Cloud Security, Compliance Management, Privacy

Google transparency report outs providers lacking email encryption

Google's transparency reports will now provide a snapshot of which service providers do and don't dutifully encrypt email communications to and from Gmail.

In a Tuesday announcement on Google's official blog, Brandon Long, tech lead for the Gmail delivery team, wrote that the new section in its transparency report had already been published as of last week.

In late 2013 and early this year, both major tech companies like Apple and smaller service providers began releasing transparency reports that included details about government requests for customer data. The move followed the public outcry over Edward Snowden leaks.

“Gmail has always supported encryption in transit by using transport layer security (TLS), and will automatically encrypt your incoming and outgoing emails if it can,” Long wrote. “The important thing is that both sides of an email exchange need to support encryption for it to work; Gmail can't do it alone.”

Furthering this concern, Google found that 40 to 50 percent of emails sent between its email service, Gmail, and other email providers, weren't encrypted, Long said.

The transparency report's new section reveals the top domains that support, or lack, email encryption. The “top domains” were accumulated based on the volume of email coming to and from Gmail users, according to Google.

Of note, less than one percent of worldwide emails from Gmail to Comcast.net were encrypted, the data revealed. As well, less than one percent of inbound correspondence from Groupon domains were protected.

On Wednesday, Sebastian Munoz, CEO of California encryption and digital signature solutions provider Realsec, told SCMagazine.com in an interview that Google's move would make everyone “a bit more conscious, and aware that we need a better [data security] understanding, since there are no standards as to the right way to use cryptography for emails.”

To further its mission to support data security, Google on Tuesday also released the source code for its new encryption tool called, End-to-End, a Chrome extension that is still currently in the testing phase. The Chrome extension is expected to make encryption easier for the everyday user, as it makes use of OpenPGP, an open standard supporting existing encryption tools, a Google announcement said.

In his interview, Munoz added that, in Google's effort to inform the public about its security practices, it should also provide assurances about its encryption key management process.  

“I would like Google to clarify where are they safely storing the [encryption] keys,” Munoz said. “Keys are the most important part of any encryption process, [for instance] if you store the keys on your hard drive than anybody could have access to them, and access to the whole encryption system.”

In a Wednesday interview, Mayukh Gon, CEO of Toronto-based startup PerfectCloud, an IDaaS and data encryption provider, told SCMagazine.com that Google's new measures would help educate people who “are not cognizant of privacy and security,” but that there is “much more to privacy,” including proper management of encryption keys.

“The question becomes, are the keys to the data being stored properly?” Gon said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.