In response to Edward Snowden’s mass surveillance revelations, Google is working to make complex encryption tools, such as PGP, easier to use in Gmail.
PGP, or Pretty Good Privacy, is an encryption utility that historically has been difficult to break. But Google has “research underway to improve the usability of PGP with Gmail,” according to a person at the company familiar with the matter.
About PGP Encryption
- Created in 1991, Pretty Good Privacy (PGP) is an end-to-end encryption program.
- End-to-end encryption means only the sender and receiver of a message can read it.
- PGP uses a pair of keys, one public and one secret, to help protect digital communications.
- Ideally, even Google wouldn’t have access to your secret key, making it impossible for them to access your emails.
VentureBeat’s source at Google acknowledged that “end-to-end encryption is the best defense for message protection, though it comes at considerable cost in functionality.” PGP is currently compatible with Google’s Gmail service, although it’s widely regarded as unapproachable to a majority of Internet users — like the Tor project. Third-party services, including GPG Tools and Mailvelope, have worked to make such encryption more approachable but have largely failed to reach a mainstream audience.
GPG Tools, maker of an extension for Apple Mail, tells VentureBeat that it saw a surge of downloads in July following the first NSA reports. Yet, that spike didn’t last: “The number went down quickly and was back to normal in September,” the company told us. GPG Tools says it sees around 13,000 downloads per month — with spikes following new releases.
Google has a fighting chance of significantly boosting PGP’s adoption if it can pull off integrating it into Gmail. It’s currently unclear how such an integration will take place and whether such a solution will end up buried behind a settings menu.
The Electronic Frontier Foundation (EFF) tells VentureBeat that PGP “offers stronger protection than SSL/TLS because private user data cannot generally be decrypted by the company or by any third parties, including government agencies.” The EFF notes that Mozilla has struggled to make key-based, end-to-end encryption tools more approachable with Firefox Sync:
Services such as Firefox Sync sometimes frustrate users who lose their passwords and then expect that the service provider can recover their data. This turns out to be impossible if the service provider doesn’t have access to the user’s decryption keys. End-to-end encryption necessarily creates this usability problem, but companies can make it better by:
1. Making it extremely clear to users that there is no password recovery option and encouraging them to write their password down on paper temporarily if they need to.
2. Using a cryptographic technique known as key stretching to make a short password stronger so that users have less to remember.
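A small illustration of the key-stretching idea the EFF describes, added here as an example that is not from VentureBeat, the EFF or Mozilla: scrypt (an assumed choice; the parameters are illustrative) turns a short password into a full-length encryption key on the client, while the service stores only a salt and a verifier, so it can confirm a login but can never recover the user's data.

```python
import hashlib
import math
import os

# Illustrative scrypt parameters (assumed values, not taken from the article).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32  # 256-bit key for an end-to-end encryption scheme


def stretch_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from a short password with scrypt.

    Each evaluation is deliberately expensive in CPU and memory, so every
    password guess costs an attacker the same work; the per-user salt stops
    precomputed tables from amortising that work across users.
    """
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def enroll(password: str) -> dict:
    """What a Sync-style service stores: a salt and a verifier, never the key.

    The verifier is a hash of the derived key, so the service can tell whether
    a login attempt is correct without being able to decrypt the user's data.
    """
    salt = os.urandom(16)
    key = stretch_password(password, salt)
    verifier = hashlib.sha256(b"verifier" + key).digest()
    return {"salt": salt, "verifier": verifier}


def unlock(record: dict, password: str):
    """Re-derive the key client-side; return it only if the verifier matches."""
    key = stretch_password(password, record["salt"])
    if hashlib.sha256(b"verifier" + key).digest() != record["verifier"]:
        return None  # wrong password: nothing stored server-side recovers the key
    return key


def effective_strength_bits(password_entropy_bits: float) -> float:
    """Rough brute-force cost in bits: password entropy plus log2 of the scrypt
    work factor. Stretching adds to the exponent; it does not replace a
    stronger password."""
    return password_entropy_bits + math.log2(SCRYPT_N * SCRYPT_R * SCRYPT_P)
```

With these parameters a 30-bit password costs an attacker roughly 2^47 scrypt evaluations to exhaust, which is the "stronger short password" effect the EFF is pointing at.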
Don’t expect Google to set up site-wide end-to-end encryption, however. For Google to monetize Gmail, it must be able to scan messages in order to serve targeted ads to users. It’s an advertising business, after all.