Google trumpets extra encryption for Gmail, but stays mum on other apps

While touting an additional security layer to protect Gmail users against snooping, Google remains vague on its other apps

Google recently trumpeted that it now encrypts Gmail messages while shuffling them among its data centers, an extra security layer aimed at thwarting government and criminal snoops, but didn't say if it applies this protection to its other applications.

Asked for clarification, the company declined to comment. "We don't have more details to share beyond the Gmail news, but we're always working in strengthening and encrypting across more services and links," a spokeswoman said via email.

Google's reluctance to clarify the scope of its internal encryption is baffling and does a disservice to enterprise customers who rely on the Apps suite for workplace communication, cloud storage and collaboration, according to analysts.

"When confronted with the evidence of a compromise, and asked for an explanation as to how it happened and what they are doing about it, Google is dissembling. This is no basis for trust," said Jay Heiser, a Gartner analyst.

At issue are reports from last year, based on leaks from former National Security Agency (NSA) contractor Edward Snowden, that the agency snooped on users of online services in part by intercepting data Internet companies transmitted unencrypted in "plain text" among their own servers and data centers.

Back in September, Google officials told The Washington Post that the company was accelerating efforts to encrypt communications between its data centers as a result of these reports.

"It's an arms race," Eric Grosse, vice president for security engineering at Google, said at the time.

About two weeks ago, Google announced it had turned on this "internal" encryption for Gmail, but glaringly neglected to address if and when this will be done for its other services and applications.

"Every single email message you send or receive -- 100 percent of them -- is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers -- something we made a top priority after last summer's revelations," the Google post reads.

The Google spokeswoman declined to provide an update on the efforts described in The Washington Post article in September, in which Google officials were quoted as saying the "end to end" internal encryption project would be completed "soon." The spokeswoman also declined to say exactly when this encryption was turned on for Gmail, acknowledging only that it was first announced in the March 20 blog post.

The situation is a model case for why enterprise cloud-service buyers need more transparency from their providers, according to Heiser. "Not only did nobody expect their data would be vulnerable to surveillance in this way, but nobody outside of Google knows what question to ask to determine if that's been fixed," he said.

"Without knowing how data is transferred between Google servers, nobody has any basis for knowing if risk still exists. We all now know that there is a hole, but without knowing more details, vague assurances from Google do not constitute reliable evidence that the hole has been plugged," he added.

Google's vague response suggests that the company hasn't completed the major undertaking Grosse referred to in September, and customers should take note of this, Heiser said.

"This is an instance in which the extreme size and complexity of Google should be a matter of suspicion for its users. Is the traffic or infrastructure supporting their search and advertising business a factor that inhibits the implementation of encryption between their sites?" Heiser said.

Peter Firstbrook, another Gartner analyst, was also unimpressed with Google's lack of response.

"As usual, Google gives no real information here," he said via email, referring to the March 20 blog post. "It is another 'trust us, we're doing the right thing.' No hyperlink into a fuller explanation. There may be a weakness in the new encryption scheme. We just don't know."

The lesson for buyers of software-as-a-service (SaaS) products is clear, according to Heiser: Demand clear, granular explanations from vendors about their security technology and policies.

"No amount of 'we have the following features' can ever help a SaaS buyer fully understand where a particular service might have undesirable vulnerabilities, if you don't have full details on the technology and topology of that service," he said. "SaaS is the digital equivalent to sausage: Mystery meat is not necessarily bad for you, but if you don't have full knowledge of the ingredients, you can never fully understand the health hazards."

Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags internetGoogleMailInternet-based applications and services

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Juan Carlos Perez

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?