Why Google Should Encrypt Our Email

from the it's-good-for-everyone dept

Julian Sanchez has put forth an interesting and compelling proposal: if Google really wanted to take a stand in favor of user privacy, it should encrypt all our emails.

Google is in an ideal position to overcome these difficulties, and finally make strong e-mail encryption a mass phenomenon. Their Gmail service—the one David Petraeus was using to exchange steamy messages with his biographer and lover, Paula Broadwell—has some 425 million active users by last count. Many of those users access the service through a Web interface, which Google can change and update for all users simultaneously. That means we could all wake up tomorrow to find a handy new “Encrypt Message” button included in the familiar Gmail interface we’re already using. Meanwhile, Google (along with Facebook) has rapidly become a kind of universal Internet identity provider, with the Google Account used as a key not only to access Google’s own myriad offerings, but many other independent online services as well.

Because truly strong encryption is “end to end”—meaning the end-users generate, store, and have sole access to their own private encryption keys—a robust content encryption system may require users to have appropriate client software installed on their own machines. Here, too, Google is well positioned to provide a solution: They already make a widely-used browser, Chrome, and a popular operating system for mobile devices, Android, which could be updated with the necessary functionality built-in, eliminating the need for a separate browser plug-in.

Of course, as Julian notes, one reason why Google is resisting this is that it would make it more difficult to scan your emails and offer contextual advertising based on what’s in those emails. He points out that Vint Cerf more or less admitted this last year, saying that it would be a challenge to their business model. But Julian argues that there are other ways to target advertisements (some of which might be more effective) than keying them directly off each email — for example, Google can still use your search history, social profiles, YouTube videos, etc. For what it’s worth, in all the years I’ve used Gmail, I don’t recall ever looking at the ads they display — though, obviously, some people out there must click. Also, a point worth noting: Microsoft’s new Outlook.com email system does not scan each email for contextual advertising purposes. If they can do it, it seems silly to argue that Google needs to scan each email. More importantly, Julian isn’t saying that every email should be encrypted — so plenty of messages will still be sent in the clear, and those can be used for contextual ads. And the benefits may outweigh the negatives:

Meanwhile, Google would garner enormous goodwill from privacy advocates, reams of free press coverage, and an attractive new selling point, not only for Gmail but for Chrome and Android as well. Encryption would likely be a particularly appealing feature for Google’s paying enterprise customers, whose messages may contain information that is not only private but highly valuable. At the very least, it’s worth running the numbers again to see whether offering strong encryption might now be a net boon to the company’s bottom line.

Furthermore, he notes that Google can use this to take a real stand against efforts by law enforcement to build wiretapping into email. Those efforts have been going on for a long time, and Google has fought against them in the past. But, he notes, getting people up in arms about the feds taking away something that people already have is a much more powerful motivator than getting them worked up about the feds making it impossible for Google to offer that feature in the future.

Because people are loss-averse, taking away something people already have and value can be all but impossible—while preventing them from getting it in the first place is far easier. By rolling out e-mail encryption now, Google can ensure that ordinary users see myopic efforts to regulate secure communications infrastructure as something that affects all of our privacy and security—not just that of faceless crooks or terrorists.

For what it’s worth, Ed Felten responded to Julian’s proposal by noting a few potential issues with it: (1) managing the crypto keys and crypto code would be an issue (would Google also store your key? If so, many of the benefits go away) and (2) there are features that rely on Google being able to see your email. On the latter issue, he notes that beyond the question of contextual advertising, encryption could make things like filtering messages more difficult — and that includes more important filters like spam.

Julian responds by noting that these are not insurmountable issues. The management of the crypto keys could be handled by Google if people are okay with it, or they could offer up third party options (whether local, or some other “cloud” provider, such as Dropbox).

…lots of cloud services that offer encryption let the user choose whether or not to let the provider keep a backup copy of the user’s keys. The more paranoid could sacrifice some mobility and convenience—and risk losing access to some of their messages if their local copies of the key are destroyed—by opting not to let Google keep even an encrypted copy of their key. Or, as a middle ground, a user could always store an encrypted backup copy of her key with a different cloud provider, like Dropbox, which need not even be known to Google. That provides all of the advantages of storing the key with Google at a relatively minor cost in added hassle, but substantially raises costs for any attacker, who now must not only crack the passphrase protecting the key, but figure out where in the cloud that key is located. Assuming it’s accessed relatively infrequently (most of us read our e-mail on the same handful of devices most of the time) even a governmental attacker with subpoena power and access to IP logs is likely to be stymied, especially if the user is also employing traffic-masking tools like Tor

As for the filtering option, he notes that you can still filter based on other metadata, and that most of the encrypted notes are less likely to be spam, since they’re more likely to be used between people who know each other. To avoid the problem of spammers suddenly jumping on the encryption bandwagon, he suggests an option where you might only accept encrypted mail from white-listed addresses.

