The past year has seen a tremendous amount of change and turbulence in the security and privacy communities, much of it related to the NSA surveillance revelations. One of the things that has come out of all of the discussions and debates is a greater focus on the importance of encryption, especially encrypting email and other sensitive traffic while it’s traversing various networks.
As a result of the revelations that the NSA and other intelligence agencies have the ability to intercept communications in any number of ways, such as by tapping undersea cables or links between data centers, security and privacy advocates have been pressuring major Internet providers to encrypt the traffic on these critical links and expand their use of encryption in other areas, as well. Google, Yahoo and others have responded by starting or accelerating plans to encrypt the links between data centers, making life much more difficult for adversaries.
Google already was in the process of encrypting these links when the NSA revelations began to hit, and sped up those plans in the following months. Yahoo in April announced that it had encrypted the connections between its data centers, as well. What makes this change so important, especially for email, is that any one provider can only address this problem in a limited way, no matter how large its network is. If a Gmail user connects to Google’s servers over the default HTTPS connection, and then sends an email through Google’s encrypted network, the message is protected. Until the email leaves Google’s network, that is. From there, it’s a crapshoot.
There are still plenty of large email providers that don’t support TLS encryption across the board, meaning that even if Google and the Gmail user have done everything correctly, the message may still end up being sent in the clear once it leaves Google’s server. That’s sub-optimal if you’re trying to prevent the NSA or another adversary from getting easy access to the emails you’re sending.
But things are on the upswing.
In its new Gmail encryption transparency report, released Tuesday, Google has published data showing that on Jan. 1, 2014, just 33 percent of the emails leaving Gmail were encrypted. By the end of May, that number had climbed to 69 percent. For inbound mail, the change is nearly as profound, with encrypted email volume climbing from 30 percent on Jan. 1 to 56 percent on May 25. That’s a huge change in just six months.
And many of the larger email providers and senders in the U.S. are on the encryption bandwagon now, which is good news for users. Yahoo, Amazon, Twitter, Facebook and LinkedIn all are sending more than 90 percent of their email encrypted, according to Google’s numbers. On the outbound side, AOL, Craigslist, Hotmail, MSN, Yahoo and SBC all have better than 90 percent of their mail encrypted.
The work that Google, Yahoo and the other companies that now support TLS and deploy encryption on key services are doing is giving users better tools to protect themselves, even against sophisticated, well-positioned adversaries. There’s certainly still room for improvement, but the data is trending in the right direction.