Google To Introduce Warnings For Unencrypted Emails

Google has said it plans to introduce warnings for email messages received by its Gmail service that have been received over an unencrypted connection, as a measure to prod service providers who haven’t made encryption the default option for sending communications.

“To notify our users of potential dangers, we are developing in-product warnings for Gmail users that will display when they receive a message through a non-encrypted connection,” wrote Elie Bursztein of Google’s anti-fraud and abuse research team and Nicolas Lidzborski, Google’s Gmail security engineering lead, in a blog post.

Broader encryption

The warnings, to be introduced in the coming months, are part of Google’s campaign to bring encryption into wider use across the Internet. Google uses encryption in its search and cloud storage services, and began encrypting Gmail messages by default last year.

Google and other Internet companies have placed greater emphasis on encryption since Edward Snowden published documents revealing the extent of the US government’s mass collection of Internet communications in 2013.

Those companies’ efforts have resulted in a dramatic increase in the proportion of encrypted messages received by Gmail, rising from 33 percent to 61 percent between December 2013 and October 2015, according to new research (PDF) carried out in partnership with the University of Michigan and the University of Illinois and published by Google.

During the same period the percentage of messages encrypted with TLS sent from Gmail to non-Gmail recipients increased from 60 percent to 80 percent, Google said.

‘Email is more secure’

Meanwhile, more than 94 percent of inbound messages on Gmail now contain some form of authentication, according to the company.

“Email is more secure today than it was two years ago,” wrote Bursztein and Lidzborski.

Government security bodies, including those of the UK, maintain that the spread of encrypted communications threatens their ability to protect citizens from attackers, and Google noted that certain countries strip encryption from email communications or manipulate DNS routing information in a way that could allow messages to be censored or altered before reaching their destination.

Google’s research noted that Tunisia, Iraq, Papua New Guinea, Nepal, Kenya, Uganda and Lesotho remove encryption from some or all messages. The company said it is working with industry association M3AAWG to better protect messages from encryption-stripping.

The company listed Slovakia, Romania, Bulgaria, India, Israel, Switzerland, Poland and the Ukraine as manipulating DNS routing data.

Security weaknesses

“Whether malicious or well-intentioned, STARTTLS stripping and falsified DNS records highlight the weakness inherent in the failopen nature and lack of authentication of the STARTTLS protocol,” Google’s study stated.

Such techniques don’t affect Gmail-to-Gmail communications, the company noted.

Earlier this year Mark Rowley, the leading counter-terrorism policeman in the UK, told a conference in London that some tech firms are helping militants avoid detection by developing systems that are “friendly to terrorists”, saying that tech firms need to think about their “corporate social responsibility” in creating products which make life difficult for law enforcement to access material during investigations.

“Some of the acceleration of technology, whether it’s communications or other spheres, can be set up in different ways,” Rowley said at the time. “It can be set up in a way which is friendly to terrorists and helps them… and creates challenges for law enforcement and intelligence agencies. Or it can be set up in a way which doesn’t do that.”

In June, firms including the likes of Google, Microsoft, Apple, Facebook and IBM appealed to US President Obama to respect the privacy rights of consumers by not weakening encryption systems.

‘Dire consequences’ of back doors

Apple chief executive Tim Cook warned last week of the possible harmful side-effects of the British government’s new draft investigatory powers bill, whichrequires companies to assist investigators’ efforts in bypassing encryption.

“We believe very strongly in end-to-end encryption and no back doors,” he told The Daily Telegraph. “Opening a back door can have very dire consequences,”

Google has itself been criticised for scanning users’ emails in order to fine-tune its advertising services, a practice it made explicit last year, stating in its terms of service that “our automated systems analyse your content (including emails) to provide you personally relevant product features”.

Are you a Google expert? Take our quiz!