Why Google Should Encrypt Our Email
from the it's-good-for-everyone dept
Julian Sanchez has put forth an interesting and compelling proposal: if Google really wanted to take a stand in favor of user privacy, it should encrypt all our emails.
Google is in an ideal position to overcome these difficulties, and finally make strong e-mail encryption a mass phenomenon. Their Gmail service—the one David Petraeus was using to exchange steamy messages with his biographer and lover, Paula Broadwell—has some 425 million active users by last count. Many of those users access the service through a Web interface, which Google can change and update for all users simultaneously. That means we could all wake up tomorrow to find a handy new “Encrypt Message” button included in the familiar Gmail interface we're already using. Meanwhile, Google (along with Facebook) has rapidly become a kind of universal Internet identity provider, with the Google Account used as a key not only to access Google’s own myriad offerings, but many other independent online services as well.
Of course, as Julian notes, one reason Google is resisting this is that it would make it more difficult to scan your emails and offer contextual advertising based on what's in them. He notes that Vint Cerf more or less admitted this last year, saying that it would be a challenge to their business model. But Julian points out that there are other ways to target advertisements (some of which might be more effective) than keying them directly off each email -- for example, Google can still use your search history, social profiles, YouTube videos, etc. For what it's worth, in all the years I've used Gmail, I don't recall ever looking at the ads they display -- though, obviously, some people out there must click. Also, a point worth noting: Microsoft's new Outlook.com email system does not scan each email for contextual advertising purposes. If they can do it, it seems silly to argue that Google needs to scan each email.
More importantly, Julian isn't saying that every email should be encrypted -- so plenty of messages will still be sent in the clear, and those can be used for contextual ads. And the benefits may outweigh the negatives:
Because truly strong encryption is “end to end”—meaning the end-users generate, store, and have sole access to their own private encryption keys—a robust content encryption system may require users to have appropriate client software installed on their own machines. Here, too, Google is well positioned to provide a solution: They already make a widely-used browser, Chrome, and a popular operating system for mobile devices, Android, which could be updated with the necessary functionality built-in, eliminating the need for a separate browser plug-in.
Meanwhile, Google would garner enormous goodwill from privacy advocates, reams of free press coverage, and an attractive new selling point, not only for Gmail but for Chrome and Android as well. Encryption would likely be a particularly appealing feature for Google's paying enterprise customers, whose messages may contain information that is not only private but highly valuable. At the very least, it's worth running the numbers again to see whether offering strong encryption might now be a net boon to the company's bottom line.
Furthermore, he notes that Google can use this to take a real stand against efforts by law enforcement to build wiretapping into email. Those efforts have been going on for a long time, and Google has fought against them in the past. But, he notes, getting people up in arms about the feds taking away something they already have is a much more powerful motivator than getting them worked up about the feds making it impossible for Google to offer that feature in the future.
Because people are loss-averse, taking away something people already have and value can be all but impossible—while preventing them from getting it in the first place is far easier. By rolling out e-mail encryption now, Google can ensure that ordinary users see myopic efforts to regulate secure communications infrastructure as something that affects all of our privacy and security—not just that of faceless crooks or terrorists.
For what it's worth, Ed Felten responded to Julian's proposal by noting a few potential issues with it: (1) managing the crypto keys and crypto code would be an issue (would Google also store your key? If so, many of the benefits go away) and (2) there are features that rely on Google being able to see your email. On that latter issue, he notes that beyond the question of contextual advertising, it could make things like filtering messages more difficult -- and that includes more important filters, like spam.
Julian responds by noting that these are not insurmountable issues. The management of the crypto keys could be handled by Google if people are okay with it, or they could offer up third party options (whether local, or some other "cloud" provider, such as Dropbox).
