Google has been advised to encrypt its web-based Gmail service by default. A group of internationally prominent Internet security and legal experts has told the company that this is the best way to mitigate privacy and security risks.
In response to the group's open letter to Google CEO Eric Schmidt, sent to the Washington Post, Google security blogger Alma Whitten said the company is considering whether it makes sense to turn on https for all Gmail users by default, given the potential to slow end-user interactions with the service.
The 37 signatories of the letter noted that using the secure protocol is an option for Gmail, Google Docs and Google Calendar, but have a problem with the way users are told about it. They said the notification was not prominent enough and that it doesn't adequately explain in layman's terms the importance of encryption.
The danger, the letter writers said, is "when a user composes email, documents, spreadsheets, presentations and calendar plans, this potentially sensitive content is transferred to Google's servers in the clear, allowing anyone with the right tools to steal that information." When public Internet connections are used, that creates a risk of data theft and snooping, they say.
The writers ask Google to do four things:
• Provide a checkbox on the Gmail, Google Docs and Google Calendar login page to opt for encryption with a clear label such as "protect all my data using encryption";
• Raise the "always use https" configuration option in Gmail higher on the settings page so it is more prominent;
• Rename the option so it is more clear to non-technical users; and
• Extend encryption to all three Google applications if it is chosen for one.
Whitten said in her blog that Google intended to turn on https by default "hopefully for all Gmail users," but with a broad caveat: "Unless there are negative effects on the user experience or it's otherwise impractical."
She also says in the blog that Google is considering the same default options for Google Docs and Google Calendar.
Google couldn't say when it might decide. "Unfortunately, I can't share any more specific information about timelines or our plans for individual products since our actions will be shaped by what our data shows," said a Google spokesman.
In their letter, the writers note that Microsoft Hotmail, Yahoo Mail, Facebook and MySpace don't even offer https as an option, let alone by default.
Among those who signed the letter are Steve Bellovin, a Columbia University computer science professor; Bruce Schneir, chief security technology officer for BT; Bart Jacobs, professor of computer security at Radbound University in the Netherlands; ethical hacker Robert "RSnake" Hansen, CEO of SecTheory; and Chris Hoofnagle, director of information privacy programs at the University of California, Berkeley, School of Law.
Google services are the subject of a complaint to the Federal Trade Commission as well.