The 10th anniversary of Gmail reminds us of Google’s uncanny ability to symbiotically evolve with and shape the future of the Web. When the service launched in 2004, it successfully disrupted the then-dominant players in the space, a feat that the company pulled off for search, and repeated with Android. The most recent example of Google’s adaptation is its move to extend Gmail encryption.
The speed of innovation on the Web has opened up infinite possibilities, including those for cyber surveillance. Against this backdrop, Google has again emerged on the cloud providers’ side to lead the way in securing users’ emails. As explained on its Gmail blog:
“Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default. Today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers — no matter if you’re using public WiFi or logging in from your computer, phone or tablet.”
No, this isn’t déjà vu. While Google made a similar announcement about email protection in 2010, it will now also encrypt all inter-server traffic for Gmail, an additional step to enhance user privacy in the era of Web-powered communications.
At the center of Google’s approach to protecting the next generation of the Internet is a revamp of email encryption, a technique that traces back to the 1990s. Historically, HTTPS made it possible for e-commerce to flourish by securing the IT tunnels for payment transactions, authenticating websites and securing digital communications. Now, Google is adapting the protocol as part of its model for securing the future of the Internet by building trust in its technologies and by setting the stage for a more secure Internet.
The fact is that the Web is evolving much faster than we can grasp, and not always in a good way. But, as Google’s latest move shows, encryption is becoming a much more pervasive and trusted technology in our connected world. Even if the surveillance leaks had never occurred, the nature of information dispersed in the cloud would inevitably have roped encryption into the security, if not privacy, equation.
That said, the NSA’s extensive data collection programs have certainly escalated sensitivities. As a result, encryption terms once only known to the engineers working with these standards are crossing into the consumer sphere. Look again at the blog excerpt above. HTTPS shows up three times in one paragraph.
This level of broad awareness, both of the government’s actions and of the solution in the form of encryption, is a good thing. People have a right to know what is happening with their data, and in the case of sensitive data, enterprises are required by law to protect it.
Google has encrypted the email tunnels from end to end. Now it’s time to extend that protection to data across the IT stack that businesses and consumers touch. As Edward Snowden pointed out in his SXSW panel, encryption is most powerful when applied from end to end.
This requires the vendor community to work together to push the strongest available level of encryption across the entire technology stack. As explained above, HTTPS only secures the tunnel through which email moves. To complement this, encrypting the email contents, including video and audio, adds a layer of precaution for the content wherever it goes.
Beyond email, what if we encrypted data across all cloud applications — whether we’re talking medical records in a customer portal cloud, bank accounts shared on a collaboration cloud, Social Security numbers for Healthcare.gov, etc.? And then, as advocated by Snowden, let’s encrypt information on whole disks, servers and mobiles, too. This would create a proactive defense model that could protect sensitive data even in the worst-case scenario of a breach in the stack.
The timing couldn’t be better for an industry discussion on taking encryption from end to end. Privacy concerns are at an all-time high in the aftermath of Snowden’s revelations and the epic retail breaches at Target, Neiman Marcus and others. Now is a golden opportunity to define the future of encryption and its role in the creation of a more secure Internet.
Pravin Kothari, founder and CEO of CipherCloud, has more than 20 years of experience building industry-leading companies and bringing innovative products to market. He was the founder and CTO of Agiliance, a security risk management company; and co-founder and VP Engineering of ArcSight, a security company that was acquired by Hewlett-Packard for $1.6 billion. He holds more than a dozen patents in security technologies, and is the inventor behind CipherCloud’s cloud encryption technology. Reach him @pkothari.