Google boosts Chrome encryption amid email warning

Summary: The Internet giant tries to convey to users that many emails are not secure once they leave Google's hands.


Google routinely publishes reports to establish transparency into how often it responds to data requests from law enforcement agencies, but its latest update pertains more to industry competitors.

The Internet giant issued a memo on Tuesday -- a reminder to some and maybe a heads-up to others -- that while Google might promise to keep emails encrypted within its bounds, it can't say the same when messages float beyond its digital grasp.

In fact, Google estimated that between 40 and 50 percent of emails sent between Gmail and other email providers aren’t encrypted at all.

Brandon Long, the tech lead for the Gmail Delivery Team, offered a real-world comparison in a blog post on Tuesday to drive home the point for Internet users of all proficiency levels:

When you mail a letter to your friend, you hope she’ll be the only person who reads it. But a lot could happen to that letter on its way from you to her, and prying eyes might try to take a look. That’s why we send important messages in sealed envelopes, rather than on postcards.

Email works in a similar way. Emails that are encrypted as they’re routed from sender to receiver are like sealed envelopes, and less vulnerable to snooping—whether by bad actors or through government surveillance—than postcards.

While acknowledging that other email providers encrypt their emails too (albeit without naming names), Long noted a few public service announcements intended to nudge others to do the same.

That starts with a new section in Google's Transparency Report dedicated to promoting safer email infrastructures.

Google also has a few other security-minded announcements this week, including End-to-End, a new Chrome extension powered by OpenPGP, an open standard touted to be supported by existing encryption tools.

Stephan Somogyi, a product manager on Google's Security and Privacy team, explained in a separate announcement today that this particular extension offers encryption and other security measures (i.e. HTTPS) "beyond" what Google already provides.

Somogyi wrote:

“End-to-end” encryption means data leaving your browser will be encrypted until the message’s intended recipient decrypts it, and that similarly encrypted messages sent to you will remain that way until you decrypt them in your browser.

End-to-End isn't actually available yet, and Google hasn't revealed an exact ship date either. But Somogyi promised that when the extension is ready, it can be found in the Chrome Web Store.

  • Google reads customer emails...

    Now they claim that - "many emails are not secure once it leaves Google's hands."...
    • Yes, Larry Page reads our emails

      Every one. All on his own.
      Coz he's got nothing better to do.
    • So did Steve Ballmer.

      Wasn't that why they sacked him? Or was it for paying Burson-Marsteller to lie about Google? Who knows?
      Not Owlnet, that's for sure.
    • "Apple sued for collecting and selling customers’ personal info"

      what is the problem that Google's robots read my email for ads to have great services from Google for free?

      the only threat is Apple "Apple sued for collecting and selling customers’ personal info"
      and the NSA ;)
      Jiří Pavelec
  • This is to compete with Exchange on Software as a Service

    Google is playing this well. In 1995, Microsoft introduced an ActiveX control that does basic cryptography. When Internet Explorer gained the ability to run JavaScript, that JavaScript was able to access that DLL, and provide end to end encryption.

    Google has actively and repeatedly blocked all discussion or attempts at discussion about bringing cryptography to the web browsers in a standard and interoperable way -- in the HTML5 working group, in the web application working group -- for over a decade. Now all of a sudden they're taking an interest in it with their own, proprietary browser plug in.

    Microsoft Exchange and Outlook Web Access -- the commercial mail servers Microsoft ships -- have done S/MIME and X509 based end-to-end encryption, as mandated by the US Government for some Federal applications, since before 2000. PGP is available as an add on. Many mail programs, including third party clients on Android, have supported encryption using PGP, GPG or X509 -- standard S/MIME messages -- for an extremely long time.

    And so basically, this is Google saying "hey, in order to compete in Software as a Service, we need to provide this service. We can't bid on the contracts otherwise." And then the rest of us get the feature, in browser, on their browser only, via a proprietary add on because they've actively obstructed getting a standard mechanism into the HTML and JavaScript standards.

    On the other hand, this is still better than nothing.
  • Does Google not read Facebook's Blog?

    Facebook pointed out a month and a half ago that using STARTTLS opportunistically worked surprisingly often. I wonder if Google has started doing that yet?
  • Google boosts Chrome encryption amid email warning

    Emails were not secure when they were in Google's hands. Their employees got caught red handed reading emails.