Google’s Gmail Upgrade—Why You Need A Different App

Take this new warning seriously
As an interesting week for Google comes to an end, with Gmail under attack from hackers and Chrome under attack from legislators, a new warning has been issued for its 3 billion users. This was entirely predictable — and you need to take it seriously.
As I’ve said before, the flurry of excited headlines that followed Google’s announcement that it was bringing end-to-end encryption to Gmail was premature. Putting aside the fact that this isn’t really end-to-end encryption, because a user’s organization controls the security and not their own client or “end,” there are other serious concerns.
End-to-end encryption doesn’t work in email, because by its nature email is an open architecture. That’s why it’s one of the few data types excluded from Apple’s end-to-end encrypted enclave under its Advanced Data Protection. Platforms such as Proton provide a walled garden to address this and password-protect emails sent outside it.
Google can end-to-end encrypt emails within an organization or when it’s Gmail to Gmail as it controls both ends, albeit that’s still not strictly end-to-end encryption per the point above. But when the recipient “is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail. The recipient can then use a guest Google Workspace account to securely view and reply to the email.”
Wired correctly warns that “the fear is that scammers will take advantage of this new and more secure communication mechanism by creating fake copies of these invitations that contain malicious links, and prompt targets to enter their login credentials for their email, single sign-on services, or other accounts.”
The other issue is that end-to-end encrypting emails breaks other Gmail features. Its new AI-powered relevancy search, for example, can’t operate on encrypted emails, so they will be missing from any results. As Google confirmed to me, its cloud AI processing rightly can’t see fully encrypted user content.
All these problems stem from the same cause. Email needs a rethink. It’s an archaic platform built on an outdated architecture. It’s similar to SMS, an open standard that worked for decades but then ran out of steam. Users now demand less spam and fewer scams, better authentication of who’s contacting them, and secured content in messaging.
Google says it will add a warning with its new encrypted emails, telling users “be careful when signing in to view this encrypted message. This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password.”
But as MalwareBytes suggested to Wired, “it’s almost as if someone at Google knew this was a bad idea and asked for a warning to be added. It’s quite likely fraudsters will jump on the opportunity to craft phishing emails using this exact same template, even including the original warning that will be overlooked.”
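The concern above is that a phishing mail can copy Google's own warning template word for word, so the warning text alone proves nothing; what a mail filter can still check is where the sign-in links actually point. The following is an added example, not code from the original article or from Google: it scans a message for Google's warning phrase and flags it when any link in it leaves an allowlist of hosts. The allowlist and the sample messages are assumptions constructed for the example, not Google's published invitation hosts.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed set of hosts a genuine invitation would link to (example assumption,
# not Google's published list); a real filter would take this from policy.
ASSUMED_LEGIT_HOSTS = {"mail.google.com", "accounts.google.com"}

# Opening of the warning Google says it will attach to encrypted invitations.
WARNING_PHRASE = "be careful when signing in to view this encrypted message"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def suspicious_invitation(raw: str) -> dict:
    """Flag an invitation-looking message whose links leave the allowlist.

    Returns whether the warning template is present, which link hosts fall
    outside the allowlist, and whether the combination looks like a lookalike.
    """
    msg = message_from_string(raw)
    body = msg.get_payload()  # samples below are single-part text/plain
    looks_like_invite = WARNING_PHRASE in body.lower()
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    offlist = sorted(h for h in hosts if h not in ASSUMED_LEGIT_HOSTS)
    return {
        "invite": looks_like_invite,
        "offlist_hosts": offlist,
        "suspicious": looks_like_invite and bool(offlist),
    }


# Constructed sample messages (not real traffic). Both carry the same warning
# text; only the link host differs, which is the point the filter relies on.
GENUINE = (
    "From: colleague@partner.example\nSubject: Encrypted message\n"
    "Content-Type: text/plain\n\n"
    "Be careful when signing in to view this encrypted message. "
    "This message is from an external sender and is encrypted.\n"
    "View it here: https://mail.google.com/mail/u/0/#inbox\n"
)
LOOKALIKE = GENUINE.replace(
    "https://mail.google.com/mail/u/0/#inbox",
    "https://mail.google.com.secure-login.example/view",  # lookalike host
)

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(name, suspicious_invitation(sample))
```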
Encrypting email content within an organization does make sense, as does the occasional restricted email sent between email platforms. But the idea that fully encrypted email becomes mainstream will not work with today’s platforms. And so, if you want fully encrypted comms, just use a different app.