Google adds client-side encryption to Gmail and Calendar. Should you care? Spoiler: Probably Not

Image: a portion of a Google Drive screen with a pop-up message saying "Encrypted by ink-42.com. This file is encrypted by your organisation."

On Tuesday, Google made client-side encryption available to a limited set of Gmail and Calendar users in a move designed to give them more control over who sees sensitive communications and schedules.

Client-side encryption is a generic term for any sort of encryption that’s applied to data before it’s sent from a user device to a server. With server-side encryption, by contrast, the client device sends the data to a central server, which then uses keys in its possession to encrypt it while it’s stored. This is what Google does today. (To be clear, the data is sent encrypted through HTTPS, but it’s decrypted as soon as Google receives it.)

Google’s client-side encryption occupies a middle ground between the two. Data is encrypted on the client device before being sent (by HTTPS) to Google. The data can only be decrypted on an endpoint machine with the same key used by the sender. This provides an incremental benefit since the data will remain unreadable to any malicious Google insiders or hackers who manage to compromise Google servers.

The point, really, is that this is not client-to-client E2EE of the kind ProtonMail, Tutanota, OpenPGP, etc. provide. This is more like Cloudflare, where it is encrypted between your client and the server.

Most of us can in fact use OpenPGP to send mail fully encrypted from one user to the other, but it is mostly “too complicated” for average end users to enable (otherwise we’d all be using it already). ProtonMail and Tutanota, however, have made this E2EE a lot easier to adopt and use, but again, the average user is not bothered enough to sign up with a new mail provider (even if there is a perfectly usable free tier).

Also, if Gmail implemented full E2EE, that would be the end of any easy searching to find e-mails you had sent, as Google’s search engines could not then index the contents of the e-mails.
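The difference between the server-side and client-side models described above, and the effect on server-side search, can be shown in a few lines of Node.js. This is an added illustration, not code from the article or from Google; `MailServer`, `seal`, `unseal`, `orgKey` and the sample message are hypothetical names and constructed data.

```javascript
// Added illustration; not Google's implementation. All names are hypothetical.
const nodeCrypto = require('crypto');

// AES-256-GCM helpers: output layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// Mail server that encrypts at rest with a key it holds (the server-side model).
class MailServer {
  constructor() { this.atRestKey = nodeCrypto.randomBytes(32); this.store = []; }
  // `body` is what arrives after HTTPS is terminated: plaintext or a client-sealed blob.
  receive(body, clientEncrypted) {
    const bytes = clientEncrypted ? body.toString('base64') : body;
    this.store.push({ clientEncrypted, blob: seal(this.atRestKey, bytes) });
  }
  // What the server (or an insider holding its key) can read for message i.
  serverView(i) { return unseal(this.atRestKey, this.store[i].blob); }
  // Server-side search only works over what the server itself can decrypt.
  search(term) {
    return this.store.map((_, i) => i).filter(i => this.serverView(i).includes(term));
  }
}

// Constructed sample data: the same message sent under both models.
function demo() {
  const orgKey = nodeCrypto.randomBytes(32); // held by the organisation, never given to the server
  const server = new MailServer();
  server.receive('Q3 merger terms attached', false);              // server-side encryption only
  server.receive(seal(orgKey, 'Q3 merger terms attached'), true); // encrypted on the client first
  const hits = server.search('merger');                           // finds message 0 only
  const recovered = unseal(orgKey, Buffer.from(server.serverView(1), 'base64'));
  return { hits, recovered, serverSees: server.serverView(1) };
}
```

Calling `demo()` shows that the server can index and read the first message, while the second is readable only to a holder of `orgKey`.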

So where do we stand with “private” or encrypted e-mail in 2023? Well, the good news is that most users (and I include companies) seem to have achieved a level of comfort with universally sending and reading encrypted PDF attachments…

See https://arstechnica.com/information-technology/2023/02/google-adds-client-side-encryption-to-gmail-and-calendar-should-you-care/
