Google to enable end-to-end encryption for user emails

Google has just announced two big steps forward for enhancing user security: it will provide key statistics on internet-wide email security in its next transparency report, and the company is working to enable end-to-end encryption standards (using PGP) on Gmail to protect users from unauthorized access.

This afternoon, Google revealed that it will take major steps toward improving the privacy of internet communications. First, Google has released a new section to its transparency report that includes the percentage of internet communications traffic that is encrypted using SSL by each provider. This is a key indicator, because inter-provider communication (e.g., when a Gmail user emails a Yahoo! user) often results in emails being sent “in the clear,” or unencrypted. A user may send emails through a provider with good internal security practices, but this security is circumventable when emails are sent to a user whose provider does not follow good data security protocols. The new element of the transparency report will provide a window into provider security practices and provide valuable information to users.

Access’ Data Security Action Plan calls for strict encryption measures on all network traffic in order to best protect user data. Transport layer security ensures that traffic cannot be intercepted in the clear as it moves over the internet. Access has long argued that transparency reports help to give users a more complete picture of how their personal data and communications are protected online. This latest innovation in reporting will put needed pressure on those providers who are not currently properly encrypting their users’ data.

Google also announced first steps toward embedding Pretty Good Privacy (“PGP”)—one of the most secure encryption tools currently available—into Gmail. PGP is an end-to-end encryption tool, meaning that emails sent using PGP are encrypted from the time they are sent until they are received, with encryption and decryption typically happening on a user’s computer (rather than a website’s server). According to Google, the plugin will enable “key generation, encryption, decryption, digital signature, and signature verification.” Keeping emails encrypted between sender and receiver prevents third parties from reading the content of these emails while they are in transit, although the metadata (sender, recipient, subject line, etc.) is still exposed.

It is currently not possible to use PGP in Gmail’s web interface. Gmail users who wished to protect their communications from third-party snooping have traditionally had to use different platforms, like Thunderbird with the Enigmail plugin, to send PGP emails.

In 2010, Google set the default user option for Gmail to the secure HTTPS connection. Then, earlier this year, Google forced encryption for all email and announced that messages would be encrypted while being transmitted through Google systems. However, this option still gave Google access to user data. The introduction of PGP would keep Gmail users’ communications secure even as they move through Google’s systems to those of other providers and would theoretically prevent all third parties, including Google itself, from accessing personal communications.

Following security best practices, Google—which created its own plugin to enable PGP in Gmail and other webmail—will be presenting the “End-to-End” source code to the technological community before implementing it. This will allow cryptography experts to interact with and test the new protocol and will allow Google to fix any potential bugs before the general public starts using it, likely later this year.

Enabling Gmail users to easily send their communications using one of the best security protocols available will be a major boon to online privacy. Gmail will join the ranks of other communications services that provide for end-to-end encryption, including Silent Circle, which enables secure voice, text and video on users’ phones and computers, and Startmail, currently in the beta testing phase, which advertises itself as “email encryption made easy.” Both Silent Circle and Startmail have voiced support for Access’ Data Security Action Plan.

Access applauds Google’s steps to increase transparency and promote online security, and encourages other internet platforms to Encrypt All the Things. Google’s steps represent meaningful progress towards a more secure internet for us all. On the eve of the anniversary of Edward Snowden’s first NSA leaks, Google’s announcements are a welcome reminder that online privacy depends on both government and private sector reforms.

Update: Just hours after Google released its transparency report, Comcast announced that it is testing email encryption and will be implementing it more broadly in the coming weeks. The Google report noted that, as of now, fewer than one percent of messages exchanged between comcast.net and Gmail are encrypted. Access welcomes Comcast’s announcement, and is currently working with other companies to implement the Data Security Action Plan.