Marking the 21st anniversary of Gmail, Google is preparing to roll out an end-to-end encryption standard for its email service in hopes of democratising encryption and leaving old standards in the dust.
Google is this week unveiling an enhanced client-side encryption (CSE) standard across its widely-used Gmail service – which marks its 21st birthday on 1 April – that it hopes may render the long-in-the-tooth Secure/Multipurpose Internet Mail Extensions (S/MIME) standard for end-to-end encrypted email (E2EE) obsolete once and for all.
S/MIME is used for public-key encryption and signing of MIME data and was originally developed by RSA many years ago. Today, although S/MIME functionality is widely used, it is not always enabled by default for most email services and it only works when both sending and receiving parties meet the standard.
This is because the IT teams on both sides need to acquire and manage the necessary certificates and deploy them to each user. Users then have to figure out whether they and the recipient both have S/MIME set up, and exchange certificates, before they can exchange encrypted emails.
And while alternatives such as built-in features from email providers or point solutions exist, they suffer from similar drawbacks.
To Google’s mind, this limits the use of E2EE to organisations that have significant IT resources to call on and strong use cases for sending encrypted mail, and even then they can frequently only do so using workarounds that create fragmented, limited and sub-optimal experiences for everyone involved.
“When you talk to any IT admins, they’ll tell you a few things about encryption,” said Neil Kumaran, group product manager for Gmail security at Google. “First, they will probably tell you that for some subset of their data, they need to be fully encrypted in some way – usually because of regulatory obligation and maybe because of contractual obligation.