...lots of cloud services that offer encryption let the user choose whether or not to let the provider keep a backup copy of the user's keys. The more paranoid could sacrifice some mobility and convenience—and risk losing access to some of their messages if their local copies of the key are destroyed—by opting not to let Google keep even an encrypted copy of their key. Or, as a middle ground, a user could always store an encrypted backup copy of her key with a different cloud provider, like Dropbox, which need not even be known to Google. That provides all of the advantages of storing the key with Google at a relatively minor cost in added hassle, but substantially raises costs for any attacker, who now must not only crack the passphrase protecting the key, but figure out where in the cloud that key is located. Assuming it's accessed relatively infrequently (most of us read our e-mail on the same handful of devices most of the time) even a governmental attacker with subpoena power and access to IP logs is likely to be stymied, especially if the user is also employing traffic-masking tools like Tor.
As for the filtering option, he notes that you can still filter based on other metadata, and that most of the encrypted notes are less likely to be spam, since they're more likely to be used between people who know each other. To avoid the problem of spammers suddenly jumping on the encryption bandwagon, he suggests an option where you might only accept encrypted mail from white-listed addresses.
Some Google haters will insist that Google will never do this because it might diminish the contextual ad business, but as Julian explains (in both links!) that's not necessarily the case. Furthermore, Google has, in the past, shown that it recognizes that making a goodwill gesture in terms of increasing privacy or better protecting its users can often pay off in much more usage and public goodwill in the long run. As Julian notes: it seems that it's at least worth running some numbers to see how it might make financial sense to better protect user emails.
Filed Under: email, encryption, gmail
Companies: google
Reader Comments
Encrypted spam prevention
To spam an encrypted message to millions of users, the spammer's computer would have to encrypt each of millions of copies separately using the individual target's public key. This would be slow and expensive and destroy the economic reason for spamming in the first place. Spammers would thus avoid encryption, even if it meant the likelihood of being caught and blocked by filters at many destinations.
Re: Re: Re: Encrypted spam prevention
Second part is a strawman and not worth responding to
Re: Encrypted spam prevention
Unfortunately for your theory, "the spammer's computer" is in reality often tens of thousands of other people's computers (i.e., a botnet).
Ah, the nostalgia for the "why your idea to prevent spam won't work" form letter (the one with the checkboxes)...
As Mike points out repeatedly, the real (and mostly only) way to solve problems is economics --- i.e., spam will not disappear until user education/cultural evolution has made it unprofitable.
"the more paranoid"
But giving Google the keys? #samesame
Re: Re: "the more paranoid"
Unfortunately, here in the real world, I don't know the best answer.
However, if we are talking proper encryption here, then it's not handing the keys over to anyone - it's letting me have the keys, Google providing a place to store things that even they can't access, and the govt can go sit in a corner and cry about it.
Re: Re: "the more paranoid"
Neither. Corporations and the government are equally trustworthy. Meaning they're not at all. You have to watch them like a hawk at all times.
It also helps to remember that every interaction with them is an exchange. You're giving up something to get something. The trick is to make sure that what you're getting is worth at least as much as what you're giving up.
I admit I have looked at the ads once or twice and I clicked them one of the times out of curiosity. Most of the time I ignore them. Now we have those annoying videos on Youtube where you can skip in like 5 seconds. I always skip when I can and I find those completely and utterly annoying. And I'm not alone, 100% of my friends also think this way.
But I'm straying from the point of the article.
The management of the crypto keys could be handled by Google if people are okay with it, or they could offer up third party options (whether local, or some other "cloud" provider, such as Dropbox).
lastpass.com comes to mind. So far they are doing a wonderful job and I'm using insane passwords everywhere with no fear (including for the master key). And they offer several multi-factor options which I gladly use.
In any case I'm strongly in favor of Google enabling encryption at multiple levels. The article says it all: it's a huge act of goodwill that will certainly help the fight for privacy in the long term. And truth be said, Google has served as a driving force for many improvements in competing services. They offered shitloads of space and the competition followed the path, they offered a clean, easy and intuitive interface and the competition followed, they offered labels and the competition followed... You know what I mean ;)
Re:
It's as if companies know they are doing [Skip Ad >>>] ads, and go out of their way to make them quality so that I don't skip them.
I REALLY wish this would be automatic for everyone, to get everyone to use encryption, but even offering it as an "option" would be a GREAT addition. We should really push Google to do this.
Eventually others will do it anyway, especially when web crypto API's arrive in a little more than a year, and they could gain a lot of positive PR by being the first to do it now, rather than being the 10th to do it later on, when it's not so newsworthy anymore.
