than likely, be unsearchable within an inbox, being that the content is hidden. They would also be inaccessible on more than one device as the key is usually stored locally. This is especially an issue for mobile users, as storing storing a key on a mobile device that can easily be misplaced presents an added risk. Because, once someone has access to your private key, they can access and read all of your past sent emails.
While many security pundits are supportive of this move by Google, Hall said that it presents an interesting conundrum for Google’s advertising model.
“They’ve clearly made a decision that they want to support this,” Hall said. “And, for products like Gmail that rely on algorithmically, mechanically analyzed email content to display advertisements, this means for a certain subset of people they are deciding it’s okay if we don’t see that content, it’s okay if we can’t actually support the business model that Gmail has stood up on for those users. If everyone were to do this, you wouldn’t have ads in Gmail.”
Hall noted that there is a possibility that Google can place an advertisement somewhere in the subject line, but that seems unlikely.
The enterprise implications for this announcement don’t end at secure email. Hall said that since PGP can work on any block of text, the source code that Google released could be used to potentially create secure, encryptable versions of some of the Google Apps, such as Docs. If that were to happen, it would be a huge step toward quelling the security concerns enterprise customers have with the Google Apps suite.