Is there something that I'm missing here? Google and Yahoo are developing an encryption mechanism which will prevent themselves from reading users emails? I thought that was part of their business..
That's right.Google and Yahoo won't be able to scan users' mail and deliver targeted ads anymore.
Encrypted email will also prevent Google and Yahoo from extracting insights about users and it's safe to assume the management at these companies are not particularly excited about the prospect of encrypted email.
I thought the idea was that they derive more insight from bulk or other commercial mail which will continue to remain unencrypted (maybe signed?) than from personal emails.
I imagine it is a hassle for Google to avoid ads in sensitive topics like "grandma fell from the roof" and "mr snugglepuff just got diagnosed with cancer". If person to person emails were encrypted, I'd think the emails from Target and Amazon would still not (is my argument flawed? It feels flawed but I can't put my finger on the flaw.)
Google could place ads based on what the user was typing prior to sending, or reading reading post decryption. It would be no more intrusive than any website knowing what users are doing whilst surfing.
>I imagine it is a hassle for Google to avoid ads in sensitive topics like "grandma fell from the roof" and "mr snugglepuff just got diagnosed with cancer".
Avoid them? They are their most profitable kind of ads...
That was also my thought all along while reading the article. They are pushing big on these personal assistants which will go completely blind with pgp. So it's like trusting an ad company to develop an ad blocker.
I think they talk more about encryption of the e-mails during transport. Keeping e-mails encrypted on a server is doable and not very hard (Protonmail does this for exaple), but encrypting e-mails while they're in transit and go through some possibly untrusted mailservers is more challenging, because it usually requires asymmetric encryption e.g. via PGP. This in turn requires that the sender has access to a valid and trustworthy PGP key for all recipients of the e-mail. Distribution of these keys must be based on some form of trust, which in itself can be challenging to establish (hence services like Keybase). Also, while good solutions exist for using PGP in web- or desktop mail clients, usability is still not very good especially for people that don't have a technical background (in my opinion). I use PGP-based e-mail encryption a lot at work and I can say that there are still a lot of things to improve here.
It's not just Google and Yahoo, it's the other email providers, i.e. Your employer.
It's pretty common for corporations to use their own root certificate so they can snoop your HTTPS, one would have to assume security officers wouldn't be really interested in individual employees encrypting their mail at the MUA and the company losing visibility on outbound messages.
The thing I never got though, is why signing messages never really caught on. You'd think banks and financial service providers would have an interest here. Maybe they don't want to deal with the support headache.
That one constantly perplexes me. The GPG signature, or X.509 even, means nothing in the message. But if you go to the trouble of putting it in there, then I can actually run checks.
Conversely....I can see the argument not to. Uploading 50,000 1-character name mismatch to bank encryption keys would definitely happen.
Employers that care about this will simply ban origination of E2E secure messages from their networks. Plenty of large companies already ban web mail providers entirely, for similar reasons. So this isn't much of a factor in adoption of encrypted mail.
Right but my point is, big corporations are actively opposed to E2E secure messages and that's a barrier to adoption.
Few if any big companies are going to be sending you GPG/PGP encrypted or signed email or be willfully receiving it. Take the Fortune 1000 off the list of potential secure email users and you've got a large portion of the professional class who won't know how to use this technology. I think that's a barrier to adoption.
If you don't trust your send gateway then you are without a doubt hosed anyway, as they can just strip your signature anyway (or, replace it with one linked to a key they generated in your name on the fly). Yes, if your correspondant is super on the ball and notices that you didn't sign/encrypt this specific message, maybe you win. But if I were a bad MITM I'd just put "Sent from my iPhone" at the bottom and there is the plausible explanation.
