It’s just about a year now since former intelligence contractor Edward Snowden confirmed what many suspected already: that governments around the world systematically spy on email.
Ever since, technology companies have been working steadily to develop security apps to prevent or at least minimize the potential for snooping. In two significant announcements this week, Google moved closer to securing Gmail.
According to a blog post by Brandon Long, tech lead at the Gmail Delivery Team, Google is close to releasing new end-to-end encryption standards on Gmail that will effectively stop unwanted and unauthorized access to users’ email.
Sealing the 'Letter'
To explain what Google is doing, Long uses the analogy of a sealed letter. When you send a letter by snail mail, you tend to put it in a sealed envelope to prevent the world from reading it.
Email, he claims, works in a similar way. When it is routed from the sender to the receiver, email is encrypted — or sealed — in an effort to keep it private.
Long said Gmail has always supported encryption in transit through use of Transport Layer Security (TLS), which automatically encrypts incoming and outgoing email. However, for this process to be effective, both sides of the email exchange need to support encryption.
What Google is Doing
According to Google, end-to-end encryption is currently possible with only about half the email sent from Gmail to recipients using other providers.
To make the encryption process more effective and universal, Google plans to open source the code for End-to-End, a Chrome extension that works with the Pretty Good Privacy (PGP) encryption tool.
Without getting bogged down in the technical details about PGP, Google describes it as a plugin that encrypts email from the time it is sent from Gmail to the time it lands in the recipient’s inbox.
The new plugin will enable the creation of keys to encrypt and decrypt scrambled emails, as well as digital signatures and signature verification.
While the release and use of this code could make email more secure, it will only work if the recipient’s email provider also uses the technology.
But Google claims more and more providers are doing just that. The change, however, won't come overnight.
In a related announcement this week, Google said it is adding a new section to its Transparency Report to show which providers are providing which kinds of services.
For enterprises looking to protect their email, this is an important indicator. It shows which providers offer good security and which ones are less secure.
While the release of the new plugin will go a long way toward reassuring people that Gmail is secured, it is still unclear how much of the information in email is viewable by Google itself.
Last year, Google pointed out that those who had signed up to Gmail were informed their emails would be machine scanned and that Google was doing so to provide personalized advertising.
If Google is blocked from scanning these emails, as the PGP tool seems to do, the company appears to be cutting itself off from at least a portion of the data it uses to create advertising. What are the odds it will really do so?