Google Implementing Encrypted Email...
Jesus HF Christ returns!!!
Women genuinely appreciate your candor when you confirm for them their ass is in fact, fat.
A third political party emerges in the U.S., the leader wins the Presidency and calls a new Congressional Congress and America's Reborn for another hundred years.
Charlie Brown marries the redheaded girl...
"Encrypt" is not magic word
Moreover, the whole "why" question left unanswered:
* For Google, it will hurt targeted advertisement.
* Privacy advocates? Who cares about them? I don't. And I do understand what the implications are. Most of the population doesn't even know they exist.
What's even more ridiculous is that if Google would take every piece of advice Techdirt gave, it should just provide the service for free, not look at search history/social profile/etc. since that would be a "privacy violation", make all software open-source and so on.
Business doesn't work like this - you can never please 100% of your customers. If you have 1-5% "privacy advocates", who cry wolf on every attempt to monetize data about users, the correct answer is to ignore them.
Re: "Encrypt" is not magic word
"...make all software open-source and so on."
To be fair, they do make some of their software open-source:
https://code.google.com/opensource/projects.html
Re: "Encrypt" is not magic word
But to be fair, I don't particularly like that email is about as secure as a postcard. I book travel for politicians and celebrities, and it's not unusual that they email me their credit card numbers, and I email out their travel itineraries.
On that subject: this same information is passed back and forth when people book on my agency's website. It has strong encryption, and people would freak out if it didn't. Why the double standard?
Re: Re: "Encrypt" is not magic word
HTTPS combines strong crypto with a braindead PKI.
For one illustration, remember the DigiNotar incident.
People “would freak out” if they didn't see the little padlock because HTTPS is a genuine triumph in marketing.
Re: "Encrypt" is not magic word
Good thing there are people that care for you. With increasing surveillance you should care.
What's even more ridiculous is that if Google would take every piece of advice Techdirt gave, it should just provide the service for free, not look at search history/social profile/etc. since that would be a "privacy violation", make all software open-source and so on.
Read the article again, it says it can still do targeted advertising, it'll just need to adapt.
Business doesn't work like this - you can never please 100% of your customers. If you have 1-5% "privacy advocates", who cry wolf on every attempt to monetize data about users, the correct answer is to ignore them.
It's not 5%, even I don't know the percentage. But the numbers are growing.
Re: "Encrypt" is not magic word
Why is that? Lastpass provides a great experience, and they don't know my encryption key. Why couldn't Google do the same? I hear they employ a few smart developers. Or it could be 3rd-party plugin.
Re: "Encrypt" is not magic word
Did you even read the article? This was discussed.
* For Google, it will hurt targeted advertisement.
Did you even read the article? This was discussed.
What's even more ridiculous is that if Google would take every piece of advice Techdirt gave, it should just provide the service for free, not look at search history/social profile/etc. since that would be a "privacy violation", make all software open-source and so on.
Can you point to a single citation where we've argued any of those? You can't because we don't actually agree with any of those claims.
Business doesn't work like this - you can never please 100% of your customers.
This has nothing to do with pleasing 100% of your customers. Did you even read the article?
Re: "Encrypt" is not magic word
Public-key cryptography solves these problems very well. Google holds the public key, you hold the private one. The public key only lets you encrypt, not decrypt.
If they're going to encrypt your email, that means that they'll have the keys with them, allowing them to decrypt your email themselves, thus defeating the purpose of encryption.
This is stupid. IF you really want encryption, do it yourself. It is MUCH safer.
Re:
Not necessarily. They could deliver the encrypted message to your browser (or mobile app), where it's decrypted on your computer. and likewise your computer could encrypt a message and then send it to the server.
Re:
http://en.wikipedia.org/wiki/Public-key_cryptography
Google - and everyone in the world for that matter - can have my public key. They use that key to encrypt something. Once it is encrypted, the only way to decrypt it is with my private key. So long as I'm in full control of my private key, I don't have to worry about everyone knowing the public key, since that only allows them to encrypt something which only I can decrypt.
