Google tries to NSA-proof Gmail

March 21, 2014: 9:05 AM ET
Gmail now encrypts all data moving between you, Google's servers and the person receiving your message.
NEW YORK (CNNMoney)

Google just beefed up the security of Gmail to make mass surveillance of its customers' email nearly impossible. It's not quite NSA-proof, but it's close.

To accomplish the feat, Google (GOOG) secured how you connect to its servers. Gmail is now strictly using a secure communications protocol called HTTPS, which encrypts your email on its entire journey: from your computer to Google, between Google's servers, and from Google to the person receiving your email.

In a blog post Thursday, top Gmail security engineer Nicolas Lidzborski said the increased security was in response to disclosures about government surveillance made by former NSA contractor Edward Snowden.

"This ensures that your messages are safe ... something we made a top priority after last summer's revelations," Lidzborski wrote.

Google is trying to limit the abilities of the U.S. government's secretive PRISM program, which can spy on citizens' communications. The NSA declined to comment for this story.

As the New York Times explained last year, government spies have been tapping the fiber-optic cables between big tech companies' data centers. Data typically travels unencrypted between giant computer server farms, allowing for easy interception.

But by encrypting the flow of data between company servers, Google has made that kind of mass collection technologically unfeasible.

"That should be effective," said Mikko Hypponen, a top security researcher in Finland. "By protecting the connection between you and Google servers, they protect you against tons of attackers."

Hypponen explained that the HTTPS encryption method is essentially uncrackable at the moment.

That doesn't stop the federal government from eventually worming its way into your personal data, though. The FBI could still send Google a National Security Letter demanding client records -- something it does all the time. In 2012 alone, Google received Foreign Intelligence Surveillance Act requests on the content of 20,000 to 22,000 users' communications.

Google is taking the kind of approach to combating surveillance that top privacy researchers advocate: Make mass collection unfeasible by making it more difficult and more expensive to accomplish.

"I wouldn't call it NSA-proofing," said Eugene H. Spafford, a computer science professor at Purdue University. "But they're doing something reasonable to protect against that and any other similar kind of eavesdropping."

That includes hackers who routinely spy on unsecured Internet connections, including hackers who lurk on public Wi-Fi connections and employers that snoop on workers in the office.

Privacy experts say Google's encryption is long overdue.

"This is something they could have done years ago," Spafford said. "It was a known problem with known solution. They and others have been very slow to adopt it."

The solution also only works if the email stays within Google's walls. The fix won't work if a Gmail user emails someone with a Microsoft (MSFT) or Yahoo (YHOO) account, because those companies don't yet support encryption between email providers, according to Christopher Soghoian, principal technologist for the American Civil Liberties Union.

Why haven't they made the change yet?

"Because they're lazy," Soghoian said. "It takes engineers. And these are not features that are salient to regular users. Companies prioritize features that users notice."

In November, Yahoo CEO Marissa Mayer said her company is working on encrypting information that moves between Yahoo servers and its users. She made no mention of that working with outside email providers. But Microsoft is working on all of the above, according to a December blog post from its top attorney, Brad Smith.

