Is Gmail encryption enough to protect your emails?

Anton P. | July 21, 2020

Gmail encryption stands between hackers and your email messages. Even if you engage in such exchanges only occasionally, you should know how Gmail handles them. Data transfers and communications via emailing platforms usually contain sensitive information. Hence, Gmail encryption should be up to the challenge to satisfy clients with its security standards. Let’s give you a tour of the path that your emails take before reaching recipients.

How does Gmail encryption work?

Gmail encryption relies on the TLS (Transport Layer Security) protocol. While in transit, the messages traveling from senders to recipients are very unlikely to be compromised. As long as both parties use an emailing service that supports TLS, the exchange is safe.

However, once the email ends up in your inbox, its default protection is debatable. Gmail encryption is solely for securing online correspondence until it reaches its destination. After a successful journey, the TLS encryption no longer applies. Hence, Google itself recommends users to apply another layer of encryption, specifically Pretty Good Privacy (PGP). If used correctly, PGP will encrypt all the content stored on Gmail’s server and prevent external sources from accessing it.

Gmail and its intrusive strategies towards users

So, the default Gmail encryption protects your emails before they reach recipients. However, once the email arrives at the inbox, a third entity can legitimately join the conversation: Gmail itself. This strategy is a part of the long-term plan to battle terrorism and exchanges of harmful or inappropriate content. Additionally, it is for supplying additional features on Gmail. For instance, Smart Reply suggests possible answers to the emails you get. Without reading their content, Gmail would not have the ability to craft such a quick response mechanism.

However, the fact that Google gets access to all content associated with your account is not a celebration for digital privacy advocates. Physical security is usually the promise to get people to board the tracking train. A little-known fact is that Gmail encryption does not apply to the drafts you save as well. As a result, Google has access to this content. The tech giant started to run a tighter shift after terrorists used a shared Gmail account to communicate via drafts.

Improve Gmail encryption with S/MIME encryption

Gmail encryption creates a relatively safe environment, but more long-term protection is up to users. For G Suite Enterprise and G Suite Education accounts, Google offers S/MIME (Secure/Multipurpose Internet Mail Extensions). However, if you use the free Gmail account, these extensions are not available.

If you fit the criteria, you can enable S/MIME extensions after the G Suite administrator validates its use. In general, extensions use a combination of user-specific keys to initiate Gmail encryption that only communicating parties can decrypt. However, this premium protection only deals with email protection in transit. Once again, Gmail encryption does not use any additional measures to safeguard email correspondence after it reaches inboxes. Even if you are qualified to use premium Gmail encryption, this option won’t be enough.

Using third-party add-ons

You have the right to apply additional protection to prevent Google or other third parties from reading your communications. Here are the effective and industry-standard plugins for enhancing Gmail encryption:

FlowCrypt. This desktop extension is the industry-standard for encrypting emails stored in your Gmail account. FlowCrypt is available to Chrome and Firefox users, but you can also test the Android app beta version. Recipients of such PGP-encrypted correspondence need the same plugin or an emailing platform that supports PGP. Furthermore, senders will need to share personal PGP keys so that recipients can decrypt emails. While not exactly simple, it will get the job done: your emails will be private.
Mailvelope. This extension works on Chrome, Firefox, and Edge. Upon installation, you will need to create a PGP key for private email communication. Once you complete the necessary configurations, you will see the Mailvelope icon every time you compose an email. However, the recipient also needs to use the Mailvelope extension to open sealed messages.
InfoEncrypt. This online tool is different from FlowCrypt and Mailvelope. In this case, you do not need to download any additional tools. Instead, you can encrypt messages and set passwords for their decryption via your browser. When you need to send a confidential message once or twice, InfoEncrypt is a convenient tool. However, it might get annoying in the long-run, as you need to encrypt/decrypt messages outside your account.

More options for you

Common misconception: Confidential Mode. As a standalone feature, it can give a helpful privacy boost. However, it won’t influence the standard Gmail encryption. Confidential Mode allows you to set expiration dates for emails, prevent users from copying, printing, or downloading received content. Hence, it offers features useful in specific situations: just not for enhancing Gmail encryption.
Choosing another email service provider. If Gmail encryption does not satisfy you, you can use a different emailing platform. Google has an ill-famed reputation when it comes to users’ privacy. Knowing that the season to harvest data never ends, you are welcome to consider a less intrusive alternative. While free options are unlikely to surpass Gmail, you can consider paid ones if privacy is your top priority.
Protection beyond emails. To protect your digital identity and assets, you should employ industry-standard security practices. While Gmail encryption scrambles messages until they reach final destinations, some services can be even more negligent. With a VPN (Virtual Private Network), most of your online activities will be immune to attempts to steal or alter exchanged data. So, in addition to revamping Gmail encryption, consider protecting all your online pursuits.