Google introduces client-side encryption for Gmail - but not for you.

Gmail's end-to-end encryption project seemed dead in 2017. Now it's back, but only for key account customers.

2022-12-20
How to encrypt emails in Gmail? Use an encrypted email provider instead!
Gmail once promised that it would become end-to-end encrypted by default. Now Google has announced that it is following through on its promise - but only for Workspace key accounts. For private Gmail users, end-to-end encryption is still out of reach. Will this new effort for true security be available to all users in the future, or just to a 'chosen few'?

TL;DR: Google says end-to-end encryption is important for security. But normal users will not see such a feature in their Gmail account. To secure your emails now, we recommend you sign up for a fully encrypted Tutanota mailbox. It is better to use a Gmail alternative that encrypts your entire mailbox and contacts automatically - and respects your privacy.

Encryption in Gmail

Back in 2014 it looked like Gmail wanted to bring end-to-end encryption to all users. Yet the company never followed through on this promise, which was made shortly after the Snowden leaks on NSA surveillance.

Gmail's earlier end-to-end encryption project seemed dead in 2017. Now it's back, but this time only for key account customers.

Google has just announced that it will offer client-side encryption for its Gmail email service for beta testing. However, it is available only to key account customers after an application, and right now only as a beta version.

"With Google Workspace Client-side encryption (CSE), content encryption is handled in the client's browser before any data is transmitted or stored in Drive's cloud-based storage."

"That way, Google servers can't access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share it internally or externally", Google explains.

Google explains how you can apply to have the encryption enabled on your account if you are a Google Workspace Enterprise Plus, Education Plus, or Education Standard customer.

The feature currently only works within the browser, but app support is planned, the company said.

Notably, Google does not call the feature 'end-to-end encryption', but 'client-side encryption'. The emails are not encrypted in a zero-knowledge format: businesses can recover emails sent through their system, even if they were encrypted.

Encryption is gaining momentum

This new move by Google follows a trend that encryption and privacy matter - one that was originally sparked by fully encrypted services such as Signal and Tutanota more than a decade ago.

Apple also recently announced that it will start to offer end-to-end encryption for iCloud backups.

After ten years of successful user growth of apps such as Tutanota, Signal and others, Big Tech is feeling the pressure. Users no longer want to give away their data in return for 'free' services.

Instead, they understand that their data is the new gold and that it must be protected just like any other valuable asset: with proper end-to-end encryption.

We at Tutanota welcome the move by Google and Apple as it will make the web as we know it more secure. However, important features like encryption must not be limited to a chosen few!

On the contrary: Everyone deserves encryption!

Regardless of these companies' decisions, we are thrilled to see a growing number of people understanding the need for and the importance of privacy. We already said in 2017 that the privacy era has started, and we have been proven right ever since.

People around the world are no longer okay with fueling the surveillance capitalism of Big Tech.

Will Big Tech protect everyone?

The question that remains after Google's latest move to offer proper encryption to business customers is:

Will Google offer end-to-end encryption to everyone?

Given Google's business model of harvesting personal data and selling targeted ads to businesses, it is highly unlikely that they will.

Quote: If it's free, you are the product. End-to-end encryption is not available to all in Gmail.

People on Reddit are also sure that Google will not offer true encryption to everyone.

But fortunately, people are smart enough to choose alternatives.

New tools have made protecting people's private data very easy. Email services like Tutanota and chat apps like Signal are just a few that integrate encryption seamlessly into their services so that users don’t have to think about how the encryption works.

And the best thing is: With these apps, encryption is available to everyone, not just a chosen few.


History of Gmail's end-to-end encryption project

In 2017, Google silently handed the E2EMail project, which was started to enable easy end-to-end encryption in Gmail via a browser extension, to "the open source community". Since then the GitHub project has been literally dead.

Three years earlier, Google had announced that they were building an end-to-end encrypted Chrome plugin to automatically encrypt emails between Gmail users.

Promise to add email encryption tool to Gmail was marketing move

In 2017 it became obvious that promising easy email encryption in Gmail to millions of users was only a marketing move after the Snowden revelations in 2013. While the E2EMail project would have been a great tool for millions of people to automatically adopt end-to-end encryption, it was buried by Google when they no longer saw its marketing benefits.

"The real message is that they’re not actively developing this as a Google project anymore," said cryptography expert Matthew Green to Wired. "It’s definitely a bit of a disappointment, given how much hype Google generated around this project at one point, to see that they’re not pursuing this as a core feature of Gmail," Green says.

Making email encryption easy is hard

Google officially said that they had not abandoned their move towards encryption. However, they explained that developing easy email encryption is much harder than one might think.

It is difficult to make encrypted emails interoperable with different clients as well as to design the key exchange in an easy-to-use fashion. These issues are already known to any PGP user, and they didn't disappear when Google wanted to add a PGP-based plugin to Chrome.

Nevertheless, ending a project that would have brought end-to-end encrypted emails to Gmail users around the world shows where Google's real interests are: not in protecting their users' private data, but in harvesting it for their own benefit.

No automatic email encryption in Gmail

Google leaves the question of how to encrypt an email to the user. However, adding an option for email encryption to Gmail remains as complicated as with any other email service: Users need to enable PGP support in their email clients, must generate and manage their own keys, and must make sure that these keys are kept safe on their devices. Even then, mobile email encryption is basically impossible.

Google wants to leave the final decision about whether or not to make use of encryption to the user, but cryptography expert Matthew Green criticizes this harshly via Twitter, calling it a "self-serving decision":

Google in 2007: HTTPS? That should be the user's choice.

Google in 2017: End-to-end encryption? Really ought to be the user's choice.

The more people use email encryption, the better

We at Tutanota believe in our right to privacy and fight for it with automatic email encryption ourselves. If Gmail had adopted automatic end-to-end encryption for all, this would have made a huge difference to today's level of security online. It would have made the Internet so much more secure for millions of users and would have made illegal mass surveillance online impossible.

Unfortunately, Google's move to abandon E2EMail in 2017 has shown that we should not trust large organizations with our private information.

As Google has broken its promise to users once before, the likelihood that the new move to bring end-to-end encryption to Gmail will remain limited to paying business customers is rather high.

Maybe it was illusory from the start to believe that a company so focused on mining user data and posting targeted ads would suddenly start protecting its users' right to privacy with built-in end-to-end encryption in Gmail.

If we want to really protect our privacy, we have to take matters into our own hands. And this is exactly what we have been doing at Tutanota these past couple of years: Building easy-to-use end-to-end encrypted email, free for anyone. In Tutanota your entire mailbox is encrypted so that no-one - not even our developers - can read your personal emails.


If you want to take back your privacy completely, read our recommendations on how to leave Google behind and find out what makes Tutanota a true Gmail alternative.