Gmail may be very easy to use, and probably also one of the most used e-mail services out there, but Google has still not made any real effort to help e-mails going proper E2EE for all, despite the technology being available for a very long time.
Gmail’s confidential mode is not E2EE at all. It is merely a self-destruct timer or password to open, type e-mail. The latter probably only works to other Gmail users.
The encrypted offering they have is only for paid Workspace account holders, and seeing Google controls the web interface and services… I’m not sure the NSA will be using it (then again, maybe Gmail at least seems to be hacked less often than Microsoft’s cloud mail service!).
So ordinary users are probably better off adding one of the 3rd party browser extension that allow true OpenPGP E2EE for Gmail. It is free, and you can use your own public private key pair. But although this is free, the barrier for most normal users, is the ‘complexity’. You need to set up a signed key pair, load it into the extension, and of course have friends that are suitably equipped to actually decrypt E2EE e-mail. Unfortunately, the reality here is that both sides of this equation are just not within feasible for many users. There is also no single standard used across all e-mail services for E2EE, and you can forget about sending an encrypted e-mail to 99.999% of business or government departments, and expecting any of them to be able to read it.
Where any e-mail service has a POP3 or IMAP protocol interface (like Gmail has), it is possible to use an offline mail app like Thunderbird, and also add your OpenPGP key in there. But the same barriers to adoption exist for ordinary non-tech users, and it means also taking accountability to backup your own e-mail.
The reality is, most users are going to be far better off with services like Proton Mail, or Tutanota, that make the encryption process about as seamless as it can be (even my own family managed to get Proton Mail right, but only one is bothered to use it, and only with me).
Most people are not bothered, unless there is some very simple one button press to encrypt e-mail. And it seems, sadly, that the world is dependent upon Google to make this happen, mainly because there are so many Gmail accounts. If a Gmail user can’t read an encrypted e-mail, then you can’t send an E2EE mail to them (yes, I know Proton and Tutanota have workarounds where the Gmail user clicks to log in and enters a password to read the mail. But those are great phishing opportunities against non-tech users too).
So, it does come down again to Big Tech, unfortunately, to decide whether average users will ever be able to have truly private and secure e-mail, as well as interoperability between instant messengers (my previous post about WhatsApp is what I’m referring to).
Certainly, all the technology has long existed, but the biggest user bases are ‘stuck’ in Big Tech services, and there is no easy way for them to adopt the alternatives en masse. Whilst they feel (or don’t feel should I say) trapped there, they hold everyone else back too, and your E2EE e-mail is meaningless when you have to still send plain text e-mails to so many Gmail users. E-mail takes two or more parties to send and receive e-mail.
I’m only speculating here, but I’m suspecting Google is in no hurry to provide proper E2EE e-mail for Gmail users as it is a treasure trove of information about travel habits, medical details, banking details (less often now), relationships, and much more that is all open to analysis. Google certainly does scan e-mail as their TOS state they do this to detect viruses and malware, to provide search in e-mail, and ‘to provide you personally relevant product features’. Gmail would likely have to become a paid service to make E2EE worthwhile for Google.
You either have complete privacy and pay for every service, or you lose privacy for those free services. The majority of users are still opting for free services.
See https://www.androidpolice.com/gmail-send-encrypted-emails/
Comments