There's also the Communications Assistance for Law Enforcement Act (CALEA), which requires that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time. https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act
Even if Google wanted to encrypt email messages for the masses, law enforcement would have a hissy fit. Governments would cry 'National Security' and demand a back-door be installed, because Gmail is such a huge service provider. Gmail encryption would be dead before it ever left the gate, or it would only provide a false sense of security because there would be back-doors installed.
Re:
So I'm a criminal. I want to communicate via the postal service. How would I do it? One of the best ways to do so would be to encrypt the message, let's say, store it on a secured USB drive and mail it over, and just me and the destination have the encryption keys. So what will the Government do to tackle that? I can also install encryption software on my phone (or run the line through a computer that will do the job) where just me and the other party have the encryption keys. What will the police do?
The basic answer is to deliver focused investigation efforts and 1- infiltrate people to get a hold of the key, 2- investigations will yield source and destination and even if you can't see what's being communicated you can see from and to (further security measures may make this difficult depending on the platform used for communicating) so you'll be able to FOCUS your efforts in the offline realm to get indirectly to the online contents, 3- smart criminals override back doors so this is just a lame excuse for mass surveillance, 4- etc.
In the end I kind of agree with you but even so I'm all for making their lives even more difficult.
Re: Re:
Do you think they'll just give up? Roll over, dead?
Or will they push forward their capabilities for endpoint compromise. Already, the user's own computer is the most vulnerable point. And already, the user's own computer is the most attacked point.
If nation-states lose all capability for attacking message traffic in the channel, then they'll redouble their efforts to compromise endpoints.
From the standpoint of making secure communications possible, I'm all for encouraging governments to waste their budgets on attacking what we already know how to secure—if we want to. Let them spend millions and billions on building wiretaps into routers—waste their resources everywhere except on the vulnerable endpoints.
Re: Re: Re: Re:
During the Cold War, there were many times where we knew something, and we knew the Soviets knew that something too—and further, we knew that they did know, and they knew too that we did know—and we knew that they knew that we knew... and it was nevertheless all very carefully kept very secret. Unmentionable.
From past behaviour, then, we must conclude that governments in the West consider their own citizens a greater threat than the godless commies.
So, if China has full access to all our telecommunications infrastructure, then remember that the really important thing is that the public must never find out.
Re: Re: Re: Re:
Secure against what?
Security does not exist in a vacuum—it is contextually dependent on the threat. The threat includes not only the adversary's theoretical capabilities, but the adversary's finite resources and deployed capabilities.
Re:
"A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."
The second part "and the carrier possesses the information necessary to decrypt the communication" allows Google to make gmail encrypted.
I have nothing to hide
Obviously the privacy benefits to Google taking this approach are enormous, but they stem largely from the feature becoming ubiquitous and easy. When it is one button click to encrypt your email, what excuse remains not to do it?
I'm not sure why the article even suggests to allow Google to manage the key for you, or even other cloud providers. That would totally kill the point of encrypting the message. From that point of view, e-mails are already encrypted like that, and you can't get man-in-the-middle attacks with Gmail, but Google has the keys to them, which means governments have the keys to them.
So the point is to get Google to do it so somehow only you and the recipient can decrypt the e-mail. Nobody else should have access to them, even if they had to give access to them.
Re:
So the point is that Google is a magical genie.
“Google, please, make me secure!” Hmmmm... ok.. maybe... “Google sudo make me secure!”
Browser plugin not an optional extra
Any solution that involves adding a button to gmail's web interface fundamentally cannot be secure. Even if you did public-key encryption with all the work done client-side in the browser, that still involves downloading the javascript to do it from the server and there's no way to prevent Google from installing a backdoor at any time if they want or are forced to by the government.
Even *with* a browser plugin it's problematic as it's difficult to do it in a way that ensures it cannot be bypassed. e.g. the client-side javascript could request the text you entered to be encrypted by the browser, so you get all the right feedback, then substitute it with the unencrypted version when submitting it to the server.
And let's not forget that if Google have provided the plugin it also might be compromised through the browser's auto-update feature.
Re: Re: Browser plugin not an optional extra
Therefore you have no real control over anything the code running on your browser is doing, despite the fact that it running on the client rather than on the server.