Some Google haters will insist that Google will never do this because it might diminish the contextual ad business, but as Julian explains (in both links!) that’s not necessarily the case. Furthermore, Google has, in the past, shown that it recognizes that making a goodwill gesture in terms of increasing privacy or better protecting its users can often pay off in much more usage and public goodwill in the long run. As Julian notes: it seems that it’s at least worth running some numbers to see how it might make financial sense to better protect user emails.

Companies: google


Comments on “Why Google Should Encrypt Our Email”

69 Comments
Androgynous Cowherd says:

Encrypted spam prevention

It’s even easier to avoid the problem of being unable to filter encrypted spam. Just choose a cryptosystem that’s a) an asymmetric cipher and b) reasonably expensive to encrypt.

To spam an encrypted message to millions of users, the spammer’s computer would have to encrypt each of millions of copies separately using the individual target’s public key. This would be slow and expensive and destroy the economic reason for spamming in the first place. Spammers would thus avoid encryption, even if it meant the likelihood of being caught and blocked by filters at many destinations.

The Ultimate Anonymous Coward says:

Re: Encrypted spam prevention

Not only that, the spammer’s computer first has to retrieve all the public keys from somewhere. If that’s an email service like gmail, a sudden mass download of public keys for huge numbers of mailboxes there will be a sure indicator of a spammer winding up for a fastball. And it wouldn’t be hard for automation to detect a mass key download and either block it, or (evil!) let it go ahead but silently drop every incoming email from the same IP address for a while. Or, to defeat even a spammer clever enough to grab keys from one IP and send mail from a second, just wait for an encrypted message to arrive at one of the mailboxes whose keys were in the mass download, wait a bit longer, and then see if many or all of the other such mailboxes got mail near the same time and these mails have low diversity in originating IPs. Then dump them.

RonKaminsky (profile) says:

Re: Encrypted spam prevention

> the spammer’s computer

Unfortunately for your theory, “the spammer’s computer” is in reality, often 10’s of thousands of other peoples’ computers (i.e., botnet).

Ah, the nostalgia for the “why your idea to prevent spam won’t work” form letter (the one with the checkboxes)…

As Mike points out repeatedly, the real (and mostly only) way to solve problems is economics — i.e., spam will not disappear until user education/cultural evolution has made it unprofitable.

FarSide (profile) says:

Re: Re: "the more paranoid"

If things weren’t so friggin screwed up, the answer would be easy – trust the company, and if they do wrong then it’s the government’s job to pound on them.

Unfortunately, here in the real world, I don’t know the best answer.

However, if we are talking proper encryption here, then it’s not handing the keys over to anyone – it’s letting me have the keys, Google providing a place to store things that even they can’t access, and the govt can go sit in a corner and cry about it.

John Fenderson (profile) says:

Re: Re: "the more paranoid"

> do we hand over the keys to a corporation, or to government?

Neither. Corporations and the government are equally trustworthy. Meaning they’re not at all. You have to watch them like a hawk at all times.

It also helps to remember that every interaction with them is an exchange. You’re giving up something to get something. The trick is to make sure that what you’re getting is worth at least as much as what you’re giving up.

Ninja (profile) says:

> For what it’s worth, in all the years I’ve used Gmail, I don’t recall ever looking at the ads they display — though, obviously, some people out there must click.

I admit I have looked at the ads once or twice and I clicked them one of the times out of curiosity. Most of the time I ignore them. Now we have those annoying videos on Youtube where you can skip in like 5 seconds. I always skip when I can and I find those completely and utterly annoying. And I’m not alone, 100% of my friends also think this way.

But I’m straying from the point of the article.

> The management of the crypto keys could be handled by Google if people are okay with it, or they could offer up third party options (whether local, or some other “cloud” provider, such as Dropbox).

lastpass.com comes to mind. So far they are doing a wonderful job and I’m using insane passwords everywhere with no fear (including for the master key). And they offer several multi-factor options which I gladly use.

