Experts ask Google to boost privacy

More than three dozen security and privacy advocates and researchers are asking Google to offer better data protection for users of Gmail and other Google apps and Google said on Tuesday that it is considering doing that, if it does not slow down the apps too much.

Users currently can set Gmail to encrypt their session data by default, to protect it from being sniffed over the network.

However, Google does not offer the ability to encrypt potentially sensitive data created in other Google apps such as Docs or Calendar by default, which means the communications could be stolen or snooped on by someone using a packet sniffer on public internet connections, such as open wireless networks, according to the letter addressed to Google chief executive Eric Schmidt and signed by 38 experts in the security industry.

Granted, users of other free email services, social networks, and many other sites are vulnerable to data theft and account hijacking, the letter notes. But Google is in a position to set a standard for others to follow, it says.

Google should enable HTTPS (Hypertext Transfer Protocol Secure), a technology used by banks and e-commerce sites, by default for Gmail, Docs and Calendar, or at least do more to educate users about the privacy risks and make it easy to turn on the HTTPS by default, the letter urges.

Not only do many people not understand the privacy risks in using unencrypted services, but they don't know they have the HTTPS default option, and finding the settings to change is not that easy, the letter says. Users can access Gmail, Docs, Calendar and other apps via HTTPS simply by changing the 'http://' in the URL address to 'https://', but many don't know about that option, either.

"As a market leader in providing cloud services, Google has an opportunity to engage in genuine privacy and security leadership, and to set a standard for the industry," the letter said. "If Google believes that encryption and protection from hackers is a choice that should be left up to users, the company must do a better job of informing them of the risks so that they are equipped to make this choice."

Some of the security experts endorsing the document include Bruce Schneier, chief security technology officer of BT Group; Peter Neumann, principal scientist at SRI International; encryption pioneer Ron Rivest of MIT; Steve Bellovin of Columbia University; Eugene Spafford at Purdue University; and Defcon founder Jeff Moss, who recently joined the US Homeland Security Advisory Council.

In response, Alma Whitten, a software engineer on Google's security and privacy teams, wrote in a blog post that Google has been looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.

"But we want to more completely understand the impact on people's experience, analyse the data, and make sure there are no negative effects," she wrote. "Ideally we'd like this to be on by default for all connections, and we're investigating the trade-offs, since there are some downsides to HTTPS — in some cases it makes certain actions slower."

Google is planning to test the use of HTTPS with "small samples of different types of Gmail users" to see whether it affects the performance of their email, the blog post said.

"Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users," the post says. "We're also considering how to make this work best for other apps including Google Docs and Google Calendar."

The letter addresses the performance trade-off argument, noting that Google seems to have solved the issue because it provides access to its advertising systems and several other services only via HTTPS sessions.

"Google's engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense — we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs and Calendar work equally well in order to enable encryption by default," the letter says.