Gmail Encryption and Confidentiality

How does Google secure your data and ensure its confidentiality?

1. The Google Cloud Platform encrypts data at rest on their servers. That means that your stuff, while it sits idle on the cloud platform, is wrapped in encryption. This is done without your intervention. The Google Cloud Platform even allows users to declare their own cryptographic keys if desired for extra layers of security.

2. Google Data is distributed and wrapped in key-chunks throughout their data centers. That means your stuff is broken into pieces - so not all of your eggs are in one basket. Your data is spread among data centers to provide extra redundancy, security, and disaster recovery, and encrypted using Google's Key Management Service. This is also done without your intervention.

3. Data is encrypted at the storage level using AES128 or AES256 encryption. This is a bit nuanced, but let's say that Google's physical hardware is also set to use encryption.

4. Google uses Perfect Forward Secrecy (PFS) with it's API's. Data that travels between their services is encrypted. It also uses Keyczar to implement encryption of your data between all of their products.

5. Google employs TLS/SSL security in transit. While your data is on the move between their servers and your device it is encrypted.

6. Gmail's web interface forces all client connections to use HTTPS (RSA/SSL) encryption and has done so since 2014. While you're using Gmail on the web, your session is secure.

7. Gmail has client-side controls within the web interface to notify the user of security failures or questions.  While you're using Gmail, it informs the user if there are questionable aspects of the sender that could put you at risk.

8. Google is actively attempting to depreciate legacy mail clients that use older forms of email challenge/verification. Google refers to these mail solutions as "less secure clients" and the user must flip a switch for them to be used. This often forces the user to upgrade their mail client software to versions that support more modern and secure access tokens.

Now, all of this is well and good but it's not the end of the conversation. Your data may be encrypted at rest and in transit with Google, but is it confidential?

1. If you own a non-commercial Gmail account, you have no promise of confidentiality. That is because the service is offered in exchange for Google being able to read your email and market services to you. This aspect of Gmail would fail all best practice confidentiality requirements as Google expressly says in its EULA that the data is theirs and can be used to "token and stem" - a big-data practice of creating logical relationships between ideas - as to market to you. That's why it's free.

2. If you own a commercial Gmail account - if you pay for G-Suite - you are a commercial subscriber to the Google Cloud Platform. The EULA there says that Google does not read your data and Google considers it a private, sealed container. It's your data.

3. Caveat: both the non-commercial and commercial aspects of the Google Cloud Platform are subject to US Law and Regulation. That is, if Google receives a warrant to access data under your account, they will work with federal officials to retrieve that data and surrender it to authorities. This aspect of Google's operations - for some - presents a hazard that has folks turning to Proton Mail, for example: a free encrypted mail service that is presumed outside US jurisdiction, or, Signal, from Open Whisper Systems, an encrypted messaging platform.

Okay, but I use a thick mail client like Apple Mail or MsOutlook or Thunderbird. What about the security of my client software, o/s, or hardware platform?

This isn't recommended. Using a thick mail client makes you responsible for the care-taking of your data and some aspects of filtration (spam filters, AV filters, keyword and black list filters, etc). Even using G-Suite which centralizes some of this management.

Still, if you don't use the web for accessing email and insist on using a thick mail client:

1. Once the data is delivered to a software mail client (e.g., Apple Mail, MsOutlook, Eudora, etc.), it is up to the client to secure the messages. Example: if your Windows laptop was stollen, the data stored in MsOutlook's PST file is an open container - it is not encrypted unless you encrypt it - and is therefore vulnerable. You must take steps to encrypt that data.

2. The platform must provide encryption. At the o/s and hardware level, there are tools to encrypt the contents of your drive. You must take steps to encrypt the drive system (enable Filevault 2 on a Mac, or, Bitlocker on a PC).

3. You may not think the o/s level encryption is good enough, so you may be convinced to implement your own hardware level encryption. That's something you'd have to do, too.

4. Some iOS platforms are secured through hardware-level encryption; some are not. Generally, receiving mail to Apple Mail on an iPhone 6 or iPhone 7 is secure. Android phones must be specifically configured to provide o/s layer security; each vendor has their own policy on hardware level encryption, and that's variable based on product.

Best Practice:

Are you concerned about the best way to keep your data secure on Gmail/G-Suite?

1. Follow my list of advice on how to Avoid Gmail Hacks.

2. Don't use a thick mail client. Stick to using the web interface.

3. Avoid using Microsoft Windows computing platforms. Using a ChromeBox, Linux machine, or Apple product is far superior in terms of o/s security.

4. Use the latest iOS and Apple devices for the best security possible.

5. Avoid using unaltered Android platforms. Have a professional help you configure Android to be secure; and/or purchase specific OEM products like Google's Pixel or the Blackphone from Silent Circle to make it secure.

6. If you're concerned about HIPAA, only the G-Suite product can offer a Business Associate Agreement (BAA) for protecting that data, and there are specific restrictions over Google's service offerings. Not all data on the Google Cloud Platform is considered compliant. Careful.

7. If you're concerned about FERPA or COPPA, G-Suite for Education is compliant there. PCI-DSS 3.0 compliance is also a feature of the Google Cloud Platform.

And finally, how do you know that Google is actually doing what they're promising? Like, how can you trust Google?

Don't take my word for it: Google is audited annually to specific information system standards. Independent agencies routinely compare what Google says to what Google does. Still, Google isn't perfect - in 2015, the EFF rated Google poorly on being transparent with publishing government requests and data access. We hope that Google will make progress there.

There we go. A reasonable accounting of how well your data is secured and confidentiality managed on the Google (G-Suite) Cloud Platform. Questions?

R