June 4, 2014
Encryption-Deprived Email Services Criticized By Search Giant Google
Peter Suciu for redOrbit.com - Your Universe Online
Google Inc. called out rival email providers for not providing enough encryption. Apparently those rivals took notice and have started to address the issue. The tech giant's new Gmail data highlighted the rise of backbone email encryption, something that privacy advocates have said was a long-time coming.
On Tuesday Google issued a transparency report, which denoted that email should be protected as it travels across the Internet – yet in most cases protected it is not. It called out the fact that while most of us prefer that only the recipient reads the email prying eyes could see it as well. This could be through so-called bad actors or through government surveillance but one thing was clear – email is anything but truly private or personal.
Encrypting the emails could make a difference according to the search giant. Google compared encryption to "sealed envelopes," while unencrypted emails were little more than "postcards."
"Gmail has always supported encryption in transit by using Transport Layer Security (TLS), and will automatically encrypt your incoming and outgoing emails if it can," Brandon Long, tech lead for the Gmail Delivery Team at Google, wrote on the company's official blog this week. "The important thing is that both sides of an email exchange need to support encryption for it to work; Gmail can't do it alone.
"Our data show that approximately 40 to 50 percent of emails sent between Gmail and other email providers aren’t encrypted," Long added. "Many providers have turned on encryption, and others have said they’re going to, which is great news. As they do, more and more emails will be shielded from snooping."
Google's Gmail service offers encryption from the browser by using the HTTPS, something privacy advocates have called upon for some time.
"For the past few years, EFF has been working on promoting the universal use of encryption for Internet protocols. We started by pushing major sites to switch from HTTP to HTTPS, and gave individual users ways to pull things along," Peter Eckersley of the Electronic Frontier Foundation wrote on the group's Deeplinks blog on Tuesday. "Last November, we launched our Encrypt the Web Scorecard, which in addition to Web encryption, added a second focus on securing SMTP email transmissions between mailservers."
Eckersley added that the EFF believed this to be a "vital protection against non-targeted dragnet surveillance by the US and other governments."
In the months following the scorecard ratings, calling for support for STARTTLS email encryption, the EFF said a number of major sites including Yahoo, Twitter, LinkedIn and Facebook all deployed this form of backbone email encryption.
The EFF also added that Microsoft's deployment has also been in progress.
"We believe that most or all of these companies made these changes in response to EFF's Encrypt the Web report," Eckersley stated.
Other rival email providers took notice of Google's call to action, and Comcast Corp, the nation's largest Internet provider by number of homes and businesses served, said on Tuesday that it would too scramble emails sent by its users. The pay-TV and Internet service provider (ISP) will begin testing encryption methods "within a matter of weeks," Comcast spokesperson Charlie Douglas told the Wall Street Journal. He added that Comcast is "very aggressive about this."
While many email providers are now working to ensure that email is encrypted it won't ensure a "sealed envelope" to return to Google's analogy. The search and tech giant already has estimated that up to half of email sent between Google's Gmail and other sites has remained unencrypted at some point.
"The trouble is that encryption only works if both your e-mail program and your recipient's support it," Brian Fung wrote for the Washington Post. "So if, for example, you're on Gmail, but your friend uses [another] e-mail address, chances are your messages will show up unencrypted at the other end, because [that email provider] doesn't have encryption enabled."
Google's report could help change that, and it could get help from privacy groups.
"Google's naming. We can shame," Christopher Soghoian, a technologist at the American Civil Liberties Union, told the Washington Post. "And we will."