Google shifts on email encryption tool, leaving its fate unclear

Credit to Author: Michael Kan | Date: Mon, 27 Feb 2017 13:34:00 -0800

Google is asking developers to take over its effort to make end-to-end email encryption more user-friendly, raising questions over whether it’ll ever become an official feature in the company’s browser.

On Friday, the search giant said its email encryption tool, originally announced in 2014, was no longer a Google product. Instead, it’s become a “full community-driven open source project,” the company said in a blog post.

The tool is designed to work as an extension to Google’s Chrome browser that uses the OpenPGP standard to encrypt emails, ensuring that only the recipient can read them, and not the email provider or a government.  

The main goal of Google’s project was to make OpenPGP easier to use. It was announced amid growing scrutiny over U.S. surveillance efforts following disclosures from noted leaker Edward Snowden.

However, the search giant hasn’t made the extension officially available on its Chrome Web Store. Instead, the project’s source code has only been made available on GitHub, a software collaboration site, making the extension harder to install, especially for non-technical users. 

The GitHub page also hasn’t been frequently updated, so it’s unclear how serious the search giant has been about the effort, or if others will take up the project.

Google didn’t immediately respond to a request for comment. But the GitHub page is offering the source code to what’s called E2EMail, a Chrome extension that works with Gmail. “At this stage, we recommend you use it only for testing and UI feedback,” the page says.

A screenshot of the E2EMail extension. 

In December 2014, Google also said that its end-to-end encryption tool still wasn’t as “usable as it needs to be,” pointing to the problem of managing the public keys used in PGP encryption. Often, the keys necessary to exchange secure messages are held on a public server or sent via email, but the authenticity of the user providing them is never verified.

Last month, Google announced a separate open-source project, called Key Transparency, that tries to solve this problem. It essentially works as a lookup service for public keys. As a safeguard, all the logs can be audited to check for any suspicious activity.

In Friday’s blog post, Google said the Key Transparency project was “crucial” to the development of its end-to-end email encryption efforts.

“Key discovery and distribution lie at the heart of the usability challenges that OpenPGP implementations have faced,” it said.

Although Google’s email encryption tool is no longer a company-led product, Google is still hoping to integrate it with its Key Transparency project, according to the blog post. 

In the midst of Google’s effort, others are also developing new email encryption protocols. Last month, the developer behind Lavabit, an email service that Snowden used, released its own open-source encrypted email standard for surveillance-proof messaging.
