Google researching ways to add PGP encryption to Gmail

In the post-Snowden era the need for consumer level encryption is being seen not only as a necessity but also as a way to attract customers. For maybe the first time non-technical end-users are asking questions about security and it can be a factor in deciding which services users pick. According to people familiar with Google’s plans for its Gmail service, the search giant is looking into ways to add better encryption options to its email service.

The problem with many forms of symmetric encryption is that the service provider has access to the “master key” which allows the messages to be decrypted. Famously Snowden used the Lavabit encrypted email service which was forced to shutdown about a year ago. The service voluntarily ceased operating because the founder was probably being asked by the US government to hand over all of Snowden’s emails along with the necessary keys for decrypting them.

There is another type of encryption which is called public key cryptography or asymmetrical encryption which uses two keys, one for encryption and one for decryption. The idea is that the first key (used for encryption) can be published freely and publicly, while the second key (used for decryption) remains secret. This form of encryption is end-to-end in that it is the users who perform the encryption and decryption before the message enters into the email system. The most famous implementation of public key cryptography is Pretty Good Privacy, or PGP for short. It was created by Phil Zimmerman back in the early 1990s and although there are free and open source versions available (most notably GnuPg, or GPG for short), the system has never gained widespread acceptance.

The reason is that in its simplest form an email message needs to be typed up and then the text copied into the PGP/GPG program. The text is then encrypted (using the public key) and then the encrypted version is copied back into the email client and sent to the recipient. At the other end, the recipient copies the encrypted text into PGP/GPG and uses the private key to decrypt the message. This process isn’t streamlined and the extra steps needed to perform the encryption/decryption deter users from adopting the system widely. There are a variety of services, browser extensions and plugins which try to make the processes easier, however their adoption has never reached a critical mass.

There is also the problem of public key distribution. I can easily give someone my email address but for them to send me an encrypted email they need my public key. This can be transmitted in plain text, but the various means of distributing public keys have never gained popularity. One problem is that if I have someone’s email address then I need to get hold of their public key. I can get it by emailing them or by searching on their blog or on social media, but it requires users to make a conscious effort to publish their public keys and for others to find them. A directory of public keys where you can look up keys sounds like a good idea, but there is the problem of misuse and problems with spam etc.

VentureBeat has published  a quote from a Google employee who has let it slip that Google is researching ways to streamline the use of PGP/GPG with Gmail. Google has “research underway to improve the usability of PGP with Gmail,” said the employee who is familiar with the matter.

If Google develops a way to integrate PGP/GPG with Gmail, where it never has a copy of the private key, then Google won’t be able to decrypt emails for any government agencies as they simply don’t have the key.

However the negative side for Google is it can’t scan encrypted messages in order to display the appropriate adverts. Since Google is probably using user profiles more to display adverts then this might not be an insurmountable problem, however it will be interesting to see what Google can come up with.