Google rolls out client-side encryption for Gmail and Calendar

Additional security for business users


Meanwhile, Tutanota vows it will not weaken its email encryption for the UK

Google has announced the rollout of client-side encryption for business users of Gmail and Calendar. Client-side encryption means messages are encrypted by the sender's device with keys managed by a third-party provider rather than by Google.

The service, which was previewed in beta last year, is only available to business users with Workspace Enterprise Plus, Education Standard or Education Plus accounts. There is no word about it being offered to personal users.

Google already offers client-side encryption for services including the Workspace versions of Meet, Drive and Docs.

Client side encryption, as offered by Google, differs from end-to-end encryption (E2EE) as provided by email services like Protonmail and Tutanota and PGP add-ons to other email services, and by messaging services such as Signal and WhatsApp.

With E2EE, encryption and decryption keys are held only on the sender's and receiver's devices, meaning only the sender and receiver can view a message.

With Google's client side encryption, keys are managed by a Google partner rather than by Google itself, which may be important for compliance. Client side encryption thus provides an additional layer of security for sensitive messages, since Google employees cannot access emails, and system admins also have control over the issuing and revoking of keys.

Tutanota says it won't walk from the UK if backdoors mandated

End-to-end encryption is back in the public eye after US-based Signal said this week that it would leave the UK rather than comply with any order to weaken its E2EE. Privacy campaigners worry that the Online Safety Bill could require that the content of private messages be open to automated scanning.

In November, several security experts and human rights groups wrote an open letter to the prime minister saying that weakening encryption would erode privacy and reduce internet safety for UK citizens and businesses, including the very groups that the Online Safety Bill seeks to protect.

Tutanota, which is based in Germany, has said it would stay put in the UK but would refuse to comply with any such order.

"We will not 'walk' from the UK," said CEO Matthias Pau in a blog post. "If prime minister Rishi Sunak and his government want to stop people in the UK to use strong encryption - like provided by our secure email service Tutanota - he must block access to Tutanota - just like Russia and Iran are already doing."

As security experts have frequently pointed out over the decades since PGP encryption became public, there's no such thing as a backdoor that only law enforcement can use. This is of increasing concern as state-sponsored hackers seek to extend their reach.

"The question with backdoors is not just 'will they help to catch criminals?'. The question we must look at very carefully is also 'will they help criminals?'," Pau wrote.