The move toward encryption is driven by many factors, some logical and some emotional. I suspect that this move by Google is much more on the emotional side of the ledger, largely in response to the NSA revelations from the Edward Snowden affair. The everyday consumer’s false sense of email privacy has been shattered, prompting providers like Google to scramble to respond to this new sense of mistrust.
To those of us in the IT security business, it is easy to treat the Google announcements as marketing hype to shore up concerns over security. Their messaging leaves some questions. The Google announcements prior to June 3 speak almost entirely about data in transit, but make no mention of data at rest. Therefore, the generally accepted truth is that your emails still sit on Google servers in unencrypted form where they can be scanned to gather information that Google sells for advertising purposes.
It is important to remember that Google is not a philanthropic organization; selling advertising data is a significant component of their revenue stream. Google makes noise about protecting data in transit even between their data centers, but we need clarity on what happens when that data is at rest.
End-to-End reads like Google is closing the gaps, but this is not my first rodeo. I went to the fine print on the Google site. The product is a Google Chrome extension and will therefore require Chrome on both ends. Given that Chrome represents 40%-45% of browser usage (depends on where you pull the stats) that leaves a lot of gaps. End-to-End only enables the encryption of the email body, and not attachments. I find most sensitive data resides in attachments so I consider this a significant gap. Since mobile versions of Chrome do not support extensions, End-to-End is not supported on mobile devices.
The unanswered question is whether Google will still have access to the message body to scan for advertising purposes. Based on what I have read in the available information, the answer for that is no. I assume that Google is willing to trade what they would lose in encrypted data to retain customers in the Google ecosystem by appearing to be concerned with their email privacy. Google may also see End-to-End driving broader adoption of Chrome. More to the point is the sentiment found in a quote from the Google Online Security blog post:
“We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection.”
Google is basically betting that most people won’t use the encryption. They get the best of both worlds: the appearance of being security conscious for customers while losing minimal access to scan emails for advertising information.