Gmail encryption: Everything you need to know

Gmail encryption: Everything you need to know

Sending an unencrypted email is often likened to a postcard, in that anyone who wants to read it just needs to look at it. Obviously this isn’t good, especially when you need to send personal information to someone else, such as your bank details.

What is Encryption?

Encryption is a modern form of cryptography that allows a user to hide information from others. Encryption uses a complex algorithm called a cipher in order to turn normalized data (plaintext) into a series of seemingly random characters (ciphertext) that is unreadable by those without a special key in which to decrypt it. Those that possess the key can decrypt the data in order to view the plaintext again rather than the random character string of ciphertext.

How Email Encryption Works in Gmail?

Google’s standard method of Gmail encryption is something called TLS, or Transport Layer Security. As long as the person with whom you’re emailing is also using a mail service that also supports TLS — which most major mail providers do — all messages you send through Gmail will be encrypted in this manner.

What that basically means is that it’ll be incredibly difficult for anyone to look at a message while it’s en route from point A to point B. It doesn’t, however, guarantee that the message will remain private or available only to the intended recipient once it reaches the destination mail server. Google itself, for instance, has the ability to see messages associated with your account, which is what allows the company to scan your email for potential spam and phishing attacks — and also to offer advanced features like Smart Reply, which suggests responses based on an email’s contents. (Google used to scan messages for ad targeting, too, but it stopped doing that last year.)

If the person with whom you’re corresponding is using a mail server that doesn’t support TLS, meanwhile, messages won’t be encrypted at all. (With paid G Suite accounts, administrators can opt to allow only messages with TLS encryption to be sent or received — though that’d obviously have its own set of likely undesirable consequences.)

Gmail encryption: A next-level option

Beyond that basic form of encryption, Gmail supports an enhanced standard known as S/MIME — or Secure/Multipurpose Internet Mail Extensions. It’s available only for paid G Suite Enterprise and G Suite Education accounts, so if you’re using a regular free Gmail account, it doesn’t apply to you.

For folks with G Suite setups, though, S/MIME (which may or may not have been invented by a mime) allows emails to be encrypted with user-specific keys so that they remain protected during delivery and can be decrypted only by the intended recipient.

Like TLS, S/MIME works only if both the sender and recipient are using a service that supports it — and, in an extra layer of complication, only if both parties have exchanged keys in advance so that the encryption can be properly configured. Like TLS, it also doesn’t do anything to keep a message secured once it’s reached its actual destination server (and so again, within Gmail, Google itself will be able to scan messages in its usual automated way).

Last but not least, S/MIME has to be enabled by a G Suite admin before it’ll work.

Gmail encryption: End-to-end encryption

Google’s been talking about adding end-to-end encryption into Gmail since 2014, but all of that talk hasn’t amounted to much so far (and may not ever, according to some analyses). The only way to get that level of protection in Gmail right now is to rely on a third-party service such as FlowCrypt, which is available as a Chrome or Firefox extension on the desktop. (An Android app is also available in a pre-release beta form.)

FlowCrypt adds a “Secure Compose” button into your regular Gmail interface, which allows you to send encrypted messages using the PGP (Pretty Good Privacy — yes, that’s actually what it’s called) standard. Your recipient will need to have FlowCrypt or another PGP system set up and will also need to have your personal PGP key in order to decrypt and view your messages. Alternatively, you can use the extension to encrypt a message with a password, which you’d then have to provide to the recipient in some way.

So, yeah: It isn’t exactly simple, and the third-party add-on implementation certainly isn’t ideal. But it can get the job done. And it’s free — to a degree: If you want to unlock the service’s full set of features and remove all of its restrictions, you’ll have to pony up $5 a month for a premium subscription.

Wait, what about Gmail’s Confidential Mode?

Yeah, don’t put much stock into that. Confidential Mode is a feature launched as part of the Gmail revamp earlier last year. The idea is that it lets you prevent someone from forwarding, copying, printing, and downloading anything you send them — and, if you want, lets you set an expiration date after which your message will no longer be accessible. You can also create a passcode, delivered via email or text message, that’s required in order to open the message.

That all sounds nice enough on the surface, but the problem is that it doesn’t really do a heck of a lot when it comes to actual security. Messages still aren’t encrypted in any end-to-end manner, meaning Google (and other mail services) are still able to view and store them. The “no forwarding, copying, printing, and downloading” bit doesn’t mean much, either, since anyone can still take a screenshot of a message if they’re so inclined. (Google has said the feature is less about that level of security and more about simply discouraging people from accidentallysharing sensitive info where they shouldn’t.)

The same applies to the message expiration dates — as does the fact that an “expired” message continues to exist in your own Gmail Sent folder. All in all, Confidential Mode has the potential to be useful for what it is, but it doesn’t involve encryption or any sort of meaningful, higher-level privacy. In fact, the Electronic Frontier Foundation has gone as far as to say the mode could create a false sense of security and discourage users from finding more serious solutions.

Gmail is still not truly end-to-end encrypted, where only the communicators can read the contents of the email. It only works when the encrypted email is sent to a Gmail address. It’s been three years and Google still has no updates for its end-to-end encryption tool.

So what other options are there?

So Gmail is definitely a secure option, but only if you’re recipient also uses Gmail. Here are a few alternatives to look into as Gmail builds its end-to-end encryption solution:

  • Snapmail – This tool is reminiscent of the mobile social networking app, Snapchat, from the name to the functionality. This Google Chrome extension adds a green “Snapmail” button next to the “Send” button in your emails. After your recipient accesses the email, it self-destructs after 60 seconds. No worries, and no trace of your conversation.
  • Tutanota – If you’re looking for a completely different email alternative (complete with an Android and Apple app), check out Tutanota. This is a completely open source email service with end-to-end encryption. It may not be as ubiquitous or supported as Gmail, but if security is your concern, this is your email solution.
  • ProtonMail – Want to take your security and privacy to the next level? Look into ProtonMail. This email service not only promises end-to-end encryption and open source code, but they also operate out of Switzerland and claim all your emails are protected under Swiss privacy laws. No personal information is required, ensuring your identity remains anonymous.


Leave a Reply