Isn't this contrary to Google's goals as an advertising business? If people are using end-to-end encryption, they won't have cleartext emails to mine, &c. I need to wonder what the catch is, because there is definitely one: does Google own all the keys, or does Google secretly own all the keys?
What if there is no catch? Google's security team is apparently pissed off over the NSA revelations with regards to the infiltration of their infrastructure.
> does Google own all the keys, or does Google secretly own all the keys
The keys are generated by you, stored on your browser's localStorage, preferably encrypted (their words, not mine). Since it's open source and distributed by Google, I bet many eyeballs will look for bugs, much more than alternatives such as Mailvelope or WebPG. So, no, I don't think Google will ever have access to your private key through this mean.
My theory:
- We're talking about PGP. This will only impact geeks.
- Google prefers keeping the trust of said geeks by willingly revoking its capability to read their conversations. One of the primary support of Google success is said geeks, and it wants to keep it that way.
- PGP only encrypts the body of an email. The header (ie the metadata) is still here for Google to collect, in plaintext
It's not really possible to send encrypted messages to people who aren't already using OpenPGP, since you need to get their public key, before you can encrypt the message. You could presumably encrypt it with some symmetric cipher ahead of time, then send them the encrypted junk and say, "Send me a PGP key and I'll send you the passphrase for the message!", but I dunno that anyone's going to do that.
That said, pretty much every message I send to someone who doesn't have a key on the keyservers includes, "Hey, send me your PGP key, I don't do plaintext."
No, this is a very wise strategy that puts users' interests before short-sighted goals to increase revenue at all cost. Companies need to understand it, users' interest must come first, revenue will follow.
Why do people use webmail? Because it's convenient. If I use a client like Thunderbird and download all my emails then if I want to find one of them I have to search for it on the device that I downloaded it. Of course I could upload my emails on a server and access them from other devices but it's a hassle. Webmail solves this problem. Additionally, why competent, smart, technical people very often don't use digital signatures? Same as before plus if you want to use your emails in other devices you have to transfer your secret keys and remember their passphrases.
The transfer of the secret keys is what will keep the usage of this extension low. Therefore, Google succeeds in gaining more trust while offering something that you can already achieve on your own using other software like Thunderbird with the Enigmail extension. Also, note that even by using a digital signature you hide only the emails that you choose to send encrypted and those that you receive encrypted by the senders. I use digital signatures every day, I usually send and receive signed messages. However, the percentage of unencrypted messages in my inbox is probably more than 99%.
Google is not mining all networks for cleartext email. They are mining gmail which they have control of the "end". This is a huge advantage for Google as ISPs are starting to offer ability to advertise to end users by mining traffic.
"End-to-end" implies that Gmail won't be able to read your emails. That means that this software and Gmail, one of Google's largest products, are going to be competing. One of them needs to adapt or die: if this software isn't backdoored or vulnerable right now, it will either be shuttered, backdoored or made vulnerable in the future. (Certainly Gmail is of tangible, financial good to them: it's more likely for them to favor it over End-to-End, which is a non-profit and humanitarian effort.)
Heh, that's actually a neat idea. The profile of people which regularly send/receive encrypted email is basically geeks right now. Key off of the "-----BEGIN PGP ENCRYPTED MESSAGE-----" bit.
Yeah. Honestly, I think that if you know that someone encrypts their messages, you probably know a lot more about them then most other data points reveal.
It would also get Google a lot of street cred for being a privacy centric business.
My only problem is, I just don't see how you can scale the Chromebook software stack to a privacy centric business. I can't imagine trying to secure PGP keys on a Chromebook. But I haven't used one since the early beta models, so others may have more informed opinions,.
Sure using this will just send a bunch of gibberish to Gmail in the body such that Gmail won't be able to auto-scan for ad keywords to send to you. But this probably will be used by .000001% of Gmail users, so I doubt they are worried about this affecting their business in any meaningful way.
And, even among those people who do use it, a big percentage of their email will remain unencrypted. Transactional email like flight or hotel booking confirmations sent from the airline or hotel. I have to think that's the valuable stuff to Google in terms of selling ads, not the topics you would choose to encrypt.
So the downside to them is not that big. And it's offset by the upside of user trust and confidence being maintained, or at least eroding less.
The headers, subject line, recipients are not encrypted. There's probably enough info in the subject line and recipients and corpus of other recent subject lines sent among those recipients to still do a halfway decent job at targeting ads.