In any case I’m strongly in favor of Google enabling encryption in multiple levels. The article says it all, it’s a huge act of goodwill that will certainly help the fight for privacy in the long term. And truth be said, Google has served as a driving force for many improvements in the competition services. They offered shitloads of space the competition followed the path, they offered a clean, easy and intuitive interface and competition followed, they offered labels and the competition followed…… You know what I mean 😉

PRMan (profile) says:

Re: Re:

Strangely, the ads I have actually WATCHED on YouTube are the ones with Skip Ad. Some of these have turned out to be beautiful pieces of artwork with great songs and wonderful visuals. Others are highly targeted to my interests (such as the ad for Lego Batman 2 I didn’t skip when I was looking at a solve video for Lego Pirates of the Caribbean–smart move).

It’s as if companies know they are doing [Skip Ad >>>] ads, and go out of their way to make them quality so that I don’t skip them.

Anonymous Coward says:

I’m mostly a “Google fanboi”, but I agree with this 100%. I want to be able to encrypt not just e-mail messages, but also Google Talk (with OTR) and Google Drive – all from the browser.

I REALLY wish this would be automatic for everyone, to get everyone to use encryption, but even offering it as an “option” would be a GREAT addition. We should really push Google to do this.

Eventually others will do it anyway, especially when web crypto API’s arrive in a little more than a year, and they could gain a lot of positive PR by being the first to do it now, rather than being the 10th to do it later on, when it’s not so newsworthy anymore.

Bryan O'Doyle says:

Google Implementing Encrypted Email...

Just off the top… a few things more likely…

Jesus HF Christ returns!!!
Women genuinely appreciate your candor when you confirm for them their ass is in fact, fat.
A third political party emerges in the U.S., the leader wins the Presidency and calls a new Congressional Congress and America’s Reborn for another hundred years.
Charlie Brown marries the redheaded girl…

lfroen (profile) says:

"Encrypt" is not magic word

How exactly Google should encrypt it? If key will reside on Google side – the whole exercise is pointless. On the other hand, if key is on client – user experience will be awful.
Moreover, the whole “why” question left unanswered:
* For Google, it will hurt targeted advertisement.
* Privacy advocates? Who cares about them? I don’t. And I do understand what implications are. Most of population don’t even know they exists.
What’s even more ridiculous, is that if Google would take every advice techdirt gave, it should just provide service for free, don’t look at search history/social profile/etc since that would be “privacy violation”, make all software open-source and so on.
Business doesn’t work like this – you can never please 100% of your customers. If you have 1-5% “privacy advocates”, who cry wolf on every attempt to monetize data about users – correct answer is to ignore them.

Mike Brown (profile) says:

Re: "Encrypt" is not magic word

Well, it’s true that there are some super-paranoid privacy freaks out there (what are you hiding??!!).

But to be fair, I don’t particularly like that email is about as secure as a postcard. I book travel for politicians and celebrities, and it’s not unusual that they email me their credit card numbers, and I email out their travel itineraries.

On that subject: this same information is passed back and forth when people book on my agency’s website. It has strong encryption, and people would freak out if it didn’t. Why the double standard?

Ninja (profile) says:

Re: "Encrypt" is not magic word

> Privacy advocates? Who cares about them? I don’t. And I do understand what implications are. Most of population don’t even know they exists.

Good thing there are people that care for you. With increasing surveillance you should care.

> What’s even more ridiculous, is that if Google would take every advice techdirt gave, it should just provide service for free, don’t look at search history/social profile/etc since that would be “privacy violation”, make all software open-source and so on.

Read the article again, it says it can still do targeted advertising, it’ll just need to adapt.

> Business doesn’t work like this – you can never please 100% of your customers. If you have 1-5% “privacy advocates”, who cry wolf on every attempt to monetize data about users – correct answer is to ignore them.

It’s not 5%, even I don’t know the percentage. But the numbers are growing.

Mike Masnick (profile) says:

Re: "Encrypt" is not magic word

> How exactly Google should encrypt it? If key will reside on Google side – the whole exercise is pointless. On the other hand, if key is on client – user experience will be awful.

Did you even read the article? This was discussed.

> * For Google, it will hurt targeted advertisement.

Did you even read the article? This was discussed.

> What’s even more ridiculous, is that if Google would take every advice techdirt gave, it should just provide service for free, don’t look at search history/social profile/etc since that would be “privacy violation”, make all software open-source and so on.

