Home » Security Bloggers Network » How to Encrypt Gmail

How to Encrypt Gmail

by Orlee Berlove on May 18, 2020

Encryption is the high-tech version of a code language. It scrambles your plain English data into something that an outsider, or attacker, can’t decipher. Unlike simple code languages of early military strategy, modern tech-enabled encryption cannot be cracked by even the most advanced of enemies. But not all encryption holds the same standard. Take Gmail encryption – it’s about as effective at protecting your data as a teaspoon would be for filling a swimming pool.

“Google itself, for instance, has the ability to see messages associated with your account, which is what allows the company to scan your email for potential spam and phishing attacks — and also to offer advanced features like Smart Reply, which suggests responses based on an email’s contents.“
–Computer World, Nov. 2018

Can You Encrypt Email in Gmail?

Sponsorships Available

Savvy users know that commercial Gmail offers little security. Unfortunately, many can be fooled by believing that using Transport Layer Security (TLS) is sufficient to make up for Gmail’s security deficiencies.

Transport Layer Security is a system used to encrypt sensitive information sent over the web. You’ll recognize it as the small lock icon in your URL bar. But using it doesn’t mean that your data is locked down.

For TLS encryption to be effective, both the sender and the recipient of the message must be using it. This means that if you use TLS to send an email to someone, their reply may be sent insecurely. Further, if there’s a spam or anti-virus service checking messages as they come in, on either end, that’s a potential point for attack. That’s a spot where the channel isn’t encrypted.

Transport Layer Security (TLS)

Even if both sender and recipient use TLS and the communication channel’s encryption is not broken, the bigger issue remains: the actual data transmitted is not encrypted. It exists naked on the server, vulnerable to not only hackers, but also the infamously overreaching surveillance of Google itself.

After coming under a barrage of well-deserved media fire for privacy policies that amount to a constant digital surveillance state as the default, Gmail tried to better its reputation with the release of Gmail Confidential. But Gmail Confidential, even if used in conjunction with TLS, is not the answer. Gmail Confidential is nothing but a PR bandaid that completely fails to address the inherent insecurity of Gmail’s insecure by design communication platform.

What is Gmail Confidential?

Gmail Confidential, Gmail’s inadequate answer to digital privacy, is a collection of smokescreen security offerings that all fall a little short of efficacy. Those offerings include expiration dates for messages, requiring recipients to enter passcodes to view messages, and restricting actions for messages received. Here’s why these measures don’t actually protect you.

Expiration dates for messages gives users the false sense that their communications are ephemeral. They send them, the user receives them, and then they disappear. Wrong. Expired messages aren’t erased for good. While they may disappear from a recipient’s inbox, they remain in the sender’s sent folder and Google’s prying eyes can continue to access them, as can hackers, governments, or anyone else with some tech know-how. Recipients can also easily hold on to emails by screenshotting them. Those screenshots won’t expire.

Requiring message recipients to enter a passcode to view the email sounds like a good way to ensure that only the intended recipient can access the message. In reality, it’s an insidious way for Google to trick you into turning over even more personal data. This feature involves Google generating a passcode and sending it to the recipient’s cellphone via SMS, so you have to turn over their phone number to Google. That phone number is now linked to their email address and the contents of the message you send them. Leave it to Google, the prodigies of Surveillance Capitalism, to turn alleged privacy add-ons into a way to support their stalking.

Note that in Gmail Confidential, messages can still be visible to employers or schools.

Restrictions on emails sent in confidential mode prevent recipients from forwarding, copying, downloading, or printing them. But, again, it takes a second to screenshot an email. This isn’t protecting your data from inappropriate sharing by the recipient. And it does nothing at all to address Google’s access to your data on their server.

Gmail Confidential is not private and it’s not secure. Providing users with a truly secure option would mean giving up access to users’ data and private communications. That’s just not in Google’s DNA. Without end to end encryption, which would protect data at all points of communication and storage, including on the server, Gmail Confidential is nothing more than marketing. Google can still read your emails and, as they’ve proven, if they can do it they will do it.

Do Pretty Good Privacy (PGP) plugins protect emails?

So you’re back to square one – trying to layer something over Gmail to make it secure. Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. You can download Google add-ons that provide PGP. Here’s why that isn’t worth the effort.

PGP is a middle aged cybersecurity strategy. Developed by Philip Zimmerman in 1991, PGP is almost thirty years old. Cybersecurity strategies aren’t like wine; they aren’t better with age. While the encryption used in today’s PGP plugins has been updated from that used in the early 90s, the strategy itself is based on systems that predate serious cryptography.

PGP digitally signs emails, it encrypts them with passwords, and it encrypts them with public keys, but it doesn’t do any of those things particularly well. It doesn’t do any of them at all unless both sender and recipient have compatible versions of PGP software. If their versions of PGP software are incompatible, and there are many different versions, the information either won’t be decoded or only decoded by one party.

You’re also risking your data if you use PGP plugins. With PGP, the user is responsible for key management. There’s no workaround if access is lost, you’ll just permanently lose access to your account. For corporate accounts and business communications, that isn’t an acceptable risk.

PGP plugins sound good in theory. In reality, they’re too clunky and user unfriendly to work for businesses. PGP plugins are not the answer.

End-to-End Encryption for Gmail

The answer is end-to-end encryption. Gmail doesn’t offer end-to-end encryption for its communications. Doing so would be counter to their data collection interests. That’s why PreVeil developed a robust, secure, user-friendly Gmail plugin that provides enterprises with easy-to-use, highly secure encryption.

End-to-end encryption encrypts your data during all steps of data communication and storage. Even on the server, the data is encrypted. That means that there are no vulnerability points. Everywhere an attacker tries to attack, they’ll see nothing but unintelligible gibberish where your data should be. The gold standard of end-to-end encryption that PreVeil employs to encrypt your messages is so strong that the United States State Department recently adopted legislation allowing use of the same technology to secure International Traffic in Arms Regulations (ITAR) data. End-to-end encryption is simply the best way to secure user data.

PreVeil’s Gmail plugin is a quick and easy download that automatically encrypts your messages with end-to-end encryption, protecting it from all prying eyes. That includes Google and PreVeil itself. We never see your data on the server, nor does anyone else. Best of all, this high-level security is so user-friendly that it recently became PC Magazine’s Editors Choice with an overall rating of ‘Excellent’.

PreVeil’s Gmail Chrome extension allows you to keep your existing Gmail address and send messages from within your familiar Gmail user interface. There are no passwords and no corporate admins with god permissions. There’s no tricky new software for IT to teach your team how to use. It’s impeccable data privacy and security, made effortless. Take back your privacy. When it’s this easy, there’s no excuse not to.