Washington, DC, August 12, 2014 --  

Big businesses are teaming up to protect citizens from the tyranny of big government.

A Silicon Valley revolt against National Security Agency snooping gained momentum last week, when Yahoo announced plans to join Google in an effort to create a mail system with end-to-end encryption.¹ The new system would make it impossible for the NSA and other government authorities to demand that service providers turn over data. Providers would never possess the messages in unencrypted form, nor would they possess they keys needed to decrypt them.

Yahoo's decision is critical because it ensures that the new system will not be limited to one mail provider. Mail encryption is unworkable unless both sender and receiver use the same system, so for widespread use, Google needs to recruit Apple and Microsoft into the effort as well.

End to end encryption is a radical change from the web-based email systems pioneered by Yahoo and Gmail. Instead of storing messages online as plain text, messages are encrypted on the user's laptop or mobile phone, and only transferred to or stored on the server as encrypted gibberish. Powerful agencies like the NSA can still use brute force to crack encryption, but it is so expensive and time consuming that it is not possible to do on a widespread basis.

A similar end-to-end mail encryption system called Lavabit was used by Edward Snowden. That service was shuttered by its founder earlier this year rather than comply with a secret American court order to turn over all its encryption keys to the government.² Google and Yahoo's new system would avoid that fate by refusing to store customers encryption keys, leaving them stored on users' own laptops and mobile devices. This would allow the companies to honestly say they have no way of giving the government access to user communications.

This differentiator offers serious privacy protection, but also creates serious problems. The technology on which the system is based, public key cryptography and the Pretty Good Privacy (PGP) program, has been around for over two decades. Considered revolutionary in the early dot com days, it never took off because it was so hard to use. Even if Google successfully lowers the barrier to entry by simplifying the complexities for users, it can't change the fact that users must keep track of their own keys, and losing them means losing access to their email forever.

What's more, Google must recruit enough people to sign up for the encrypted system, even though (at first anyway) it will be nearly useless because there will be almost nobody on the other end to receive encrypted messages. Without a critical mass of users, the system will be limited to dissidents, whistleblowers, journalists and the like. If put to such limited use, it would hardly be a widespread challenge to the NSA.

Like any security system, end-to-end encryption is only as strong as its weakest link. The keys stored on users' individual computers and mobile devices will be vulnerable to old-fashioned hacking techniques with viruses and malware. And by design, the subject line, sender, recipient, and timestamp will still be sent unencrypted, allowing spy agencies to continue collecting metadata.

And because mail on the server is encrypted, searching for mail must be done only on your computer (like back in 1995), and Google's context-driven ads will no longer allow looking at the mail content.

Even with these limitations, the system would be far preferable and more secure than what we have today. Can Google make it easy enough for widespread use? Will other mail providers other than Yahoo and Gmail join the effort?

The answers to these questions may be decisive for the future of internet freedom. Governments have proven incapable of respecting the liberties of the public. It is a sad state of affairs when citizens must look to big business to protected them from government and not the other way around.

Notes:

1. Daily Tech, Google, Yahoo Working Together on Encrypted Email Tool, August 8, 2014

2. The Guardian, Secrets, Lies and Snowden's Email: Why I was Forced to Shut Down Lavabit, May 20, 2014