Gmail encryption: Everything you need to know

This easy-to-follow guide will help you understand what's going on with Gmail encryption and what you can do to maximize your messaging privacy.

Email encryption  >  A key + a three-dimensional 'at' symbol bearing a series of locks.

Encryption may sound like a subject best left to hackers and tinfoil hat wearers, but don't be fooled: It's a critical part of contemporary life and something that's important for everyone, especially business users, to understand. And one of the places where encryption is most relevant and misunderstood is in the realm of email.

If you're using Gmail for electronic communication — be it for business purposes, for personal use, or some combination of the two — it's well worth your while to know how the service does and doesn't secure your information and what steps you can take to make sure you're getting the level of privacy you need.

Ready to dive in?

Gmail encryption: How Google protects most messages

Google's standard method of Gmail encryption is something called TLS, or Transport Layer Security. As long as the person with whom you're emailing is also using a mail service that also supports TLS — which most major mail providers do — all messages you send through Gmail will be encrypted in this manner.

What that basically means is that it'll be incredibly difficult for anyone to look at a message while it's en route from point A to point B. It doesn't, however, guarantee that the message will remain private or available only to the intended recipient once it reaches the destination mail server. Google itself, for instance, has the ability to see messages associated with your account, which is what allows the company to scan your email for potential spam and phishing attacks — and also to offer advanced features like Smart Reply, which suggests responses based on an email's contents.

(Google used to scan messages for ad targeting, too, but it stopped doing that in 2017. And if you'd rather not have those smart suggestion features in the picture, by the way, you can always turn them off in your account — though that won't have any direct effect on the Gmail encryption approach or when and how that extra layer of security is applied.)

If the person with whom you're corresponding is using a mail server that doesn't support TLS, meanwhile, messages won't be encrypted at all. With paid Google Workspace accounts, administrators can opt to allow only messages with TLS encryption to be sent or received — though that'd come with its own set of undesirable consequences, as you could imagine, in terms of having your outgoing messages bounce or having certain incoming messages never reach your inbox.

Gmail encryption: A next-level option

Beyond that basic form of encryption, Gmail supports an enhanced standard known as S/MIME — or Secure/Multipurpose Internet Mail Extensions (gesundheit!). It's available only for paid Google Workspace Suite accounts, so if you're using a regular free Gmail account, it doesn't apply to you.

For folks with enterprise-level Workspace setups, though, S/MIME (which may or may not have been invented by a mime) allows emails to be encrypted with user-specific keys so that they remain protected during delivery and can be decrypted only by the intended recipient.

Like TLS, S/MIME works only if both the sender and recipient are using a service that supports it — and, in an extra layer of complication, only if both parties have exchanged keys in advance so that the encryption can be properly configured. Like TLS, it also doesn't do anything to keep a message secured once it's reached its actual destination server (and so again, within Gmail, Google itself will be able to scan messages in its usual automated way).

Last but not least, S/MIME has to be enabled by a Workspace admin before it'll work.

Gmail encryption: End-to-end encryption

Google's been talking about adding end-to-end encryption into Gmail since 2014, but all of that talk hasn't amounted to much so far (and may not ever, according to some analyses). The only way to get that level of protection in Gmail right now is to rely on a third-party service such as FlowCrypt, which is available as a Chrome or Firefox extension on the desktop and also as its own standalone mail client for Android. (An iOS app is also available in a pre-release testing form.)

FlowCrypt adds a special "Encrypt and Send" button into your inbox interface, which allows you to send encrypted messages using the PGP (Pretty Good Privacy — yes, that's actually what it's called) standard. Your recipient will need to have FlowCrypt or another PGP system set up and will also need to have your personal PGP key in order to decrypt and view your messages. Alternatively, you can use the app or extension to encrypt a message with a password, which you'd then have to provide to the recipient in some way.

So, yeah: It isn't exactly simple, and the third-party add-on implementation isn't entirely ideal. But it can get the job done. And it's free — to a degree: If you want to unlock the service's full set of features and remove all of its restrictions, you'll have to pony up $5 a month for a premium subscription. Company plans are also available, with rates varying based on the total number of users involved.

Wait, what about Gmail's Confidential Mode?

Yeah, don't put much stock into that. Confidential Mode is a feature Google added into Gmail as part of its 2018 revamp of the service. The idea is that it lets you prevent someone from forwarding, copying, printing, and downloading anything you send 'em — and, if you want, it lets you set an expiration date after which your message will no longer be accessible. You can also create a passcode, delivered via email or text message, that's required in order to open the message.

That all sounds nice enough on the surface, but the problem is that it doesn't really do a heck of a lot when it comes to actual security. Messages still aren't encrypted in any end-to-end manner, meaning Google and other mail services are still able to view and store them. The "no forwarding, copying, printing, and downloading" bit doesn't mean much, either, since anyone can still take a screenshot of a message if they're so inclined. (Google has said the feature is less about that level of security and more about simply discouraging people from accidentally sharing sensitive info where they shouldn't.)

The same applies to the message expiration dates — as does the fact that an "expired" message continues to exist in your own Gmail Sent folder. All in all, Confidential Mode has the potential to be useful for what it is, but it doesn't involve encryption or any sort of meaningful, higher-level privacy. In fact, the Electronic Frontier Foundation has gone as far as to say the mode could create a false sense of security and discourage users from finding more serious solutions.

So what other options are there?

If native end-to-end encryption and the highest possible level of privacy is what you're after, your best bet is to look outside of Gmail and toward a standalone email app called ProtonMail. ProtonMail is among the best privacy and security apps on Android — and for good reason: It makes privacy a top priority in ways no form of standard Gmail encryption can match.

First, ProtonMail uses an open-source method of end-to-end encryption that ensures no one beyond your intended recipient — not even the folks at ProtonMail — can ever see your messages. Beyond that, the app doesn't require you to provide any personal information to use it, and the company maintains no records of IP addresses or anything else that could associate your identity with your account. Its servers are also hosted in Switzerland — in a "bunker 1000 meters under the Swiss alps," no less — which has its own apparent set of security benefits.

So here's how it works: When you sign up, ProtonMail gives you a custom email address at its domain. You can then use that address to send secure messages within the ProtonMail Android app, iOS app, or web interface. Whenever you email someone else with a ProtonMail address, encryption is automatic. If you email someone who isn't using ProtonMail, you can choose to send the message unencrypted — just like any regular ol' email — or you can click a button to create a password and a hint that the recipient will need in order to decrypt and read your message.

ProtonMail is free at its most basic level, which gives you a single ProtonMail address, 500MB of storage, and up to 150 messages per day. You can get more storage, more messages per day, and access to advanced features — such as email filters, an auto-responder system, and support for custom domains — starting at $48 a year

It isn't technically Gmail encryption, of course, but you can import your Gmail messages or set up Gmail to forward to ProtonMail — or just use ProtonMail as a supplement to Gmail for the times when you need the strongest possible level of protection. When privacy is a priority and you don't want to take any chances, it's an excellent option to have.

Sign up for my weekly newsletter to get more practical tips, personal recommendations, and plain-English perspective on the news that matters.

AI Newsletter

[Android Intelligence videos at Computerworld]

Copyright © 2020 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon