Gmail encryption: Everything you need to know | Computerworld

Encryption may sound like a topic best left to hackers and tin foil hat wearers, but don’t be fooled: it’s a critical part of contemporary life and something that’s important for everyone, especially business users, to understand. And one of the places where encryption is most relevant and most misunderstood is in the realm of email.

If you’re using Gmail for electronic communication, whether for business, personal use, or a combination of both, it’s worth knowing how the service does and doesn’t protect your information and what steps you can take to ensure you get the level of privacy you need.

Ready to dive in?

Gmail encryption: How Google protects most messages

Gmail’s standard method of encryption is called TLS, or Transport Layer Security. As long as the person you’re emailing with uses a mail service that also supports TLS (which most major email providers do), all messages you send through Gmail will be encrypted in this way.

What that basically means is that it will be incredibly difficult for anyone to look at a message while it’s on its way from point A to point B. However, it does not guarantee that the message will remain private or available only to the recipient once it reaches the destination mail server. Google itself, for example, has the ability to view the messages associated with your account, which is what allows the company to scan your email for potential spam and phishing attacks, and also to offer advanced features like Smart Reply, which suggests replies based on the content of the email.

(Google also used to scan messages for ad targeting, but stopped doing that in 2017. And if you’d rather not have those smart suggestion features in the picture, by the way, you can always turn them off in your account, although that will have no direct effect on Gmail’s approach to encryption or when and how that extra layer of security is applied.)

If the person you’re communicating with uses a mail server that doesn’t support TLS, messages won’t be encrypted at all. With paid Google Workspace accounts, admins can choose to only allow messages to be sent or received with TLS encryption, though that would have its own set of undesirable consequences, as you can imagine, in terms of your outgoing messages bouncing or certain incoming messages never reaching your inbox.

Gmail encryption: A next-level option

Beyond that basic form of encryption, Gmail supports an enhanced standard known as S/MIME, or Secure/Multipurpose Internet Mail Extensions (gesundheit!). It’s only available for paid Google Workspace accounts, so if you’re using a regular free Gmail account, it doesn’t apply to you.

For people with enterprise-grade Workspace setups, however, S/MIME (which may or may not have been invented by a mime) allows emails to be encrypted with user-specific keys so they remain protected during delivery and can be decrypted only by the intended recipient.

Like TLS, S/MIME only works if both sender and recipient use a compatible service, and, as an added complication, only if both parties have exchanged keys in advance so that the encryption can be properly configured. Like TLS, it also does nothing to keep a message secure once it reaches its actual destination server (and, again, within Gmail, Google itself will be able to scan messages in the usual automated way).

Last but not least, a Workspace administrator must enable S/MIME before it will work.

Gmail encryption: End-to-end encryption

Google has been talking about adding end-to-end encryption to Gmail since 2014, but all that talk hasn’t amounted to much so far (and may never, according to some analyses). The only way to get that level of protection in Gmail at the moment is to rely on a third-party service like FlowCrypt, which is available as a Chrome or Firefox extension on the desktop and also as its own standalone Android mail client. (An iOS app is also available as a pre-release test.)

FlowCrypt adds a special “encrypt and send” button to your inbox interface, which allows you to send encrypted messages using the PGP standard (Pretty Good Privacy; yes, that’s what it’s called). Your recipient will need to have FlowCrypt or another PGP system configured and will also need to have your personal PGP key in order to decrypt and view your messages. Alternatively, you can use the app or extension to encrypt a message with a password, which you then need to provide to the recipient in some way.

So, yes: it’s not exactly simple, and the third-party plugin implementation isn’t quite ideal. But it can do the job. And it’s free, up to a point: if you want to unlock the service’s full feature set and remove all of its restrictions, you’ll need to pay $5 per month for a premium subscription. Enterprise plans are also available, with rates that vary based on the total number of users involved.

Wait, what about Gmail Confidential Mode?

Yes, but don’t give it too much importance. Confidential Mode is a feature that Google added to Gmail as part of the service revamp in 2018. The idea is that it allows you to prevent anyone from forwarding, copying, printing, and downloading anything you send them, and, if you want, to set an expiration date after which your message will no longer be accessible. You can also create an access code, delivered by email or text message, which is required to open the message.

That all sounds pretty good on the surface, but the problem is that it doesn’t really do much when it comes to actual security. Messages still aren’t fully encrypted, which means Google and other mail services can still see and store them. The “no forwarding, copying, printing and downloading” bit doesn’t mean much either, since anyone can take a screenshot of a message if they wish. (Google has said that the feature is less about that level of security and more about simply deterring people from accidentally sharing sensitive information where they shouldn’t.)

The same applies to message expiration dates, as does the fact that an “expired” message still exists in your own Gmail Sent folder. Overall, Confidential Mode has the potential to be useful for what it is, but it doesn’t involve encryption or any significant high-level privacy. In fact, the Electronic Frontier Foundation has gone so far as to say that the mode could create a false sense of security and deter users from finding more serious solutions.

So what other options are there?

If you’re looking for native end-to-end encryption and the highest level of privacy possible, your best bet is to look outside of Gmail, to a standalone email app called ProtonMail. ProtonMail is among the best privacy and security apps on Android, and for good reason: it makes privacy a top priority in ways that no form of standard Gmail encryption can match.

First, ProtonMail uses an open source method of end-to-end encryption that ensures that no one but the intended recipient, not even the people at ProtonMail, can see your messages. Beyond that, the app doesn’t require you to provide any personal information to use it, and the company doesn’t keep logs of IP addresses or anything that could associate your identity with your account. Its servers are also hosted in Switzerland, in a “bunker 1000 meters under the Swiss Alps,” no less, which apparently has its own set of security benefits.

Here’s how it works: When you sign up, ProtonMail gives you a personalized email address at its domain. You can then use that address to send secure messages within the ProtonMail Android app, iOS app, or web interface. Every time you send an email to another person with a ProtonMail address, the encryption is automatic. If you’re sending an email to someone who doesn’t use ProtonMail, you can choose to send the message unencrypted, just like any other normal email, or you can click a button to create a password and hint that the recipient will need to decrypt and read your message.

ProtonMail is free at its most basic level, giving you a single ProtonMail address, 500MB of storage, and up to 150 messages per day. You can get more storage, more messages per day, and access to advanced features like email filters, an autoresponder system, and support for custom domains, starting at $48 a year.

It’s not technically Gmail encryption, of course, but you can import your Gmail messages or configure Gmail to forward to ProtonMail, or just use ProtonMail as a Gmail plugin for times when you need the highest possible level of protection. When privacy is a priority and you don’t want to take risks, it’s an excellent option.