Google automatically encrypts your emails in transit using the Transport Layer Security (TLS) encryption standard. TLS is better than no encryption at all, but you should still take Gmail’s encryption with a pinch of salt:
- TLS encryption only works if the receiver also has TLS encryption. If they don’t, you’re sending unencrypted email.
- TLS encryption isn’t very strong. Your message could still pass through a hacked or third-party server. Whoever is sitting behind that server could decrypt and read your messages.
- TLS is not end-to-end encryption. This means hackers can capture your email once it reaches the destination mail server.
- TLS does not encrypt your message, allowing Google bots to track your emails, read them and use the information found in them to create your user profile and share your information with third parties.
Every message in Gmail indicates whether it is encrypted or not. However, this does not mean that only you and the recipient can access your emails.
Gmail can see your messages and filter those that contain malware, phishing or look suspicious. Even encrypted with TLS, your confidential information can be stolen.
TLS is definitely better than no encryption, but if you’re looking for the highest level of security, it’s not enough.
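A per-hop view of the points above, as an added example that is not part of the original article: the script reads the `Received` headers of a constructed sample message and reports which hops were logged with a TLS-protected transfer protocol (the RFC 3848 `with` keywords such as ESMTPS). The host names and the message are made up, and the headers are only as trustworthy as the servers that wrote them.

```python
import re
from email import message_from_string

# Constructed sample (not real traffic): newest hop first, as in real mail.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.7])
\tby mail.recipient.example with ESMTP id abc123
\tfor <bob@recipient.example>; Tue, 02 Jan 2024 10:00:03 +0000
Received: from relay.thirdparty.example (relay.thirdparty.example [198.51.100.9])
\tby mx.recipient.example with ESMTPS id def456
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
\tTue, 02 Jan 2024 10:00:02 +0000
Received: from sender-laptop.example ([192.0.2.44])
\tby smtp.sender.example with ESMTPSA id ghi789
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
\tTue, 02 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed example

body
"""

BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+([A-Z0-9]*MTP[A-Z]*)\b", re.I)
TLS_NOTE_RE = re.compile(r"version=TLS|using TLS", re.I)

def hop_report(raw):
    """Return [(receiving_host, protocol, used_tls)] in delivery order."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        by, proto = BY_RE.search(flat), WITH_RE.search(flat)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        # RFC 3848: a trailing S (before an optional A for AUTH) means TLS.
        tls = name.rstrip("A").endswith("S") or bool(TLS_NOTE_RE.search(flat))
        hops.append((by.group(1) if by else "unknown", name, tls))
    return hops[::-1]                           # headers are prepended per hop

def cleartext_hops(raw):
    """Hops whose receiving server did not record a TLS transfer."""
    return [h for h in hop_report(raw) if not h[2]]

if __name__ == "__main__":
    for host, proto, tls in hop_report(SAMPLE):
        print(f"{host:28} {proto:8} {'TLS' if tls else 'CLEARTEXT'}")
```

Every server in the list handled the message in readable form, whether or not the connection into it was encrypted.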
Not directly: Google employees don’t have access to your emails and can’t read them. However, Google bots scan your emails to collect more information about you. They use this data to show you relevant content later in ads, YouTube suggestions, search results, etc. You can disable ad personalization in your ad settings. It won’t stop Google bots from scanning your emails, but things you discuss in private emails won’t show up in ads when you go online.
There are ways to give your Gmail an extra layer of encryption. You can do this by getting a paid G Suite account and encrypting your emails with S/MIME encryption or by using a third-party plugin and encrypting your emails manually. Let’s dive into them in more detail.
Google offers paid G Suite Enterprise and G Suite Education accounts with enhanced S/MIME encryption. With S/MIME, you can encrypt your messages with user-specific keys that you then need to share with the intended recipient. Otherwise, they will not be able to decrypt the message. With this plugin you will also be able to see the level of encryption that your message will have. Just look for a lock icon next to your recipient’s name (green: your message will support S/MIME encryption; grey: TLS encryption; red: no encryption).
Although it is more secure than TLS, it still has many vulnerabilities: the receiver also needs to use S/MIME, your message can be hacked again once it reaches the destination server, and Google can still scan your emails. It also creates an extra step that you need to complete before sending an email, which can be frustrating for those who send hundreds of emails a day. Encryption isn’t set by default, so you’ll need to ask your G Suite administrators to do it for you.
Flowcrypt works as a desktop Firefox or Chrome extension and adds a ‘Secure Compose’ button to your Gmail’s interface. It encrypts your messages with industry-standard Pretty Good Privacy (PGP) encryption. Your recipient can use any email service provider as long as it supports PGP, but you will still need to share your private key for them to decrypt the message. Alternatively, you can set a password, but you will still need to share it with the recipient.
SecureMail is another plugin that works similarly to Flowcrypt but was developed for Google Chrome users only. Once installed, you should see a lock icon next to Gmail’s ‘Compose’ button. Make sure to click on that icon before composing an email or you will send your sensitive information unencrypted.
With SecureMail, you’ll need to set up a password and a password hint for the recipient to decrypt your message. These should be shared with your recipient through other communication channels. The recipient will also need to be a SecureMail user to decrypt your message.
Mailvelope is another Chrome extension that offers PGP encryption, but this one might require more technical knowledge to set up.
If you used PGP encryption before and you already have your public and private keys, you can import them directly into Mailvelope. If not, you will have to generate new ones. For encryption to work, you’ll need to share your public key with the recipient, as well as import the recipients’ public keys into Mailvelope’s keyring. You can share your public key with others by uploading it to a public key server such as the PGP Global Directory or the MIT key server.
Once you’re set up, you can start composing your encrypted messages. Mailvelope will create a button next to the Gmail ‘Compose’ button. Once you click on it, a new window will appear. Compose your message and then click ‘Encrypt’. Choose the recipient and transfer the encrypted text to Gmail. Mailvelope gives you end-to-end encryption, which means that no one snooping on your traffic, not even Google, will be able to read your messages.
You can also try other plugins like Enigmail, GPGTools and GNU Privacy Guard.
Unfortunately, none of the options discussed above offer a perfect solution if you are concerned about your privacy. TLS and S/MIME encryption standards do not guarantee 100% security. Third-party plugins aren’t user-friendly, add extra steps to the email sending process, and don’t encrypt emails composed on a mobile device.
To send truly secure emails, you should look for a privacy-oriented email provider that:
- has end-to-end encryption, which means that your message will be encrypted at the time you compose it and can only be decrypted by the intended recipient. (Google promised to implement end-to-end encryption in 2014, but since then the project has not been developed);
- keeps your messages encrypted even if you send them to someone who uses a different email service provider;
- has a zero-knowledge policy so that not even the provider’s employees can see your encryption keys;
- encrypts not only your message, but also your attachments;
- offers ‘additional email accounts’ for total anonymity.