Google’s end-to-end email encryption project that it started back in 2014 has left home. But has the Chrome extension really “flown the nest” as Google claimed last week? Or has it simply been abandoned and left to fend for itself?
Turn back the clocks to 2013. Google promises end-to-end encryption in an effort to regain users’ trust following Edward Snowden’s revelations about global surveillance conducted by government law-enforcement agencies.
And Google did make good on that promise in March 2014, switching Gmail to HTTPS only and encrypting emails internally too, shouting from the rooftops that these changes were
something we [Google] made a top priority after last summer’s revelations.
A few months later, in June 2014, Google then announced an extension for its Chrome browser called “End-to-End”. Still only in the very early stages of development, the new extension would allow users to send and receive emails securely.
“End-to-end” encryption means data leaving your browser will be encrypted until the message’s intended recipient decrypts it, and that similarly encrypted messages sent to you will remain that way until you decrypt them in your browser.
Google promised to make the extension available in the Chrome Web Store once it was “ready for primetime”.
Yahoo quickly jumped on board, announcing its support for the project at the Black Hat security conference in Las Vegas in August 2014.
Later that year, Google revealed that it was making the source code for the Chrome extension open source via GitHub, while proclaiming it still intended one day to release the extension on the Chrome Web Store:
We’re excited to continue working on these challenging and rewarding problems, and we look forward to delivering a more fully fledged End-to-End next year.
After that, however, everything went quiet. Google’s commitment to the project became questionable.
An article in Tom’s Hardware points out that “Yahoo even demoed a preview version of the extension ahead of Google” – in spring 2015. A full year later, the project still remained a work in progress. Motherboard sums the progress up well:
Google and Yahoo’s projects on secure end-to-end encrypted email have yet to see the light of day. That’s why some are starting to question how much Google and Yahoo really care about making this happen.
Neither Google nor Yahoo’s project managers for the email encryption project responded to Motherboard’s request for comment. But Yan Zhu, a former lead developer on the end-to-end project at Yahoo, told Motherboard that engineers at both Google and Yahoo were “all really committed to it”.
Last Friday, Google quietly announced that End-to-End was no longer a Google effort.
E2EMail is not a Google product, it’s now a fully community-driven open source project, to which passionate security engineers from across the industry have already contributed.
Careful to make it clear that it’s not completely giving up on the project, which is now called E2EMail, Google added that it was looking forward to “working alongside the community to integrate E2EMail with the Key Transparency server, and beyond.” If you’re interested, you can check out the e2email-org/e2email repository on GitHub.
Talking to Wired, Google’s Somogyi explained the reasons for the move:
The reason we want to put this into the open-source community is precisely because everyone cares about this so much. We don’t want everyone waiting for Google to get something done.
Not everyone’s convinced. Matthew Green, a cryptographer and computer scientist at Johns Hopkins University who has closely studied tech firms’ messaging encryption products, told Wired:
The real message is that they’re not actively developing this as a Google project any more. It’s definitely a bit of a disappointment, given how much hype Google generated around this project.
The University Herald fears that without Google’s backing, the project might now simply go nowhere. Highlighting the uphill battle that the project now faces, it notes:
The open source environment is known for being littered with abandoned software and coding projects due to lack of developers’ interest, strong backings, and last, project goals.
Three years on and with no easy-to-use extension available, only time will tell whether or not the open-source community has enough interest to keep this project alive. This project is full of technical challenges that need to be overcome.
Yet it offers so much opportunity too. As ZDNet points out, the open source community has been given the project “with no strings attached”. The primary goal for now, according to the description on GitHub, is to “improve data confidentiality for occasional small, sensitive messages”, where “even the mail provider, Google in the case of Gmail, is unable to extract the message content”.
The question has to be: is there the will and the leadership needed to make it happen?
Google has an obvious interest in reading the content of messages sent and received via Gmail. Wouldn’t developing this technology therefore be at cross-purposes with generating ad revenue?
And then there’s the ability of Google to sort and otherwise act upon the content of messages, in accordance with all of Gmail’s advanced features. I mean, they’re displaying information culled from your messages — without being prompted — right in your browser’s search results!
So has Google concluded — given all their other revenue streams, and e-mail’s decreasing importance — that the money made from data-mining it is now negligible and therefore expendable, in the name of advancing (and selling) privacy, security, and their brand? What am I missing here?
I suspect the missing link is that Google will still see all your data and be able to use it for marketing. Once it’s “in transit” (click send) it becomes secure.
For that matter, the program that does spelling/grammar checking has access to all your text too.