Google trumpets extra encryption for Gmail, but stays mum on other apps

While touting an additional security layer to protect Gmail users against snooping, Google remains vague on its other apps

Google recently trumpeted that it now encrypts Gmail messages while shuffling them among its data centers, an extra security layer aimed at thwarting government and criminal snoops, but didn't say if it applies this protection to its other applications.

Asked for clarification, the company declined to comment. "We don't have more details to share beyond the Gmail news, but we're always working on strengthening and encrypting across more services and links," a spokeswoman said via email.

Google's reluctance to clarify the scope of its internal encryption is baffling and does a disservice to enterprise customers who rely on the Apps suite for workplace communication, cloud storage and collaboration, according to analysts.

"When confronted with the evidence of a compromise, and asked for an explanation as to how it happened and what they are doing about it, Google is dissembling. This is no basis for trust," said Jay Heiser, a Gartner analyst.

At issue are reports from last year, based on leaks from former National Security Agency (NSA) contractor Edward Snowden, that the agency snooped on users of online services in part by intercepting data Internet companies transmitted unencrypted in "plain text" among their own servers and data centers.

Back in September, Google officials told The Washington Post that the company was accelerating efforts to encrypt communications between its data centers as a result of these reports.

"It's an arms race," Eric Grosse, vice president for security engineering at Google, said at the time.

About two weeks ago, Google announced it had turned on this "internal" encryption for Gmail, but glaringly neglected to address whether and when this will be done for its other services and applications.

"Every single email message you send or receive -- 100 percent of them -- is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers -- something we made a top priority after last summer's revelations," the Google post reads.

The Google spokeswoman declined to provide an update on the efforts described in The Washington Post article in September, in which Google officials were quoted as saying the "end to end" internal encryption project would be completed "soon." The spokeswoman also declined to say exactly when this encryption was turned on for Gmail, acknowledging only that it was first announced in the March 20 blog post.

The situation is a model case for why enterprise cloud-service buyers need more transparency from their providers, according to Heiser. "Not only did nobody expect their data would be vulnerable to surveillance in this way, but nobody outside of Google knows what question to ask to determine if that's been fixed," he said.

"Without knowing how data is transferred between Google servers, nobody has any basis for knowing if risk still exists. We all now know that there is a hole, but without knowing more details, vague assurances from Google do not constitute reliable evidence that the hole has been plugged," he added.

Google's vague response suggests that the company hasn't completed the major undertaking Grosse referred to in September, and customers should take note of this, Heiser said.

"This is an instance in which the extreme size and complexity of Google should be a matter of suspicion for its users. Is the traffic or infrastructure supporting their search and advertising business a factor that inhibits the implementation of encryption between their sites?" Heiser said.

Peter Firstbrook, another Gartner analyst, was also unimpressed with Google's lack of response.

"As usual, Google gives no real information here," he said via email, referring to the March 20 blog post. "It is another 'trust us, we're doing the right thing.' No hyperlink into a fuller explanation. There may be a weakness in the new encryption scheme. We just don't know."

The lesson for buyers of software-as-a-service (SaaS) products is clear, according to Heiser: Demand clear, granular explanations from vendors about their security technology and policies.

"No amount of 'we have the following features' can ever help a SaaS buyer fully understand where a particular service might have undesirable vulnerabilities, if you don't have full details on the technology and topology of that service," he said. "SaaS is the digital equivalent to sausage: Mystery meat is not necessarily bad for you, but if you don't have full knowledge of the ingredients, you can never fully understand the health hazards."

Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.
