Google says half of email is sent unencrypted


Google says that in spite of its encryption efforts, 40-50% of emails sent between Gmail and other email providers still aren’t encrypted.

When emails are sent unencrypted they can be read by any bad actors or governments with access to the networks they travel through.

Gmail uses Transport Layer Security (TLS) to create an encryption 'tunnel' between its own mail servers and everyone else's. When emails are in the tunnel they can't be spied upon.

But hey, a tunnel has two ends. Or, as Brandon Long, Tech Lead of Google's Gmail Delivery Team, puts it:

The important thing is that both sides of an email exchange need to support encryption for it to work; Gmail can't do it alone.

To help people understand whether their email is actually protected with encryption, Google on Tuesday launched a new section in its Transparency Report that shows which email providers are doing what with encryption.

Many providers have switched on encryption, while others have pledged to do so, Long said. As they do, we'll see an increasing amount of email that's shielded from interception.

Google said that fewer than half of the messages it swapped with Microsoft's Hotmail servers were encrypted.

In December, as part of its pledged anti-NSA-level encryption, Microsoft said it's working with email providers to make sure messages remain encrypted.

But encryption between mail servers is only part of the story when it comes to keeping emails secure from prying eyes.

There are two kinds of encryption used with email: the encryption 'tunnels' that protect emails on the move, and end-to-end encryption, which protects emails both in transit and at rest and which can only be decrypted by the intended recipient.

On Tuesday, Google acknowledged that end-to-end encryption is great in theory but tricky to implement.

Encrypting traffic between mail servers is much more widely used because it puts the tricky, technical implementation into the hands of system administrators.

So, alongside its efforts to increase encryption between mail servers, Google is also trying to grease the wheels of end-to-end encryption with a prototype Chrome extension called, appropriately enough, End-to-End.

Right now the extension is only available as code so that the computer security community can help to test it. Google says once it's ready for general use it'll appear in the Google Chrome store.

The Electronic Frontier Foundation (EFF) is taking credit for lighting the fires that have sparked many of the encryption advances in recent months.

As Technology Projects Director Peter Eckersley said in a post on Tuesday, the group has been working for the past few years to promote the universal use of encryption for internet protocols.

In November, the EFF also launched its Encrypt the Web Scorecard, which, in addition to web encryption, added a second focus on securing transmissions between mailservers.

That was an important element in protecting against non-targeted dragnet surveillance, Eckersley wrote, but there's still work to be done:

More mail operators need to implement STARTTLS, and some of those that already support STARTTLS need to upgrade their servers to support modern ciphers and forward secrecy.
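The three conditions in the quote above (STARTTLS offered, a current protocol version, forward secrecy) can be checked mechanically. The following is an added example, not code from Google or the EFF: the EHLO replies are constructed samples, the function names and grade strings are illustrative, and the TLS 1.3 case goes beyond what the article covers.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from any real server).
EHLO_WITH_TLS = "250-mx.example.net\n250-SIZE 35882577\n250-STARTTLS\n250 8BITMIME"
EHLO_PLAIN = "250-mx.example.org\n250-SIZE 10240000\n250 8BITMIME"

OUTDATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def advertises_starttls(ehlo_reply: str) -> bool:
    """True if a multi-line EHLO reply ('250-KEYWORD' ... '250 KEYWORD') lists STARTTLS."""
    for line in ehlo_reply.splitlines():
        if line[:3] == "250" and line[3:4] in ("-", " "):
            if line[4:].split(" ", 1)[0].strip().upper() == "STARTTLS":
                return True
    return False

def has_forward_secrecy(tls_version: str, cipher_name: str) -> bool:
    """TLS 1.3 key exchange is always ephemeral; earlier versions need (EC)DHE suites."""
    return tls_version == "TLSv1.3" or cipher_name.startswith(("ECDHE-", "DHE-"))

def grade(starttls: bool, tls_version: str = "", cipher_name: str = "") -> str:
    """Classify a server against the three points in the quote above."""
    if not starttls:
        return "no STARTTLS: mail travels in cleartext"
    if tls_version in OUTDATED:
        return "STARTTLS, but outdated protocol"
    if not has_forward_secrecy(tls_version, cipher_name):
        return "STARTTLS, but no forward secrecy"
    return "STARTTLS with forward secrecy"

def probe(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live check of a mail server you operate; needs outbound access to port 25."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return grade(False)
        # Default context verifies the certificate; a failure raises ssl.SSLError.
        smtp.starttls(context=ssl.create_default_context())
        # version() is the negotiated protocol; cipher()[0] is the OpenSSL suite name.
        return grade(True, smtp.sock.version(), smtp.sock.cipher()[0])
```

`grade` works on recorded values, so it can be run over saved handshake details as well as through `probe`.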

But however slowly, however painfully, it sounds like we just might be getting somewhere.

That's good news for those of us who are wary of snooping - whether it's by the government, crooks or garden-variety creeps.

And, if you want to know what else you could be doing to improve your privacy by using and demanding more encryption then you're in good company.

Today the internet is engaging in a world-wide campaign aimed at doing exactly that; it's called Reset The Net.

Image of open padlock courtesy of Shutterstock.


10 Responses to Google says half of email is sent unencrypted

  1. Tirekyll · 485 days ago

    so don't email anything that contains personal information you don't want on the internet, not exactly rocket science.

    Btw, I didn't read a word past the title. People do stupid shit on the internet, better security shouldn't be the solution for idiocy.

    • The principle of least privilege has it that if people don't need access to something they shouldn't have it.

      It's easier to determine the narrow set of use cases that are OK (the recipient can read my email and nobody else can) than the infinite number that aren't OK.

      Without it you have to decide if your email contains information you don't want others to have.

      Without it you have to decide, each and every time you send an email, how somebody or some organisation with bad intentions might be able to use the information in your email, either today or in many years' time, in isolation or combined with other of your emails or with other data that you don't know about or which might not even exist yet.

    • Thomas · 484 days ago

      True! People do stupid shit everywhere, all the time. To illustrate your point, does anyone remember when step ladders didn't have a warning not to stand on the very top of them? So many idiots did that, and fell, that the government mandated warnings. The cost of step ladders went up far beyond slapping a couple of stickers on the top rung and the very top. But all it did was protect the manufacturers of step ladders from lawsuits. The idiots didn't pay any attention to the warnings. Go to a website called "The Darwin Awards" if you want to read about really, really stupid shit people do.

      Protecting idiots from their own stupidity is an exercise in futility.

    • Steve · 484 days ago

      "People do stupid shit on the internet". Yeah, like commenting on something when they "didn't read a word past the title". Well, I guess your comment was informative: now the rest of us, when reading comments, will know not to read a word past your name.

  2. Once again, Google trying to distract us from the real issues here.

    NSA is almost certainly NOT monitoring me. They haven't the resources to monitor all the people that actually are a threat, let alone people like me sending emails about what size gloves I want from an online retailer.

    Meanwhile Google really is monitoring every email, every web search, every location fix, every instant message and - if you are crazy enough - your pulse and the temperature of the room you are in at your home.

    Google offering encryption to keep the NSA out of our emails is like my local burglar selling me a door lock he has a key for, and telling me it is to keep the police out of my house. The police don't want to come in my house, and if they ever do they will knock the whole door down: the burglar is the threat, not the police.

    Let's see Google offer encryption that keeps GOOGLE out of our email.

    • Tirekyll · 485 days ago

      Well...don't use gmail. Hell for just $20 a year you can have your own email with a custom domain. I say if Google wants to read the numerous porn adverts I get, and the amount I pay to my ISP, please do.

  3. The easiest solution to both the issue of keeping Google out of your email, and keeping unwanted third parties out of your email (including the NSA) is to use something like Thunderbird with GPG encryption. This can run over a gmail account and will encrypt your email so no-one but the intended recipient can see it.

    The issue here is not Google, or the receiving email servers. It's users who are programmed to rely on companies and government to solve their problems for them, rather than actually taking control themselves. If you don't take control of the situation, you get exactly the security/privacy you request.

    • Gavin · 484 days ago

      Very well said, Paul -- hence the importance of initiatives like "Reset the Net". It just makes sense to try to be secure as an individual, no matter what your views are on dragnet surveillance, giant search engines, social media megaliths and so on.

      The added advantage of increased awareness and adoption of individual encryption solutions is that they will become ever-more accessible to the non-tech masses as more and more people guide their development, demand ease-of-use and so on.

      I downloaded and installed Thunderbird and Enigmail last night, generated OpenPGP keys and successfully sent a test encrypted email. It took me about 20 minutes. That's not bad, and certainly didn't require a high level of expertise; but it's not totally transparent and convenient yet.

      When that process becomes, "download this app, enter your email address, click this button and you're all set in 3 minutes", or even better, when end-to-end encryption and keypair generation/management is a default part of setting up a new device then we will see mass adoption.

      That's the future I'm looking forward to.


  4. Barney Laurance · 485 days ago

    Thunderbird and GPG are not really either 'easiest', or a complete solution. They're not easy for most people to properly understand and use. They only work if the people you're writing to are also using similar software. They don't protect the headers such as To, From and Subject, which can carry very sensitive information. You need TLS or similar to protect those.

  5. LindaB · 484 days ago

    I still want to hear what we as ordinary users should be doing to use encryption systems so that everything we send and receive is as protected as currently possible.
    It's all very well those in the know saying use this, that or the other but how do we ordinary mortals go about protecting ourselves, our data and our systems? A decent AV suite is a start, I use Sophos and Avast, but what about all the emails? I use Yahoo as do others and some friends use hotmail, but what are we to do if neither MS nor Yahoo have proper encryption in place yet?


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.