There's a new way to keep your Gmail safe from prying eyes, and experts say it's well worth using.
Google announced the addition of end-to-end encryption (E2EE) to Gmail on the web, which will allow enrolled Google Workspace users to send and receive encrypted emails within and outside their domain.
In an email interview with Lifeire, end-to-end encryption is critical for any communications service because it restricts message content to the sender and receiver(s), according to Jeff Wilbur, senior director of online trust at the nonprofit Internet Society.
"This means that the message content can be seen by bad actors or rogue employees and is subject to access by law enforcement under warrant," Wilbur added. "With end-to-end encrypted email, only the sender and recipient(s) have the key to unscramble the data, so it is safe from prying eyes of any kind."
Users of Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar already have access to client-side encryption, or what Google refers to as E2EE. The email header won't be encrypted if you enable the new encryption. Still, Google claims that data delivered as part of the email's body and attachments cannot be decrypted by Google servers.
"With Google Workspace Client-side encryption (CSE), content encryption is handled in the client's browser before any data is transmitted or stored in Drive's cloud-based storage," Google wrote on its support website. "That way, Google servers can't access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share it internally or externally."
The sender's and the receiver's devices—also referred to as device-to-device encryption—are these two ends in a true end-to-end encrypted messaging service, according to Anurag Lal, CEO of the cybersecurity firm NetSfere, in an email interview with Lifewire. He stated that this type of encryption is perfectly safe because it ensures that only the intended recipient can access the messages. Once messages are encrypted on the sender's device, they cannot be decrypted until they reach the receiver's device.
"While traversing the internet, a message may take several hops from server to server before reaching its final destination," he added. "True E2EE ensures that the message cannot be decrypted on any of these hops, thereby providing complete protection. It should be noted that in E2EE, the ends can refer to any two endpoints. Therefore it's essential to know what these endpoints are to understand if your messages are truly protected."
Private Data
Other email services that don't use Gmail provide end-to-end encryption. People can utilize PGP encryption to encrypt their own emails, but there are also email providers that focus on email encryption, like ProtonMail, according to Robert Andersen, CEO of data security firm Grape ID, in an email to Lifewire.
"Sadly, implementing PGP encryption typically requires significantly more effort than most people are willing to put forth (watch online training videos)," he added. "ProtonMail is a good solution for those who don't mind changing email providers and paying a subscription."
According to Kory Fong, vice president of engineering at Private AI, end-to-end encryption is "essential" for emails to maintain confidentiality. The only way to guarantee that only the sender and the recipient can view all the information in that email is to use this method.
"So even the email provider that controls the servers can't see what's in the messages," he added. "Generally, email services like Gmail will encrypt your email in transit, but Google itself can still access the content and even give access to third parties, but won't without explicit consent."
Fong said that ProtonMail is the most well-known provider that offers end-to-end email encryption, even in its free tier. "The company uses asymmetric, zero-access encryption, meaning even ProtonMail itself can't read what's in your emails," he added.
Another option for users who value their privacy above all else is to distribute a public key to others while automatically encrypting their mail with a private key. This is simple to use thanks to programs like GPG Suite and other GPG plugins, according to Fong. Whichever option you select, E2EE for email is crucial because, according to Andersen, email serves as the entry point to your entire online identity and data.
"Email provides centralized access to all of your online accounts, and your 26,000+ tracked digital profile attributes could easily get in the wrong hands leading to hundreds of types of fraud and scams," he added.
