Still responding to the National Security Agency surveillance revelations, Google is reportedly preparing to help users beef up Gmail security with end-to-end encryption. The search giant is working on a way to make Pretty Good Privacy (PGP) encryption easier to use for Gmail fans, according to a report by Venture Beat.
The idea that Google would be working on email encryption is surprising since that would threaten the company's ability to scan email messages for keywords to insert ads — a fact the Venture Beat report acknowledges.
Perhaps the company merely wants to make PGP easier to use for the small sliver of people who might actually want more privacy with their email. But as a regular feature for all? Not likely.
PGP relies on public-private encryption key pairings that make it all but impossible for someone other than the intended recipient to read an encrypted message.
Say Sally wants to send Bob a message. Once she's done composing it, Sally uses Bob's public encryption key to encrypt the message turning it into a bunch of garbled nonsense. Then only Bob can decrypt the message using his private key.
An attacker would have to spend an impossibly long time guessing combinations to decrypt the message, making it, as we said, nearly impossible.
There are ways around decryption such as stealing private keys or hacking into a PC once the message has been decrypted. But for the most part, public-private keys offer a reasonable amount of privacy.
PGP problems explained
The only problem is that employing PGP — or its open source alternative GNU Privacy Guard (GPG) — is not at all user friendly.
There are attempts to make encryption easier already such as the Thunderbird extension Enigmail and the browser plug-in Mailvelope. But so far only a relatively small number of users have been willing to try these easier solutions.
With millions of Gmail users, Google could widen the PGP/GPG user base considerably if it wanted to — but end-to-end encryption offers some big problems for a mainstream service like Gmail.
The biggest difficulty for any user, whether novice or advanced, is to keep your private key secure. If your hard drive containing your keys crashes, for example, there goes your private key along with the hope of ever reading messages encrypted with it.
If you're trying to manage encrypted email on your PC, smartphone, and a tablet, that means your private key will have to reside on all those devices. Transferring a key around could result in losing control of it if you send the key to yourself via email, your device gets hacked, or you lose an unencrypted flash drive containing the secret data.
Sign up for Computerworld eNewsletters.