Are Yahoo and Google Really Serious About E-mail Encryption?

Despite big promises, these tech giants probably won’t champion end-to-end encryption

4 min read
Are Yahoo and Google Really Serious About E-mail Encryption?

/img/emails-finalV2-1450385104478.png Illustration: Elias Stein

Last March Alex Stamos, then Yahoo’s head of information security, showed off prototype software for encrypting sensitive e-mail messages. The new tool, which Stamos said could be ready for deployment by the start of 2016, featured “end-to-end” encryption, meaning that even Yahoo itself wouldn’t be able to decrypt messages stored on its servers.

Yahoo promised to make such encryption easy to use, building on open-source software for end-to-end e-mail encryption that Google has been developing. (Google’s software implements a standard called OpenPGP, based on an encryption system that Phil Zimmerman created in 1991: Pretty Good Privacy, or PGP.)

Matter of Fact

The name for the now 25-year-old encryption system Pretty Good Privacy (PGP) was inspired by Ralph’s Pretty Good Grocery of Garrison Keillor’s fictional Lake Wobegon.

If Yahoo and Google were to throw their market weight—not to mention their substantial developer resources—behind end-to-end e-mail encryption in 2016, it would no doubt displease the many government authorities who claim this technology is rendering them unable to eavesdrop on bad guys’ electronic communications—or “going dark” as they call it.

James Comey, director of the Federal Bureau of Investigation, summarized those sentiments in July when he told the Senate Judiciary Committee that “we have on a new scale seen mainstream products and services designed in a way that gives users sole control over access to their data.” He pointed to the central role of tech companies, saying, “We would like to emphasize that the Going Dark problem is, at base, one of technological choices and capability.”

The implication of Comey’s statement was clear: If companies were forbidden by law from offering such privacy protections, the products and services Comey alluded to would have to be shut down—at least in the United States. But it’s unlikely that the U.S. government will do that anytime soon. Indeed, the Obama administration signaled in October that it would not ask tech companies to build back doors into their encryption products, given the strong possibility that weakening security in this way would enable criminal hackers and malicious foreign agents to compromise even more systems than they are already doing.

Such concerns aren’t so strong on the other side of the Atlantic, though. In particular, U.K. prime minister David Cameron indicated last July that he wants to outlaw encrypted messaging systems that don’t offer government authorities the means to decrypt content. And in November, U.K. home secretary Theresa May introduced a surveillance bill that would, among other things, outlaw end-to-end encryption. The debate is bound to boil over in the next few months as U.K. lawmakers work to replace the country’s Data Retention and Investigatory Powers Act 2014, which is set to expire at the end of 2016.

So are Google and Yahoo headed on a collision course with the U.K. government over their end-to-end e-mail encryption? Probably not, according to Matthew Green, a cryptography expert at Johns Hopkins University, in Baltimore. “I don’t think they are putting the resources behind it that it needs,” says Green. He estimates that Google has one or two developers working on end-to-end e-mail encryption, too few to meet the challenge of creating a system that’s truly versatile. Yahoo, too, hasn’t dedicated adequate resources to the project to make their efforts successful, argues Green. “I think eventually they’ll have egg on their face.”

/img/HRAlexStamosbyWinMcNameeGettyImages490832273-1450276860493.jpg Truth To Power: Alex Stamos, then Yahoo’s information-security chief, testified before the U.S. Senate’s Homeland Security Committee in 2014. Stamos has since left Yahoo for Facebook, where he is the chief security officer. Photo: Win McNamee/Getty Images

Christopher Soghoian, principal technologist of the American Civil Liberties Union, is similarly skeptical, characterizing these projects at Google and Yahoo as post-Snowden “feel-good” exercises. Soghoian notes that strong e-mail encryption goes against these companies’ self-interest: “Google wants to be your brain,” doing things like adding flight times to your calendar when you receive an e-mail confirmation after buying a plane ticket. “That kind of personal digital assistant is possible only if they see everything you’re doing.”

While he, too, recognizes the PR value Google and Yahoo gain from these projects, Joseph Bonneau, a technology fellow at the Electronic Frontier Foundation, in San Francisco, thinks that these tech giants’ interest in developing end-to-end e-mail encryption is more genuine. “It’s definitely a problem that Google and Yahoo would like to solve,” he says. It’s just that the challenges that come along with encrypting e-mail are enormous. They include figuring out how to manage people’s cryptographic keys in a way that is secure and yet doesn’t make users prone to losing access to their e-mail archives, how to filter spam when only the end user can read the messages, and how to enable users to search through their past messages. “The experience of Gmail would be a lot different if you couldn’t search,” notes Bonneau.

Both Google and Yahoo declined interview requests, so it’s hard to gauge whether these companies really are determined to provide their users with encrypted e-mail in 2016. Even if they end up putting serious muscle behind the effort, it might still stall. It’s a better bet that the main battlefield in 2016’s cryptowars won’t be e-mail so much as instant messaging services like iMessage and WhatsApp, where users have fewer expectations for spam filtering and searching. What makes end-to-end encryption in these messaging services so attractive and popular, Bonneau says, is, ironically, that “nobody knows it’s there.”

This article originally appeared in print as “Don’t Expect Encrypted E-mail in 2016.”

The Conversation (0)

Video Friday: DARPA Subterranean Challenge Final

1 min read

This week we have a special DARPA SubT edition of Video Friday, both because the SubT Final is happening this week and is amazing, and also because (if I'm being honest) the SubT Final is happening this week and is amazing and I've spent all week covering it mostly in a cave with zero access to Internet. Win-win, right? So today, videos to watch are DARPA's recaps of the preliminary competition days, plus (depending on when you're tuning in) a livestream of the prize round highlights, the awards ceremony, and the SubT Summit with roundtable discussions featuring both the Virtual and Systems track teams.

Keep Reading ↓ Show less

Making 3D-Printed Objects Feel

3D-printing technique lets objects sense forces applied onto them for new interactive applications

2 min read

Researchers from MIT have developed a method to integrate sensing capabilities into 3D printable structures comprised of repetitive cells, which enables designers to rapidly prototype interactive input devices.


Some varieties of 3D-printed objects can now “feel," using a new technique that builds sensors directly into their materials. This research could lead to novel interactive devices such as intelligent furniture, a new study finds.

The new technique 3D-prints objects made from metamaterials—substances made of grids of repeating cells. When force is applied to a flexible metamaterial, some of their cells may stretch or compress. Electrodes incorporated within these structures can detect the magnitude and direction of these changes in shape, as well as rotation and acceleration.

Keep Reading ↓ Show less

How to Write Exceptionally Clear Requirements: 21 Tips

Avoid bad requirements with these 21 tips

1 min read

Systems Engineers face a major dilemma: More than 50% of project defects are caused by poorly written requirements. It's important to identify problematic language early on, before it develops into late-stage rework, cost-overruns, and recalls. Learn how to identify risks, errors and ambiguities in requirements before they cripple your project.

Trending Stories

The most-read stories on IEEE Spectrum right now