The secret’s out: our inboxes are less private than many of us might assume.
The Wall Street Journal reported July 2 that Gmail does little to protect users’ information from third-party email software companies. If you’re using a non-Google app like Edison Mail to read your Gmail messages, for example, it’s likely that company can read your messages, too. People who use third-party add-ons within Gmail, like apps that sort your mail or let you know your message was opened, risk giving those third parties a window into their inboxes as well.
The July 2 report prompted a swift response from Google assuring users the company “continuously works to vet developers and their apps.” It also inspired a letter July 9 from the U.S. House of Representatives Committee on Energy and Commerce. The committee members demanded answers from Google: How many software developers can access our inboxes? Who are these developers? And what’s the process for getting Google’s approval to access user email?
But the deeper problem here is the email standard itself, which is what lets mail sent from one provider, like Gmail, land in an inbox hosted by Yahoo! or anyone else without major disruptions in formatting. Known as Simple Mail Transfer Protocol, or SMTP, and first published in 1982, the standard moves messages in plaintext by default; encryption between mail servers (STARTTLS) was bolted on years later as an optional extension, so a message is only as protected as the least careful server on its path. Part of why Gmail is so exposed is that email itself has no built-in confidentiality: nothing in the protocol hides a message’s contents from whoever runs the servers it passes through or rests on.
Email was never truly private in the first place
Encryption is what prevents prying eyes from snooping on your data. Most email traffic lacks this essential layer of protection from one end to the other.
“Email is generally unencrypted when you send an email from one server to another,” said Hao Dinh, an ex-Gmail engineer and current chief technology officer for the third-party email app Sparrow.
Dinh noted, however, that there is at least some protection when using email through a standard provider, like Google or Microsoft.
“When a message is in transit, your internet provider, like Comcast or AT&T, won’t be able to see the message,” Dinh said. “But, when it’s relayed through a third-party app, the third-party will have knowledge of the email’s contents.”
SMTP only moves a message from server to server. Once it is delivered, the message lives on the recipient’s email provider’s servers in a form the provider can read, so someone with bad intentions who gets into those servers, or into an account with mailbox permissions, can open it up and read it relatively easily. Storing the message encrypted under a key that only the user holds would take the provider, and anyone who breaks into the provider, out of the picture. Even if you use a service that does support end-to-end encryption, like MailFence or ProtonMail, the protection ends at the edge of that service: a message sent to a Gmail or other mainstream address is decrypted and stored in readable form on that provider’s servers.
“Gmail doesn’t support end-to-end encryption,” said Andy Yen, CEO of ProtonMail, an alternative email service that encrypts messages end-to-end.
If both parties are emailing via ProtonMail, the messages traded are protected throughout every step of the email-sending process. With ProtonMail, nobody can read messages being sent except for the parties who are communicating — not even Yen or his employees. While Google encrypts messages in transit, Yen’s service encrypts them both in transit and as they live on ProtonMail’s cloud.
“Everything we store, we can’t access without your permission,” Yen said. “When the message is sent to a regular Gmail or Yahoo account, that’s when it becomes unencrypted on those servers.”
According to Dinh, mainstream providers like Gmail do have encryption options of their own, but those can be a hassle: both parties in an email exchange have to set them up for the protection to work, and they may not be free.
“Mail encryption options like S/MIME and PGP exist, but it can require that the user pay for certificates,” Dinh said.
S/MIME lets a user both encrypt a message to its recipient and digitally sign it. Signing lets the recipient verify that the message really came from the address it claims to and was not altered along the way; encrypting keeps the contents from prying eyes, including the servers that relay and store it. Either way, the two sides need to have exchanged certificates first, which is why the protection does nothing unless the other party has set it up too.
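To make concrete what “encrypt and sign before it leaves your client” buys you, here is an added example in Go, not code from the article or from any of the products it mentions. It models the two points above in one program: a relaying server or a third-party inbox app sees only ciphertext (the stored-plaintext problem), and the recipient can verify who sent the message and that nobody altered it (the signing point). The `Envelope` structure, the field names and the `RelayCanRead` helper are hypothetical, chosen for illustration; real S/MIME and OpenPGP use different wire formats but the same hybrid design of a one-time symmetric key wrapped to the recipient’s public key plus a signature from the sender’s private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Envelope is what a relaying mail server, the receiving provider's storage and
// any third-party inbox app actually get to see: delivery metadata plus ciphertext.
// Illustrative structure only, not the real S/MIME or OpenPGP wire format.
type Envelope struct {
	From, To   string
	WrappedKey []byte // one-time AES key, encrypted to the recipient's RSA public key (OAEP)
	Nonce      []byte
	Ciphertext []byte // AES-GCM over the message body
	Signature  []byte // Ed25519 signature over From, To, Nonce and Ciphertext
}

// Keys is the long-term material each side must already hold before any of
// this works; that setup is the "both parties" cost the article describes.
type Keys struct {
	Enc *rsa.PrivateKey    // used by this party to decrypt mail sent to it
	Sig ed25519.PrivateKey // used by this party to sign mail it sends
}

func GenerateKeys() (*Keys, error) {
	enc, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	_, sig, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Keys{Enc: enc, Sig: sig}, nil
}

// signedData binds the addressing fields to the ciphertext so a relay cannot
// re-address or swap bodies without breaking the signature.
func signedData(e *Envelope) []byte {
	d := []byte(e.From + "\x00" + e.To + "\x00")
	d = append(d, e.Nonce...)
	return append(d, e.Ciphertext...)
}

// Seal is the sender's client: encrypt the body to the recipient, then sign.
func Seal(from, to, body string, recipientPub *rsa.PublicKey, senderSig ed25519.PrivateKey) (*Envelope, error) {
	key := make([]byte, 32) // fresh AES-256 key for this message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	e := &Envelope{From: from, To: to, WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, []byte(body), nil)}
	e.Signature = ed25519.Sign(senderSig, signedData(e))
	return e, nil
}

// Open is the recipient's client: check the signature first, then unwrap the key and decrypt.
func Open(e *Envelope, recipientEnc *rsa.PrivateKey, senderPub ed25519.PublicKey) (string, error) {
	if !ed25519.Verify(senderPub, signedData(e), e.Signature) {
		return "", errors.New("signature check failed: not from the claimed sender, or altered in transit")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientEnc, e.WrappedKey, nil)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RelayCanRead models the provider, or a third-party app with mailbox access,
// searching the stored message the way it could if the body were plaintext.
func RelayCanRead(e *Envelope, needle string) bool {
	return strings.Contains(string(e.Ciphertext), needle)
}

func main() {
	alice, _ := GenerateKeys()
	bob, _ := GenerateKeys()
	// Constructed sample message; nothing here comes from a real mailbox.
	env, _ := Seal("alice@example.com", "bob@example.com", "dinner at 8, reservation #4421",
		&bob.Enc.PublicKey, alice.Sig)
	fmt.Println("relay can read 'reservation':", RelayCanRead(env, "reservation"))
	body, err := Open(env, bob.Enc, alice.Sig.Public().(ed25519.PublicKey))
	fmt.Println(body, err)
}
```

The order inside `Open` matters: verify the signature before touching the ciphertext, so a forged or tampered message is rejected before any decryption work is done. Note also what the envelope does not hide: the `From` and `To` fields, and the fact that the two addresses corresponded at all, remain visible to every server on the path, which is exactly the metadata an email provider or add-on can still collect even when bodies are encrypted end to end.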
Email’s fundamental architecture is dated, but there are workarounds that allow for modern features. In April, Google devised a method of sending self-deleting emails. By clicking the lock and clock icon in their compose message window, Gmail users were able to email links that took recipients to a Google webpage, where they could view the message for a short period of time before Google revoked access.
To Gmail users, these temporary messages would look like regular emails, but with a time limit attached — one day, one week, one month, three months or five years. The email would continue to live on Google’s servers and in the user’s sent folder.
Email is partly to blame, but Google has little incentive to make email private
Not all of Gmail’s privacy woes can be blamed on outdated standards, however. According to Yen, some of the fault still rests with Google.
“Third-party applications are getting all the attention right now, but the core of the problem is Google’s business model,” Yen said. “The question of how do you keep your Gmail data secure and private is the wrong question to ask. Unless Google changes their business model, it’s impossible.”
Even though Google offers many of its products for free, the company earns money by selling advertisements. Ads shown to users are customized based on everything Google learns about them when they use Google Maps, YouTube and other services. The business model is a winning one: In the first three months of 2018, Google raked in over $26.6 billion in advertising revenue.
For years after Gmail launched in 2004, Google scanned users’ emails to determine which ads to show them. In June 2017, Google said it would no longer read users’ emails for advertising purposes. Google still scans your email for other reasons, though, like automatically adding a dinner reservation or flight to your calendar.
But Yen believes user data isn’t fully safe until Google finds a different way of making money altogether.
“Google can put safeguards in place to keep third-parties from gaining access to your data, but if it’s a question of keeping your data private, really nobody has more data on you than Google,” Yen said. “Google still retains a copy of your emails that they can read.”
Users hoping to add an extra layer of security to their messaging can use services built around end-to-end encryption by default, like ProtonMail for email or Signal for chat. Those who would rather hold onto their existing email address can roll up their sleeves and set up S/MIME with their account (Gmail supports it only for paid G Suite accounts, and the other party has to support it too). But until Google and other email providers pursue a more secure messaging standard, easy-to-use options are limited.