Google urged to beef up Gmail security

Google is weighing whether to encrypt its Web-based Gmail service by default, as suggested by a group of internationally prominent Internet security and legal experts as a way to mitigate privacy and security risks.

In response to the open letter to Google CEO Eric Schmidt, Google security blogger Alma Whitten says the company is considering whether it makes sense to turn on https for all Gmail users by default, given the potential to slow end-user interactions with the service.

The 37 cosigners of the letter note that using the secure protocol is an option for Gmail, Google Docs and Google Calendar, but have a problem with the way users are told about it. They say the notification is not prominent enough and that it doesn’t adequately explain in layman’s terms the importance of encryption.

The danger, the letter writers say, is “when a user composes email, documents, spreadsheets, presentations and calendar plans, this potentially sensitive content is transferred to Google’s servers in the clear, allowing anyone with the right tools to steal that information.” When public Internet connections are used, that creates a risk of data theft and snooping, they say.

The writers ask Google to do four things:

•  Provide a checkbox on the Gmail, Google Docs and Google Calendar login page to opt for encryption with a clear label such as “protect all my data using encryption”;
•  Raise the “always use https” configuration option in Gmail higher on the settings page so it is more prominent;
•  Rename the option so it is more clear to non-technical users; and
•  Extend encryption to all three Google applications if it is chosen for one.

Whitten says in her blog that Google intends to turn on https by default “hopefully for all Gmail users,” but with a broad caveat: “Unless there are negative effects on the user experience or it’s otherwise impractical.”

She also says in the blog that Google is considering the same default options for Google Docs and Google Calendar.

Google can’t say when it might decide. “Unfortunately, I can't share any more specific information about timelines or our plans for individual products since our actions will be shaped by what our data shows,” a Google spokesperson said in an e-mail response.

In their letter, the writers note that Microsoft Hotmail, Yahoo Mail, Facebook and MySpace don’t even offer https as an option, let alone by default.

Among those who signed the letter are Steve Bellovin, a Columbia University computer science professor; Bruce Schneir, chief security technology officer for BT; Bart Jacobs, professor of computer security at Radbound University in the Netherlands; ethical hacker Robert “RSnake” Hansen, CEO of SecTheory; and Chris Hoofnagle, director of information privacy programs at the University of California, Berkeley, School of Law.

Google services are the subject of a complaint to the Federal Trade Commission as well.