Can you point to a single citation where we’ve argued any of those? You can’t because we don’t actually agree with any of those claims.

> Business doesn’t work like this – you can never please 100% of your customers.

This has nothing to do with pleasing 100% of your customers. Did you even read the article?

John Fenderson (profile) says:

Re: "Encrypt" is not magic word

> How exactly Google should encrypt it? If key will reside on Google side – the whole exercise is pointless. On the other hand, if key is on client – user experience will be awful.

Public-key cryptography solves these problems very well. Google holds the public key, you hold the private one. The public key only lets you encrypt, not decrypt.

nasch (profile) says:

Re: Re:

> If they’re going to encrypt your email, that means that they’ll have the keys with them, allowing them to decrypt your email themselves, thus defeating the purpose of encryption.

Not necessarily. They could deliver the encrypted message to your browser (or mobile app), where it’s decrypted on your computer, and likewise your computer could encrypt a message and then send it to the server.

Josh in CharlotteNC (profile) says:

Re: Re:

Please read a bit about asymmetric key encryption. This relies on two keys – a public key, and a private (or secret) key.

http://en.wikipedia.org/wiki/Public-key_cryptography

Google – and everyone in the world for that matter – can have my public key. They use that key to encrypt something. Once it is encrypted, the only way to decrypt it is with my private key. So long as I’m in full control of my private key, I don’t have to worry about everyone knowing the public key, since that only allows them to encrypt something which only I can decrypt.

Bill G. says:

Hushmail stores their encryption keys locally, and all it took was a subpoena to get access to user emails. http://www.zdnet.com/blog/threatchaos/hushmail-betrays-trust-of-users/487

There’s also the Communications Assistance for Law Enforcement Act (CALEA), which requires that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time. https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

Even if Google wanted to encrypt email messages for the masses, law enforcement would have a hissy fit. Governments would cry ‘National Security’ and demand a back-door be installed, because Gmail is such a huge service provider. Gmail encryption would be dead before it ever left the gate, or it would only provide a false sense of security because there would be back-doors installed.

Ninja (profile) says:

Re: Re:

> Governments would cry ‘National Security’ and demand a back-door be installed, because Gmail is such a huge service provider.

So I’m a criminal. I want to communicate via postal service. How would I do it? One of the best ways to do so would be to encrypt the message, let’s say, store it in a secured usb drive and mail over and just me and the destination have the encryption keys. So what will the Government do to tackle that? I can also install an encryption software on my phone (or drive the line through a computer that will do the job) where just me and the other part have the encryption keys. What will the police do?

The basic answer is to deliver focused investigation efforts and 1- infiltrate people to get a hold of the key, 2- investigations will yield source and destination and even if you can’t see what’s being communicated you can see from and to (further security measures may make this difficult depending on the platform used for communicating) so you’ll be able to FOCUS your efforts in the offline realm to get indirectly to the online contents, 3- smart criminals override back doors so this is just a lame excuse for mass surveillance, 4- etc.

In the end I kind of agree with you but even so I’m all for making their lives even more difficult.

Anonymous Coward says:

Re: Re: Re:

> I’m all for making their lives even more difficult.

Do you think they’ll just give up? Roll over, dead?

Or will they push forward their capabilities for endpoint compromise. Already, the user’s own computer is the most vulnerable point. And already, the user’s own computer is the most attacked point.

If nation-states lose all capability for attacking message traffic in the channel, then they’ll redouble their efforts to compromise endpoints.

From the standpoint of making secure communications possible, I’m all for encouraging governments to waste their budgets on attacking what we already know how to secure—if we want to. Let them spend millions and billions on building wiretaps into routers—waste their resources everywhere except on the vulnerable endpoints.

Anonymous Coward says:

Re: Re: Re:2 Re:

I wonder how the Govt will deal with that delicate issue.

During the Cold War, there were many times where we knew something, and we knew the Soviets knew that something too—and further, we knew that they did know, and they knew too that we did know—and we knew that they knew that we knew… and it was nevertheless all very carefully kept very secret. Unmentionable.

From past behaviour, then, we must conclude that governments in the West consider their own citizens a greater threat than the godless commies.

So, if China has full access to all our telecommunications infrastructure, then remember that the really important thing is that the public must never find out.

