Today, a six page letter was sent to Google’s CEO, Eric Schmidt, asking Google to honor the important privacy promises it has made to its customers and protect users’ communications from theft and snooping by enabling industry standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.
The open letter is signed by 38 researchers and academics in the fields of computer science, information security and privacy law — myself included. The letter was spearheaded by Christopher Soghoian, a computer researcher, programmer and privacy activist, and it has already received some press coverage at Wired and NY Times.
From the letter’s executive summary:
This six page letter to Google’s CEO, Eric Schmidt, is signed by 38 researchers and academics in the fields of computer science, information security and privacy law. Together, they ask Google to honor the important privacy promises it has made to its customers and protect users’ communications from theft and snooping by enabling industry standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.
Google already uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers’ login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.
Google supports HTTPS encryption for the entire Gmail, Docs or Calendar session. However, this is disabled by default, and the configuration option controlling this security mechanism is not easy to discover. Few users know the risks they face when logging into Google’s Web applications from an unsecured network, and Google’s existing efforts are little help.
Support for HTTPS is built into every Web browser and is widely used in the finance and health industries to protect consumers’ sensitive information. Google even uses HTTPS encryption, enabled by default, to protect customers using Google Voice, Health, AdSense and Adwords. Google should now extend this degree of protection to users of Gmail, Docs and Calendar.
Rather than forcing its customers to “opt-in” to adequate security, Google should make security and privacy the default.
HTTPS is commonly used by banks and e-commerce websites to protect sensitive user information in transit; it ensures that anyone “snooping” on the network cannot see your password or credit card information “in the clear”. While Google does use HTTPS when you log into your Gmail or Docs account, thereby protecting your password, the remainder of your activity in those applications occurs unencrypted, leaving everything you do and type susceptible to snooping. Google does allow users to turn on HTTPS for all of their activities, but the default setting is for less-secure processing, and Google does a poor job of promoting and explaining the benefits of using a secured connection (sound familiar?).
The letter asks the following of Google:
[R]ather than forcing users to “opt-in” to adequate security, we strongly urge you to make security and privacy the default setting, and allow informed users to “opt-out” of the encryption if they feel it is an unnecessary burden.
If Google insists on not enabling these encryption-based protective measures by default, the company should at least make the consequences of this decision more prominent, so that users make a fully informed choice. Few users know the risks they face when logging into Google’s Web applications from an unsecured network, and Google’s existing efforts are little help. We suggest that, at minimum, Google do four things:
- Place a link or checkbox on the login page for Gmail, Docs, and Calendar, that causes that session to be conducted entirely over HTTPS. This is similar to the “remember me on this computer” option already listed on various Google login pages. As an example, the text next to the option could read “protect all my data using encryption.”
- Increase visibility of the “always use https” configuration option in Gmail. It should not be the last option on the Settings page, and users should not need to scroll down to see it.
- Rename this option to increase clarity, and expand the accompanying description so that its importance and functionality is understandable to the average user.
- Make the “always use https” option universal, so that it applies to all of Google’s products. Gmail users who set this option should have their Docs and Calendar sessions equally protected.
Google has responded, acknowledging these concerns, but stating they “want to more completely understand the impact on people’s experience” before making HTTPS the default. Google seems most concerned about HTTPS’s impact on speed, asking rhetorically “Does it load fast enough? Is it responsive enough?”. These are loaded questions, since users typically don’t know what “enough” is, especially when they aren’t fully told the security risks of not using HTTPS.
We further address this issue of latency in the letter:
Once a user has loaded Google Mail or Docs in their browser, performance does not depend upon a low latency Internet connection. The user’s interactions with Google’s applications typically do not depend on an immediate response from Google’s servers. This separation of the application from the Internet connection enables Google to offer ‘offline’ versions of its most popular Web applications.
Even when low latency is important, financial firms such as Bank of America and American Express have demonstrated how to provide users with a pleasant, low-latency browsing experience, while still implementing strong encryption by default. Likewise, Adobe’s cloud-based Photoshop Express lets users interactively edit images via a Web application that is 100% encrypted by default.
Other Google applications demonstrate that security need not come at the cost of performance. Google’s Health service enables users to browse through and manage their private health information online. Google’s Voice service lets customers initiate VOIP phone calls, send text messages, and manage voicemail inboxes. However, unlike with its Gmail, Docs, and Calendar products, Google only provides access to Health and Voice via HTTPS encrypted communications sessions, recognizing the highly sensitive health and call record information users entrust to Google. Likewise, Google’s AdWords and AdSense products, which are the backbone of Google’s advertising business, can only be managed by customers using a secure HTTPS connection.
Google’s engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense – we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs, and Calendar work equally well in order to enable encryption by default.
I hope Google does the right thing and puts the privacy and security of its customers first by making the changes described in this important letter.