Google End-to-End: The encryption silver bullet?
by Jim Ivers - Chief Security Strategist for Covata - Wednesday, 11 June 2014.
The world seems to be turning its attention to the notion of data encryption, and Google is the latest to jump on the bandwagon. On June 3rd, Google announced that it would be offering a Chrome extension called End-to-End that provides end-to-end encryption of email. Comcast immediately followed with an announcement that they were aggressively pursuing adding encryption to email.

The move toward encryption is driven by many factors, some logical and some emotional. I suspect that this move by Google is much more on the emotional side of the ledger, largely in response to the NSA revelations from the Edward Snowden affair. The everyday consumer’s false sense of email privacy has been shattered, prompting providers like Google to scramble to respond to this new sense of mistrust.

To those of us in the IT security business, it is easy to treat the Google announcements as marketing hype to shore up concerns over security. Their messaging leaves some questions. The Google announcements prior to June 3 speak almost entirely about data in transit, but make no mention of data at rest. Therefore, the generally accepted truth is that your emails still sit on Google servers in unencrypted form where they can be scanned to gather information that Google sells for advertising purposes.

It is important to remember that Google is not a philanthropic organization; selling advertising data is a significant component of their revenue stream. Google makes noise about protecting data in transit even between their data centers, but we need clarity on what happens when that data is at rest.

End-to-End reads like Google is closing the gaps, but this is not my first rodeo. I went to the fine print on the Google site. The product is a Google Chrome extension and will therefore require Chrome on both ends. Given that Chrome represents 40%-45% of browser usage (depending on where you pull the stats), that leaves a lot of gaps. End-to-End only enables the encryption of the email body, and not attachments. I find most sensitive data resides in attachments, so I consider this a significant gap. Since mobile versions of Chrome do not support extensions, End-to-End is not supported on mobile devices.

The unanswered question is whether Google will still have access to the message body to scan for advertising purposes. Based on what I have read in the available information, the answer for that is no. I assume that Google is willing to trade what they would lose in encrypted data to retain customers in the Google ecosystem by appearing to be concerned with their email privacy. Google may also see End-to-End driving broader adoption of Chrome. More to the point is the sentiment found in a quote from the Google Online Security blog post:

“We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection.”

Google is basically betting that most people won’t use the encryption. They get the best of both worlds: the appearance of being security conscious for customers while losing minimal access to scan emails for advertising information.