Anonymous Coward says:

The unfortunate truth of public-key cryptography is that both sides of the communication have to play along, and it is very difficult to convince non-techie, non-privacy-conscious people to adopt the inconvenience of encrypted email for the sake of privacy (the fact that “if you have nothing to hide, you have nothing to fear” is a common criticism of privacy concerns should speak volumes).

Obviously the privacy benefits to Google taking this approach are enormous, but they stem largely from the feature becoming ubiquitous and easy. When it is one button click to encrypt your email, what excuse remains not to do it?

Anonymous Coward says:

Obviously you should have the key, or they should do it the way Kim Dotcom intends to do it with Mega.

I’m not sure why the article even suggests to allow Google to manage the key for you, or even other cloud providers. That would totally kill the point of encrypting the message. From that point of view, e-mails are already encrypted like that, and you can’t get man-in-the-middle attacks with Gmail, but Google has the keys to them, which means governments have the keys to them.

So the point is to get Google to do it so somehow only you and the recipient can decrypt the e-mail. Nobody else should have access to them, even if they had to give access to them.

eclecticdave (profile) says:

Browser plugin not an optional extra

The biggest problem is the need for a browser plugin to be able to do this securely, which is much more of a big deal to organize than the article suggests.

Any solution that involves adding a button to gmail’s web interface fundamentally cannot be secure. Even if you did public-key encryption with all the work done client-side in the browser, that still involves downloading the javascript to do it from the server and there’s no way to prevent Google from installing a backdoor at any time if they want or are forced to by the government.

Even *with* a browser plugin it’s problematic as it’s difficult to do it in a way that ensures it cannot be bypassed. e.g. the client-side javascript could request the text you entered to be encrypted by the browser, so you get all the right feedback, then substitute it with the unencrypted version when submitting it to the server.

And let’s not forget that if Google have provided the plugin it also might be compromised through the browser’s auto-update feature.

eclecticdave (profile) says:

Re: Re: Browser plugin not an optional extra

All code running in a browser is downloaded from the server (it can be cached, but you have no control over when it is refreshed).

Therefore you have no real control over anything the code running on your browser is doing, despite the fact that it is running on the client rather than on the server.

Anonymous Coward says:

Re: Browser plugin not an optional extra

For reasonable security, encryption and decryption of sensitive emails should be carried out as a separate operation to sending and receiving emails, that is use Gmail as a mailbox. Google could be used to make a public key available, to protect incoming emails, and verifying signing of outgoing emails, to the level that the owner of the email account also has the necessary private key.
Better security is achieved by exchanging public keys with the people that you wish to communicate with, preferably by real world meetings. Note this means a different public key from every person you wish secure communications with. In this case Google or similar services are only the mailbox, and should have no part in key management.
Note both the Google public key, and managed public keys are useful for different purposes. The first to allow strangers and mere acquaintances to protect messages. The latter for communication between friends, family and associates. In practice most people are not prepared to live with the minor inconvenience of using encryption.

Anonymous Coward says:

Re: Re:

Just use Thunderbird with Enigmail PGP…

And what if the user’s computer has been trojaned with a keylogger?

Scarfo allegedly used PGP to encode his confidential and incriminating business data. With a judge’s approval, FBI agents repeatedly sneaked into Scarfo’s business to plant a keystroke sniffer — it could be either software or hardware — and monitor its output.

And in case someone wasn’t all that familiar with keylogging technology, here’s the first non-paid, non-wikipedia result for “keylogger”…

Elite Keylogger – CNET Download.com

CNET Editors’ review
by: CNET Staff on February 27, 2009

This monitoring software quickly and easily monitors keystrokes and PC activity, and it does so using a well-designed user interface. Our only complaint is the short 7-day trial period.

When you first install Elite Keylogger, you’ll be asked to select modes–visibility and invisibility. . . .


Download Now

CNET Editor’s Rating: ∗∗∗∗∗
Spectacular

nasch (profile) says:

Re: Re: Re:

If the objective is to evade detection by the FBI, secure email is obviously not going to cut it. I don’t think they would have any way to read properly-encrypted email without a warrant, so I don’t see too much of a concern there (assuming the warrant process is working correctly, which is a completely different topic).

