Google reportedly wants to make email encryption easier, but don't hold your breath

Email encryption is a great way to keep snoops out. Too bad it's not a realistic option as a built-in feature for Gmail.

Still responding to the National Security Agency surveillance revelations, Google is reportedly preparing to help users beef up Gmail security with end-to-end encryption. The search giant is working on a way to make Pretty Good Privacy (PGP) encryption easier to use for Gmail fans, according to a report by Venture Beat.

The idea that Google would be working on email encryption is surprising since that would threaten the company's ability to scan email messages for keywords to insert ads--a fact the Venture Beat report acknowledges.

Perhaps the company merely wants to make PGP easier to use for the small sliver of people who might actually want more privacy with their email. But as a regular feature for all? Not likely.

PGP explained

PGP relies on public-private encryption key pairings that make it all but impossible for someone other than the intended recipient to read an encrypted message.

Say Sally wants to send Bob a message. Once she's done composing it, Sally uses Bob's public encryption key to encrypt the message, turning it into a bunch of garbled nonsense. Then only Bob can decrypt the message, using his private key.

An attacker without Bob's private key would have to spend an impossibly long time guessing keys to decrypt the message, which, as we said, makes it all but impossible.

There are ways around the encryption, such as stealing the private key or breaking into a PC after the message has been decrypted. But for the most part, public-private key pairs offer a reasonable amount of privacy.

PGP problems explained

The only problem is that employing PGP--or its open-source alternative GNU Privacy Guard (GPG)--is not at all user friendly.

There are already attempts to make encryption easier, such as the Thunderbird extension Enigmail and the browser plug-in Mailvelope. But so far only a relatively small number of users have been willing to try these easier solutions.

With millions of Gmail users, Google could widen the PGP/GPG user base considerably if it wanted to--but end-to-end encryption poses some big problems for a mainstream service like Gmail.

The biggest difficulty for any user, whether novice or advanced, is keeping the private key secure. If the hard drive holding your keys crashes, for example, there goes your private key, along with any hope of ever reading messages encrypted with it.

If you're trying to manage encrypted email on your PC, smartphone, and tablet, your private key will have to reside on all of those devices. Moving a key around could cost you control of it: if you email the key to yourself, if one of your devices gets hacked, or if you lose an unencrypted flash drive containing the secret data.

A simpler solution for Google might be to hang on to everybody's keys on a third-party server. That way, the user doesn't have to deal with private keys and reading email across devices is that much easier.

But once Google has your private key, the company can technically read your email, which defeats much of the point of using encryption--especially if the NSA or another three-letter agency comes knocking. See Lavabit's woes.

Follow the money

Then there's the previously mentioned email scanning Google loves to do so it can insert ads based on keywords into your messages.

Perhaps Google could employ some kind of JavaScript magic in the browser that lets it scan messages once they've been decrypted. But Google would still have to send that post-decryption data to its servers to figure out which ads to display.

Once that happens, your private messages are landing on Google servers, where they could once again be available to law enforcement or surveillance agencies with the right paperwork.

Email encryption is a nice dream for Gmail, but the hassles of key management and ad delivery mean PGP/GPG would probably never be more than a feature buried in Gmail Labs, where only the most dedicated advanced users would find it.

If you're interested in trying out email encryption with a public-private key pair, check out our tutorial on how to use the Enigmail Thunderbird extension.
