Google researching ways to add PGP encryption to Gmail

April 22, 2014

In the post-Snowden era, consumer-level encryption is being seen not only as a necessity but also as a way to attract customers. For maybe the first time, non-technical end users are asking questions about security, and it can be a factor in deciding which services they pick. According to people familiar with Google’s plans for its Gmail service, the search giant is looking into ways to add better encryption options to its email service.

The problem with many forms of symmetric encryption is that the service provider has access to the “master key”, which allows the messages to be decrypted. Famously, Snowden used the Lavabit encrypted email service, which was forced to shut down about a year ago. The service voluntarily ceased operating because the founder was probably being asked by the US government to hand over all of Snowden’s emails along with the necessary keys for decrypting them.


There is another type of encryption, called public key cryptography or asymmetric encryption, which uses two keys: one for encryption and one for decryption. The idea is that the first key (used for encryption) can be published freely and publicly, while the second key (used for decryption) remains secret. This form of encryption is end-to-end in that it is the users who perform the encryption and decryption before the message enters the email system. The most famous implementation of public key cryptography is Pretty Good Privacy, or PGP for short. It was created by Phil Zimmermann back in the early 1990s, and although there are free and open source versions available (most notably GnuPG, or GPG for short), the system has never gained widespread acceptance.


The reason is that, in its simplest form, an email message needs to be typed up and then the text copied into the PGP/GPG program. The text is encrypted (using the recipient’s public key) and the encrypted version is copied back into the email client and sent to the recipient. At the other end, the recipient copies the encrypted text into PGP/GPG and uses the private key to decrypt the message. This process isn’t streamlined, and the extra steps needed to perform the encryption and decryption deter users from adopting the system widely. There are a variety of services, browser extensions and plugins which try to make the process easier; however, their adoption has never reached a critical mass.

There is also the problem of public key distribution. I can easily give someone my email address, but for them to send me an encrypted email they need my public key. This can be transmitted in plain text, but the various means of distributing public keys have never gained popularity. Likewise, if I have someone’s email address then I need to get hold of their public key. I can get it by emailing them or by searching on their blog or on social media, but it requires users to make a conscious effort to publish their public keys and for others to find them. A directory where you can look up public keys sounds like a good idea, but there is the problem of misuse, spam and so on.
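The manual exchange and the key hand-over described above can be reproduced with GnuPG on the command line. This is an added example, not part of the original article; it assumes GnuPG 2.1 or later is installed, and Bob, Alice, the address and the message are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example: the manual PGP exchange, using two throwaway GnuPG keyrings.
# Bob, Alice, bob@example.org and the message are constructed sample values.
set -euo pipefail

WORK=$(mktemp -d); BOB="$WORK/bob"; ALICE="$WORK/alice"
mkdir -m 700 "$BOB" "$ALICE"
cleanup() {
  for h in "$BOB" "$ALICE"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$WORK"
}
trap cleanup EXIT

# Run gpg non-interactively against one keyring ($1 = home directory).
g() { local home=$1; shift; gpg --homedir "$home" --batch --quiet --no-tty "$@"; }

# Print the primary-key fingerprint for bob@example.org as stored in keyring $1.
fingerprint() {
  g "$1" --with-colons --fingerprint bob@example.org |
    awk -F: '$1 == "fpr" && !seen++ { print $10 }'
}

# Recipient: create a key pair (no passphrase, demo only), print the public half.
bob_publish_key() {
  g "$BOB" --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Bob <bob@example.org>' default default never
  g "$BOB" --armor --export bob@example.org
}

# Sender: import the key, compare its fingerprint with the one obtained over a
# separate channel, then encrypt. $1 = public key, $2 = fingerprint, $3 = text.
alice_encrypt() {
  printf '%s\n' "$1" | g "$ALICE" --import
  [ "$(fingerprint "$ALICE")" = "$2" ] || { echo 'fingerprint mismatch' >&2; return 1; }
  printf '%s' "$3" | g "$ALICE" --trust-model always --armor --recipient "$2" --encrypt
}

# Recipient: decrypt the armored text pasted out of the mail client.
bob_decrypt() {
  printf '%s\n' "$1" | g "$BOB" --pinentry-mode loopback --passphrase '' --decrypt
}

PUBKEY=$(bob_publish_key)
FPR=$(fingerprint "$BOB")      # Bob reads this out to Alice, e.g. by phone
ARMORED=$(alice_encrypt "$PUBKEY" "$FPR" 'Meet at noon.')
PLAIN=$(bob_decrypt "$ARMORED")
printf 'What the mail provider stores:\n%s\n\nWhat Bob reads: %s\n' "$ARMORED" "$PLAIN"
```

The fingerprint comparison is the step that a public key sent in plain text cannot supply on its own: the key can travel over any channel, but the sender needs a second channel to confirm it belongs to the recipient.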


VentureBeat has published a quote from a Google employee who has let it slip that Google is researching ways to streamline the use of PGP/GPG with Gmail. Google has “research underway to improve the usability of PGP with Gmail,” said the employee, who is familiar with the matter.

If Google develops a way to integrate PGP/GPG with Gmail where it never has a copy of the private key, then Google won’t be able to decrypt emails for any government agencies, as it simply won’t have the key.

However, the negative side for Google is that it can’t scan encrypted messages in order to display the appropriate adverts. Since Google is probably relying more on user profiles to display adverts, this might not be an insurmountable problem; however, it will be interesting to see what Google can come up with.

Comments

  • Aaron

    That’s good news, this will greatly help when sending sensitive emails.
    I hope we can also exchange public key using G+ or something, people can verify any encrypted contents from Google contacts, not just emails.

    • Guest123

      I would think people by now would fully understand that this is irrelevant where it concerns government spying.

      Google, like every other US company (with the exception of Twitter apparently) will turn over encryption keys, create a backdoor, or whatever the US government tells them to do without saying a word to the public or putting up a fight whatsoever; therefore, there is NO security or privacy when using a US tech company for data transmissions of any sort.

      • Phil Rigby

        Which part of “Google won’t have the keys” don’t you understand? Here, in case you missed it:

        “If Google develops a way to integrate PGP/GPG with Gmail, where it never has a copy of the private key, then Google won’t be able to decrypt emails for any government agencies as they simply don’t have the key.”

        RIM with their BlackBerry implementation of email managed it just fine. RIM couldn’t turn over the encryption keys to the Indian authorities when they demanded them – because the keys didn’t exist on RIM’s infrastructure. This is a similar thing.

  • Andrew

    I don’t see too much of a problem for Google to be able to utilize advertisement in emails, since most emails received are not personal, but promotions or shipping information.

  • MasterMuffin

    I don’t want pretty good privacy, I want really good privacy! xd

  • Matt Helps

    Thunderbird with Enigmail makes it pretty easy.