Anonymous Coward says:

Re: Re: Re: Re:

> … without a warrant

Final Report of the Select Committee To Study Governmental Operations With Respect To Intelligence Activities
United States Senate
April 23 (under authority of the order of April 14), 1976

Supplementary Detailed Staff Reports On Intelligence Activities And The Rights Of Americans, Book III

* Warrantless FBI Electronic Surveillance
* Warrantless Surreptitious Entries: FBI “Black Bag” Break-Ins and Microphone Installations

Scott Yates (profile) says:

A good compromise might be

A good compromise might be to allow me to say that all mail is encrypted with my local key when I tell it to “archive” message.

This would cause issues with searching as some have mentioned, but as part of the compromise you might store a local cache of your archived messages for searching. Google USED to do desktop search as I remember.

This might be a good solution.

Anonymous Coward says:

My company already uses GNU Privacy Guard (GPG) which is standard on our CentOS in-house servers. We use thunderbird to send and receive our emails. All in-house communications are encrypted. This is company policy. You send an email to another employee while in the office it is automatically encrypted. We started doing this after a couple of wazoo artists or dev people said “Well you said in your email to SO and SO”. Idiots. Because they got access to text emails in the user dir’s. HOW? They were working on the system, so now everything internal is encrypted.

If the guvment want to read them they will have to pry them from and I quote “From my cold dead hands”.

The government of the United States is way too intrusive and takes way too many liberties. They need to be put on hold and stopped dead in their tracks. No more personal info from a web site with no warrant. You will have to deal with the individual you are trying to bust because we don’t have their key. It is encrypted in our database.

If our politicians will not do their job and protect us then we have to take matters in our own hands.

I direct you to the following
http://www.maximumpc.com/article/features/protect_your_privary_how_send_encrypted_emails_with_linux

eclecticdave (profile) says:

Browser plugin not an optional extra

No, I’m referring here to the situation where you’re *not* using a plugin, but where all the encryption is done using Javascript.

Several comments have pointed out that it would be a complete joke if you were to give Google your encryption key as it would be no better than not using encryption at all (in fact it would be worse, as you might *think* your email was private).

I was originally trying to make the point that this would be completely insecure even if you were to attempt to keep the private key client-side (or on dropbox etc) and do the encryption locally, which the article implied might be more secure.

While using a plugin is potentially more secure – it’s still possible for security to be compromised here too. Suppose the plugin as originally distributed was fine and got the all clear by the security community, but was later compromised by the browser’s auto-update feature. How long would it take to be noticed and how much email would be compromised before it was? What if the Feds were targeting you specifically and only you got the compromised plugin, how long would it be before you smelled a rat? Could Google be relied upon to push back against either of these if the government twisted its arm?

The bottom line is: Do you trust Google? If you do, then HTTPS is all you need to secure your email from everyone else. If you don’t trust Google then why would you trust their encryption implementation?

Anonymous Coward says:

Re:

Um, no, CALEA does not require modifications to allow surveillance. 47 U.S.C. § 1002(b)(3):

“A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.”

The second part “and the carrier possesses the information necessary to decrypt the communication” allows Google to make gmail encrypted.

nasch (profile) says:

Browser plugin not an optional extra

> Suppose the plugin as originally distributed was fine and got the all clear by the security community, but was later compromised by the browser’s auto-update feature. How long would it take to be noticed and how much email would be compromised before it was?

Are you suggesting a bug, or intentionally malicious code?

> What if the Feds were targeting you specifically and only you got the compromised plugin, how long would it be before you smelled a rat?

That is a nasty problem with no clear solution. But I hope a small one.

> If you don’t trust Google then why would you trust their encryption implementation?

I would trust an open source implementation.

eclecticdave (profile) says:

Re: Browser plugin not an optional extra

> Are you suggesting a bug, or intentionally malicious code?

I was primarily thinking of intentionally malicious alterations.

> I would trust an open source implementation.

So would I, up to a point. It doesn’t make security issues magically disappear, but does make things a lot more difficult for a potential attacker.

I’ll concede my concerns over plugin security might be overblown, but I stand by my main point that web cryptography cannot be done entirely in javascript without some sort of browser support.

Khaim (profile) says:

Think of the user

As usual, lots of nerds are missing the point. Think of the average user – your parents, say. Would this change create more work for them to access their email? Remember, to do this right you need to make sure Google can’t read the messages. (If they can, you’re just one super-secret-national-security court order away from having your mail read.)

If you want to encrypt your emails, you can do that now. But if you do that, you probably aren’t using Gmail in the first place. People use Gmail because it’s dead simple and so easy your grandma can do it. And you want to complicate that with local private keys, that the user has to manage herself? I don’t think so.
