Back in June this year, people perked up to the news that Google was developing an email encryption extension to Google Chrome. The alpha version of the “End-To-End” extension was posted publicly for the coding community to test and kick around, and David Whelan dropped the news here on Slaw in the course of a more general post about the importance of encryption and the risks lawyers take when they don’t properly safeguard client data.
Unlike data on your hard disk, data sent by email has always been prohibitively complicated to encrypt. The tools necessary to encrypt email from sender to recipient have long existed, but they required a lot of technical expertise to implement. Luckily—from the perspective of people who like a bit of convenience, even if they’re not terribly concerned about data privacy—a string of legal ethics opinions, including Formal Opinion No. 99-413 of the American Bar Association and the Law Society of BC’s April 1998 opinion on the transmission of confidential information over the internet, seemed to offer near-absolution to lawyers from concern over unencrypted email. These opinions, penned in the 1990s, likened sending unencrypted email to sending faxes and regular mail, from a technological and legal standpoint. Email in the 1990s was carried over hardlines, like telephone signals, and afforded as reasonable an expectation of privacy as any other commonly used mode of transmission. The Law Society of BC’s Ethics Committee wrote:
“E-mail on the Internet is transmitted over ordinary telephone lines and is, therefore, unlike cordless or cellular telephone messages, which are broadcast over the open airwaves. […] [A]lthough interception of e-mail on the Internet is possible, the chances of obtaining useful information from an e-mail interception are not significantly better than the chances of obtaining similar information from the interception of an ordinary land-line telephone call.”
Needless to say, the fact that iPhones and many laptops or other devices used for email lack hardline data jacks shows that many of the assumptions underpinning these opinions no longer hold up. The use of regular old email by lawyers to send confidential information back and forth, while common practice, is really more risky than it ever was, especially after Snowden’s revelations.
For these reasons, it was quite interesting to read Google’s announcement last week, and on TechCrunch, that “Google’s End-To-End Email Encryption Tool Gets Closer To Launch”. Google’s move to upload the codebase for the next version of End-To-End onto GitHub for hackers to try to break is a good signal. The first release of the code on Google’s own code repository resulted in payouts to hackers who found two security bugs. Now that this improved version has been released for testing, it’s a sign the extension is even closer to appearing in the Chrome Web Store.
The ongoing challenge appears to be encryption key distribution and management. Google says it won’t release a non-alpha version of the End-To-End extension until it has a solution it is content with. Apparently, Google is taking a slightly different approach than is conventional with public key encryption, by establishing an authoritative repository of everyone’s public keys. TechCrunch says:
“With its key server, Google is taking a more centralized approach. Users’ public keys will be automatically registered with the server and the directory will publish the key. When somebody then wants to send an encrypted email to another End-to-End user, the system will check the key directory for the right key and encrypt it. You can read more about the exact details for how this is going to work here, but the main point is that this should take away at least one layer of complexity.”
Also important to note is that this encryption will probably not be restricted to Gmail, since Yahoo! engineers have also contributed to the project.
The good news is that a much less complex encryption option should be available within 2015. To follow updates, you can check Google’s Online Security Blog: http://googleonlinesecurity.blogspot.ca
In the meantime, try and see if you can still get a dial-up service and landline internet, just to ensure compliance with our nearly sepia-toned legal ethics opinions relating to email.