It’s been almost three years since Google first announced its intention to add end-to-end encryption to Gmail. However, the free email service is yet to provide users with that feature. Despite the Internet giant insists that it was never a bluff, one of the company’s latest movements has reignited the criticism.
Recently, a spokesperson from Google announced the company’s decision to withdraw from the only project aimed at improving Gmail’s security features: E2EMail, a message encryption and decryption extension, is no longer a Google product. Google has made the program’s source code available to the developer community, effectively turning it into an open-source tool.
Despite this controversial change of plans, Google insists that it hasn’t abandoned the project. However, these explanations have not convinced security experts, who see it as the confirmation that the initiative has definitely fallen through.
A mechanism of end-to-end encryption
When Google first announced that it was working on this encryption tool, back in 2014, many saw it as the company’s response to the shocking revelations that were circulating at the time regarding the NSA’s surveillance program. However, while apps such as Apple’s iMessage, Facebook Messenger and WhatsApp have implemented end-to-end encryption to protect communications, the Internet giant has failed to deliver on its promise regarding Gmail.
The company keeps expressing a strong commitment toward ensuring security, while at the same time warning of the difficulty of protecting email communications. Unlike what happens with modern apps such as those we have previously mentioned, Google’s engineers have to deal with the much older mail protocol, which interacts with millions of clients outside of their control.
According to Stephan Somogyi, Privacy and Security Product Manager at Google, the company’s experts have already taken several steps in the right direction. On the one hand, they have had to build an entirely new library of crypto code in order to be able to develop Web-based encryption tools. On the other, the team has started working on an encryption key management system -the system that makes sure that messages can only be decrypted by senders and recipients- called Key Transparency. This project is being developed along with researchers at Princeton, Yahoo, and Open Whisper Systems (the organization behind WhatsApp’s end-to-end encryption mechanism).
Despite Google already offers end-to-end encryption as an option in its instant messaging service Allo Messenger, everything seems to indicate that we are far from seeing it in Gmail as well.
I think it must be easy for a company like Gmail to implement correctly this, encryption is not a plus is one of the most important things.