About Google’s New Email Encryption Tool

Ever since former National Security Agency contractor Edward Snowden began leaking government documents, it’s become clear that our email is not safe from the U.S. government’s alarmingly robust surveillance system. So clear, in fact, that Snowden called on technologists to develop more sophisticated encryption systems when he appeared before an audience via livestream at Austin’s South by Southwest festival in March.

So, what does it mean to encrypt an email?

Basically, it means you’re adding an extra layer of security that protects the content of your email from being read by anyone for whom it’s not intended. Encryption is meant to protect your messages as they move from Point A to Point B, so no one, not even your email provider, can see their content.

How does it work?

There are a variety of different methods you can use to encrypt an email. But let’s focus specifically on OpenPGP, which is what Google has chosen to power its End-to-End tool.

PGP is short for Pretty Good Privacy. PGP was developed by a guy named Phil Zimmermann in 1991. It uses a series of steps to secure data before it’s sent out to another person. Think of it as using a series of personalized, impossible-to-duplicate keys that can only be used in one particular circumstance and never again.

It’s called OpenPGP because, like many other security algorithms (including SSL, which had a major flaw that became known as the Heartbleed bug), nobody owns it. It’s mostly run by something called the OpenPGP Working Group, which fields volunteers and works with companies to keep the email encryption methods safe and up to date.

How do I use it?

You can’t use it quite yet, as Google just released the End-to-End extension code today, so that other developers can test it, evaluate it, and suss out any bugs that might make it less secure.

Email encryption tools have been around for a while, but none are truly consumer friendly. They often require that anyone who uses them have a good amount of technical knowledge. They also require some preparation from both you and your recipient. In other words, ensuring that your emails are truly safe from spying involves more than simply clicking Send.

Google hasn’t officially premiered this tool in the Chrome store, so there’s no way for us to give you a full rundown of how to use it. But we can tell you that, in order for it to work, the person receiving your encrypted email will also have to be using End-to-End or another encryption service with similar PGP functionality, like GnuPG or Mailvelope, to open it. If the recipient uses an older version of an encryption service, or none at all, they would just get an email full of gibberish code.

Does this mean my email wasn’t safe before?

Not exactly. The majority of websites support an encryption technique called HTTPS. It goes through a series of digital handshakes to ensure that your connection to a website is safe. That way, no one can spy on your browsing or intercept the personal information you provide to a website.

That type of encryption can’t do anything to protect messages once they’re sent outside of an email provider’s servers.

Does End-to-End protect against the collection of “metadata”?

Metadata is the data about your data: whom you communicate with and when, but not the content inside your communications. Like other email encryption tools, Google’s End-to-End program does not encrypt the section of your email that shows the date, time, and recipient of your email. That information is necessary for routing your email and unfortunately can’t be covered up.
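
To make the metadata point concrete, here is an added illustration (not code from Google or from the original article) that parses a constructed email whose body is an ASCII-armored OpenPGP message and lists what a mail relay or provider can still read. The addresses, the subject, and the armored payload are made-up placeholders, and the inline-armor layout is an assumption about how the encrypted text is carried.

```python
# Added example: what stays readable when only the body is OpenPGP-encrypted.
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message; the addresses and the armored payload are
# placeholders, not real ciphertext.
SAMPLE = """\
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Date: Tue, 03 Jun 2014 10:15:00 -0700
Subject: Meeting notes
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

PLACEHOLDERciphertextPLACEHOLDER
=XXXX
-----END PGP MESSAGE-----
"""

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"


def exposed_metadata(raw):
    """Header fields any relay or provider can read, encrypted body or not."""
    msg = message_from_string(raw)
    return {
        "senders": [a for _, a in getaddresses(msg.get_all("From", []))],
        "recipients": [a for _, a in getaddresses(
            msg.get_all("To", []) + msg.get_all("Cc", []))],
        "sent_at": parsedate_to_datetime(msg["Date"]).isoformat(),
        # Header fields sit outside the armored block, the subject included.
        "subject": msg["Subject"],
    }


def body_is_armored(raw):
    """True when the whole body is one ASCII-armored OpenPGP message."""
    body = message_from_string(raw).get_payload().strip()
    return body.startswith(ARMOR_BEGIN) and body.endswith(ARMOR_END)


if __name__ == "__main__":
    for field, value in exposed_metadata(SAMPLE).items():
        print(f"readable in transit: {field} = {value}")
    print("body opaque without the private key:", body_is_armored(SAMPLE))
```

The armored block is also the “gibberish” a recipient without a compatible PGP tool would see in place of the message.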

When will End-to-End be available to me? How easy will it be to use?

According to a blog post, the company will release the browser extension “once we feel that the extension is ready for prime time.” When it’s out, Google has promised that “anyone will be able to use it to send and receive end-to-end encrypted emails through their existing web-based email provider.”

When it is available, it’ll cut out some annoying steps that most encryption techniques still require of senders and recipients, like opening a separate coding window to paste the content of your message along with the encryption code you’re using, and then pasting it back into your browser. There will be explicit and user-friendly directions for how to use it.

That being said, Google doesn’t anticipate — or encourage — people enabling this tool for every single communication. Google has deemed it appropriate for “very sensitive messages” and/or people “who need added protection.” A mass adoption of email encryption would mean Google would also be shut out from collecting information from those who use its email services.

So does this mean I’m finally safe from the NSA’s spying?

It depends. For years, the NSA has been intercepting emails as they travel from your inbox to your recipient’s inbox. Or it has issued secret court orders for communications providers to let it access your messages. Even if someone attempts to use an encryption tool, the manual process of doing so can introduce errors, errors that the NSA has exploited in the past.