Thursday, April 3, 2025

Gmail ‘bubble’ encryption may be an S/MIME killer, says Google


Google is this week unveiling an enhanced client-side encryption (CSE) standard across its widely-used Gmail service – which marks its 21st birthday on 1 April – that it hopes may render the long-in-the-tooth Secure/Multipurpose Internet Mail Extensions (S/MIME) standard for end-to-end encrypted email (E2EE) obsolete once and for all.

S/MIME is used for public-key encryption and signing of MIME data and was originally developed by RSA many years ago. Today, although S/MIME functionality is widely used, it is not always enabled by default for most email services and it only works when both sending and receiving parties meet the standard.

This is because both IT teams need to acquire and manage the needed certificates and deploy them to each user, added to which users then have to figure out whether they and the recipient have S/MIME set up and then exchange certificates before they can exchange encrypted emails.

And while alternatives such as built-in features from email providers or point solutions exist, they suffer from similar drawbacks.

To Google’s mind, this limits the use of E2EE to organisations that have significant IT resources to call on and strong use cases for sending encrypted mail, and even then they can frequently only do so using workarounds that create fragmented, limited and sub-optimal experiences for everyone involved.

“When you talk to any IT admins, they’ll tell you a few things about encryption,” said Neil Kumaran, group product manager for Gmail security at Google. “First, they will probably tell you that for some subset of their data, they need to be fully encrypted in some way – usually because of regulatory obligation and maybe because of contractual obligation.

“The second thing they’ll tell you is that the current state of encryption is super hard to implement across the email ecosystem. And even if they implement some of these solutions outside of ideal use cases, there are usually holes in their encryption posture. The TLDR is this is widely felt across our customer base.”

Google said its solution to this effectively democratises encryption while requiring minimal effort for both IT teams and users, abstracting away old headaches associated with encryption while enhancing data control, privacy and sovereignty.

New model

Google’s solution is a new encryption model that it said removes the need for complex certificate requirements or complex admin rights and enables users to send fully-encrypted messages to any user on any platform.

“The idea is that we are creating sort of a protective bubble for emails that feels automatic to the point that it just feels like normal email,” Julian Duplant, Gmail security product manager, told Computer Weekly. “We’ve created a service that makes the organisations that use this functionality become the total gatekeeper for that data.”

With the new bubble technology, Google said it is first putting control of the certificates, or keys, needed to encrypt or decrypt messages into the hands of its customers, relinquishing its own ability to access the messages for good.

Second, it is giving them control of the user directory that decides who has access to the keys.

Third, it has created a new guest functionality where customers can automatically generate temporary accounts in their organisation for external recipients to access and decrypt the message subject to the customer’s rules.

“What that looks like as a functionality is, if you’re sending to a recipient that has Gmail, whether it’s Workspace or Consumer, they’re going to be able to automatically decrypt that message based on the organisation’s rules. [But] if the organisation is any other email provider in the world, they’re going to receive an email notification saying Julian has sent you an encrypted message, click here to read it,” said Duplant.

“When the user clicks that message, the browser will open and they will see a safe Gmail interface where they can decrypt the message and write their own reply. The best part about it is we’re doing this in a way that doesn’t require S/MIME. All that certificate exchange that would have happened before no longer has to be done. It feels automatic, and it gives customers the ability to have their own sort of safe space and control of that data.”

It is also important to note that when the recipient has S/MIME configured, Gmail will still send the email via S/MIME as it already does.

Google believes this approach offers a more comprehensive encryption solution for its customers, which has the beneficial side effect of reducing friction and lowering the barrier to doing cyber security effectively.

Data sovereignty a key benefit

Another side effect of this approach to client-side encryption, said Google, is that in making its customers the ultimate arbiters of who can access their email data, it can help them safeguard themselves against, for example, unwarranted intrusions by governments demanding the service provider hand over the data.

Google said this will hopefully heighten customer compliance with data sovereignty regulations, export controls and other requirements such as HIPAA in the US.

The new technology is available today in beta for organisations using Gmail internally, but in the coming weeks users will be able to send E2EE emails to any Gmail inbox and to any email inbox later in the year. More information is available from Google and organisations can sign up here for the beta programme.
