Ever since former National Security Agency contractor Edward Snowden began leaking government documents, it’s become clear that our email is not safe from the U.S. government’s alarmingly robust surveillance system. So clear, in fact, that Snowden called on technologists to develop more sophisticated encryption systems when he appeared before an audience via livestream at Austin’s South by Southwest festival in March.
Today, Google took a step toward answering that call, releasing the source code for a new Chrome browser extension that will make it much easier for you to encrypt your email. The tool, dubbed End-to-End, uses something called OpenPGP (an industry standard for encryption) that will allow you to protect your email from the time it leaves your browser to when it’s decrypted by your intended recipient. Shortly after Google’s announcement, the nation’s largest Internet provider, Comcast, announced that it, too, would begin scrambling its customers’ emails.
But email encryption is still by no means a mainstream product. End-to-End will require that both you and the person you’re communicating with are using End-to-End, or some other kind of encryption tool. Comcast has yet to announce a similar tool that’s accessible to the public, but a company spokesman told the Wall Street Journal that it’s testing encryption and would begin rolling it out for customer emails “within a matter of weeks.”
Below, a complete guide to understanding what the heck this whole thing is about and why you might want to use it.
What does it mean to encrypt an email?
Basically, it means you’re adding an extra layer of security that protects the content of your email from being read by anyone for whom it’s not intended. Encryption is meant to protect your messages as they move from Point A to Point B, so no one — not even your email provider — can see their content.
How does it work?
There are a variety of different methods you can use to encrypt an email. But let’s focus specifically on OpenPGP, which is what Google has chosen to power its End-to-End tool.
PGP is short for Pretty Good Privacy. PGP was developed by a guy named Phil Zimmermann in 1991. It uses a series of steps to secure data before it’s sent out to another person. Think of it as using a series of personalized, impossible-to-duplicate keys that can only be used in one particular circumstance and never again.
It’s called OpenPGP because, like many other security algorithms (including SSL, which had a major flaw that became known as the Heartbleed bug), nobody owns it. It’s mostly run by something called the OpenPGP Working Group, which fields volunteers and works with companies to keep the email encryption methods safe and up to date.
How do I use it?
You can’t use it quite yet, as Google just released the End-to-End extension code today, so that other developers can test it, evaluate it, and suss out any bugs that might make it less secure.
Email encryption tools have been around for a while, but none are truly consumer friendly. They often require that anyone who uses them have a good amount of technical knowledge. They also require some preparation from both you and your recipient. In other words, ensuring that your emails are truly safe from spying involves more than simply clicking Send.
Google hasn’t officially premiered this tool in the Chrome store, so there’s no way for us to give you a full rundown of how to use it. But we can tell you that, in order for it to work, the person receiving your encrypted email will also have to be using End-to-End or another encryption service like GnuPG or Mailvelope with similar PGP functionality to open it. If the recipient uses an older version of an encryption service, or none at all, they would just get an email full of gibberish code.
Does this mean my email wasn’t safe before?
Not exactly. The majority of websites support an encryption technique called HTTPS. It goes through a series of digital handshakes to ensure that your connection to a website is safe. That way, no one can spy on your browsing or intercept the personal information you provide to a website.
That type of encryption can’t do anything to protect messages once they’re sent outside of an email provider’s servers.
Does End-to-End protect against the collection of “metadata”?
Metadata is the data about your data: whom you communicate with and when, but not the content inside your communications. Like other email encryption tools, Google’s End-to-End program does not encrypt the section of your email that shows the date, time, and recipient of your email. That information is necessary for routing your email and unfortunately can’t be covered up.
When will End-to-End be available to me? How easy will it be to use?
When we contacted Google, they were reluctant to give a time frame. But according to a blog post, the company will release the browser extension “once we feel that the extension is ready for prime time.” When it’s out, Google has promised that “anyone will be able to use it to send and receive end-to-end encrypted emails through their existing web-based email provider.”
When it is available, it’ll cut out some annoying steps that most encryption techniques still require of senders and recipients, like opening a separate coding window to paste the content of your message along with the encryption code you’re using, and then pasting it back into your browser. There will be explicit and user-friendly directions for how to use it.
That being said, Google doesn’t anticipate — or encourage — people enabling this tool for every single communication. Google has deemed it appropriate for “very sensitive messages” and/or people “who need added protection.” A mass adoption of email encryption would mean Google would also be shut out from collecting information from those who use its email services.
So does this mean I’m finally safe from the NSA’s spying?
It depends. For years, the NSA has been intercepting emails as they travel from your inbox to your recipient’s inbox. Or it has issued secret court orders for communications providers to let it access your messages. Even if someone attempts to use an encryption tool, doing so manually can introduce errors, errors that the NSA has exploited in the past.
If and when effective encryption tools become accessible to the mass public, the NSA may have to resort to hacking into individuals’ computer systems themselves, not just the service providers people are using. That’s a much more serious breach of privacy, and one that will no doubt be challenged even more vociferously by the courts and the American public.
Well, that’s depressing.
Yes. But Google’s and Comcast’s forays into easy-to-use email encryption mean that hopefully more companies will feel pressured to follow suit. Microsoft has plans to implement similar tools as well. Perhaps this is only the beginning!
That doesn’t make me feel much better.
OK, maybe this adorable video of some ducklings hopping up a staircase will help?
I knowwww. It’s sort of like a metaphor for the nation’s upward battle to ensure privacy to its citizens!
You ruined it.