Re: Re: Re: Browser plugin not an optional extra
So you're saying the plugin provider would be distributing malware? Don't you think the privacy/security community would notice something like that?
Re: Re: Re: Re: Browser plugin not an optional extra
Several comments have pointed out that it would be a complete joke if you were to give Google your encryption key as it would be no better than not using encryption at all (in fact it would be worse, as you might *think* your email was private).
I was originally trying to make the point that this would be completely insecure even if you were to attempt to keep the private key client-side (or on dropbox etc) and do the encryption locally, which the article implied might be more secure.
While using a plugin is potentially more secure - it's still possible for security to be compromised here too. Suppose the plugin as originally distributed was fine and got the all clear from the security community, but was later compromised through the browser's auto-update feature. How long would it take to be noticed and how much email would be compromised before it was? What if the Feds were targeting you specifically and only you got the compromised plugin, how long would it be before you smelled a rat? Could Google be relied upon to push back against either of these if the government twisted its arm?
The bottom line is: Do you trust Google? If you do, then HTTPS is all you need to secure your email from everyone else. If you don't trust Google then why would you trust their encryption implementation?
Re: Re: Re: Re: Re: Browser plugin not an optional extra
Are you suggesting a bug, or intentionally malicious code?
What if the Feds were targeting you specifically and only you got the compromised plugin, how long would it be before you smelled a rat?
That is a nasty problem with no clear solution. But I hope a small one.
If you don't trust Google then why would you trust their encryption implementation?
I would trust an open source implementation.
Re: Re: Re: Re: Re: Re: Browser plugin not an optional extra
I was primarily thinking of intentionally malicious alterations.
> I would trust an open source implementation.
So would I, up to a point. It doesn't make security issues magically disappear, but does make things a lot more difficult for a potential attacker.
I'll concede my concerns over plugin security might be overblown, but I stand by my main point that web cryptography cannot be done entirely in javascript without some sort of browser support.
Re: Browser plugin not an optional extra
Better security is achieved by exchanging public keys with the people that you wish to communicate with, preferably by real-world meetings. Note this means a different public key from every person you wish secure communications with. In this case Google or similar services are only the mailbox, and should have no part in key management.
Note both the Google public key and managed public keys are useful for different purposes. The first to allow strangers and mere acquaintances to protect messages. The latter for communication between friends, family and associates. In practice most people are not prepared to live with the minor inconvenience of using encryption.
GOOGLE IS THE ENTITY READING YOUR EMAILS.
Google is literally the FOX guarding the henhouse. It just spends big to plant favorable opinion in tiny minds.
Stunningly stupid, inherently wrong idea.
Re:
And what if the user's computer has been trojaned with a keylogger?
And in case someone wasn't all that familiar with keylogging technology, here's the first non-paid, non-wikipedia result for “keylogger”...
Elite Keylogger - CNET Download.com
Re: Re: Re:
Final Report of the Select Committee To Study Governmental Operations With Respect To Intelligence Activities
United States Senate
April 23 (under authority of the order of April 14), 1976
Supplementary Detailed Staff Reports On Intelligence Activities And The Rights Of Americans, Book III
A good compromise might be
This would cause issues with searching as some have mentioned, but as part of the compromise you might store a local cache of your archived messages for searching. Google USED to do desktop search as I remember.
This might be a good solution.
If the guvment want to read them they will have to pry them from and I quote "From my cold dead hands".
The government of the United States is way too intrusive and takes way too many liberties. They need to be put on hold and stopped dead in their tracks. No more personal info from a web site with no warrant. You will have to deal with the individual you are trying to bust because we don't have their key. It is encrypted in our database.
If our politicians will not do their job and protect us then we have to take matters in our own hands.
I direct you to the following
http://www.maximumpc.com/article/features/protect_your_privary_how_send_encrypted_emails_with_linux
Think of the user
If you want to encrypt your emails, you can do that now. But if you do that, you probably aren't using Gmail in the first place. People use Gmail because it's dead simple and so easy your grandma can do it. And you want to complicate that with local private keys that the user has to manage herself? I don't think so.