Google Rolls Out Gmail End-To-End Encryption On Mobile Devices

Gmail's end-to-end encryption is now available on all Android and iOS devices, letting enterprise users send and read encrypted emails directly in the app without any extra tools. "This launch combines the highest level of privacy and data encryption with a user-friendly experience for all users, enabling simple encrypted email for all customers from small businesses to enterprises and public sector," Google announced in a blog post. BleepingComputer reports: Starting this week, encrypted messages will be delivered as regular emails to Gmail recipients' inboxes if they use the Gmail app. Recipients who don't have the Gmail mobile app and use other email services can read them in a web browser, regardless of the device and service they're using.

[...] This feature is now available for all client-side encryption (CSE) users with Enterprise Plus licenses and the Assured Controls or Assured Controls Plus add-on after admins enable the Android and iOS clients in the CSE admin interface via the Admin Console. Gmail's end-to-end encryption (E2EE) feature is powered by the client-side encryption (CSE) technical control, which allows Google Workspace organizations to use encryption keys they control and are stored outside Google's servers to protect sensitive documents and emails.

Google and Privacy

[IWantMoreSpamPlease]

are words that do not go together. I await the news that Google has the keys to this and use it for...whatever nefarious purposes...very soon now.

Re:

[Austerity Empowers]

I await the news that Google has the keys to this and use it for.

You're unlikely to hear this news without either another Snowden level leak, or a very long, drawn out legal battle.

Re:

[Anonymous Coward]

RTFS

Gmail's end-to-end encryption (E2EE) feature is powered by the client-side encryption (CSE) technical control, which allows Google Workspace organizations to use encryption keys they control and are stored outside Google's servers to protect sensitive documents and emails.

Let me guess: new standard?

[Anonymous Coward]

Did they use OpenPGP or x.509-baed S/MIME? Let me guess: something new.

How are keys introduced? Let me guess: Google is fully trusted to do it for the users.

Re:

[Anonymous Brave Guy]

Google learned to embrace, extend and extinguish right out of Microsoft's playbook. They were excellent students and you can see the results in how email and web "standards" work today.

The difference is that when Microsoft did it the authorities eventually started getting in their way to promote more openness and competition again. So far there is little sign that anyone intends to challenge the way a few tech giants have recently been capturing long-established standards that we rely on for what have becom

What I want for Christmas from the google

[shanen]

Is NOT this encryption. Why don't I want this encryption? Can't possibly be because I don't trust the google anymore, so I am sure that it includes back doors of their convenience.

Can't imagine how today's google could convince me that they have changed their business model in a way that they aren't selling me as the product. Funny related reading is Disrupted by Dan Lyons. Actually a couple of years old, but still funny.

What do I actually want from the google? Right now the #1 priority would be a way to delete the garbage in my google account. Without completely tossing the stuff that I speculate could come back to haunt some criminals. I think that business model is actually to get me to pay for personal information they have acquired without my comprehension and now want to store on my time. But in lack of a "friendly" solution I'm on the verge of wholesale slaughter of the data, hopefully including whatever the google values because it is the data they hope (or want) to use against me. Freedom is a funny thing, too.

By the way, I don't even know if Gmail still has that confidential email stuff. What I wanted there was an option to auto-bounce any incoming email that tried to use it. Seems moot, since I can't recall ever seeing such an animal.

Re:

[shanen]

*sigh*

s/on my time/on my time/

And probably other mistakes.

Re:

[shanen]

*sigh* !

s/on my time/on my dime/

My fingers and eyes are borken [sic].

Re:

[SlashbotAgent]

I completely sympathize with you. As I also hate it when one of my snark filled grammar Nazi posts backfires and embarrasses the fuck out of me.

Your ears must be hot from the humiliation and you can't edit nor delete it. LOL!

Re:

[shanen]

NAK

Re:

[jenningsthecat]

What do I actually want from the google? Right now the #1 priority would be a way to delete the garbage in my google account.

What I actually want from the google is for them to just fuck off and die. Seriously, at this point the world would be a better place without them, even given all the disruption that nuking them would cause. Short-term pain for long-term gain, etc.

Re:

[shanen]

I'm not sure how much I agree, though I'm more sure that I can't say I disagree. My old position was that I favored evolution over revolution, but I'm less sure what that means now. When it comes right down to it, both evolution and revolution are driven by death, and how much does it matter about the timing?

But I'm also beginning to understand the violent Russian anarchists I studied so many decades ago. They caused a lot of problems in Russia before Lenin took over, but I was basically stumped by their mo

Client

[Himmy32]

E2E doesn't matter very much if you also control the client.

Re:

[gweihir]

Indeed. And there is a second problem: Since this seems to be gmail-only, it does not solve any issues with email sent over the open Internet. Unless gmail uses non-encrypted protocols for the client connections?

I am a bit confused as to what advantage this supposedly has?

Re:

[Himmy32]

what advantage this supposedly has?

The data stored in their cloud is stored encrypted with your key, which is undoubtedly better. So a government request for data on their servers would return nothing.

But just like the recent "Antifa" Signal Group Chat [slashdot.org] showed again that the most vulnerable piece of the equation is the end device. And is also true for non-government threat actors.

But Google making their infra able to be used more privately is still a good thing.

Re:

[gweihir]

So this is protection against Google? Well. It would make sense, but I somehow doubt they are really doing that.

"End to End"

[Unpopular Opinions]

Except Google can still read, index and process your email messages as they are delivered to them. In reality, this is just taking competition away from reading from the wire. Everything else continues to be managed by Google.

So, Only Google Can Spy on You?

[BrendaEM]

Google putting end-to-end encryption is like putting a pillow on top of the hand-grenade you're sitting on.

"User friendly", you say

[gweihir]

At this time that still means reduced security. That will eventually change, but not anytime soon. That said, for most uses, this should be fine, even if one goal is obviously creating a google-only email system.

Non enterprise?

[wgoodman]

I see nothing in tfs about how non enterprise users can have the illusion of privacy as well.

Re:

[Himmy32]

Because if you aren't paying with money, then your data and your eyeballs on targeted ads are the payment.

pre scanned at their end

[Growlley]

of course!

Not E2EE if not user managed keys

[ei4anb]

It's not end to end encryption if the mail transport provider manages the encryption keys. I participated in the Google early testing of PGP for Gmail but that never got past beta testing. It seems they decided that key management is too complicated for Johnny, so they went with server side S/MIME for Gmail. Nevertheless they cannot claim that they have deployed true end-to-end encryption.