Given most users' utter ignorance about any technical matter (a consequence of the intellectual laziness our age promotes IMHO), I think the only useful way to ensure this is to make it the default in any e-mail client. But this is still only half the way uphill -- it also means storage should also be secure, including remote ones like Gmail, or that users should become educated enough to stop using services that aren't.

The first one is unlikely to happen IMHO, as it would mean companies that depend on mining your e-mail, like Google, would basically have to stop doing it. The other one is even more unlikely to happen as it would require people to actually invest time in using computers, something which our society has constantly brainwashed to think they shouldn't do -- everything should be plug'n'play and trivial and just work out of the box. Heaven forbid you'd actually have to understand the whys and the hows.

Now that our decades-long dream of seeing everyone having access to a computer and to a vast network of information has finally come true, it doesn't look like such a beautiful dream anymore...

Caveat: I am no expert whatsoever in crypto/CS so understand this is almost certainly non-workable for some reason (which is what I'm trying to understand). Why couldn't Google hash every word in an email and store the list of hashes alongside the encrypted version. Then when you search for something, the search terms are hashed as well and the service searches for the hashed search terms amongst the lists of hashes.

Edit: Thanks everyone!

I agree.

> But this is still only half the way uphill -- it also means storage should also be secure

That would be ideal. But even without that, something useful has been done since it is practical for the NSA/GCHQ to read all internet traffic, it is not pratical fro them to burgle everyone's house.

If PCs come with encryption as standard, it needs to be a steganographic file system, with multiple keys revealing different sets of files and with the number of possible keys being very large. Otherwise, an adversary could simply use rubber hose techniques to get the information.

> including remote ones like Gmail

Gmail represents a single point of failure and is thus always going to be attractive to an adversary. Anything stored unencrypted on gmail, Google Drive, or equivalent -- one should assume the NSA can read it.

> The first one is unlikely to happen IMHO, as it would mean companies that depend on mining your e-mail, like Google, would basically have to stop doing it.

You're right in that gmail's business model is basically anti-privacy. We need to convince people to use local email software not store their email on a remote website (such as gmail).

> The other one is even more unlikely to happen as it would require people to actually invest time in using computers

You're right, because it's impossible to have a zero-user interface filesystem encryption (since people need to type in their password).

> something which our society has constantly brainwashed to think they shouldn't do -- everything should be plug'n'play and trivial and just work out of the box.

There's certainly an element of truth to this.

> Now that our decades-long dream of seeing everyone having access to a computer and to a vast network of information has finally come true, it doesn't look like such a beautiful dream anymore...

Computers can be the biggest tool for freedom and empowerment ever invented, or the biggest tool for coercion and oppression. I believe this will be one of the biggest political issues of our times.

What, Gmail? Yahoo? They exist only because they can read your plain-text email and serve ads against it. Most people get their email through free webmail providers, who have every reason not to make encryption easy.

This is what we do. We use Google Apps so we used a combination of existing policy, crypto and user awareness. It's not the use of email that's an issue, it's the how the data is stored. If it's encrypted with good crypto it's not a problem. If it's encrypted with bad crypto or no crypto then the extent of the problem is down to the data.

As an aside, while you would want to encrypt anything sensitive, that doesn't mean you need to encrypt everything - it certainly makes conversations over smartphones more difficult, and google chats wouldn't be encrypted.

Still, a little common sense goes a long way.

It won't count for anything if the emails your server is sending/receiving are not encrypted, which exactly is what Google is advocating. I don't understand GP's smug rejoinder, as if encrypting emails in transit is a bad thing.

Well, since everybody is using Gmail or Office365 anyway, encrypted email is kind of pointless, no?

How would it ever be auditable or verifiable? You're talking about secret source code running in private data centers on inaccessible hardware. If you need auditability or verifiability, you cannot rely on GMail or any similar service.

> Our electronic devices and systems have far more information, in far more detail, on far more people, available at far higher rates, and for the most part, can be tapped with absolutely no awareness by the subject of the information revealed.

I'm not dismissive of that concern but I fail to see its relevance to the question of whether Google should add another key to everyone's account. You don't solve this problem by encrypting your mail unless you stop sending your mail through Google. In fact you don't even solve it that way because such a huge chunk of mail you send/receive will flow through Google anyway. You cannot solve the trust problem by adding another unverifiable layer of encryption. If you don't trust Google now, that shouldn't change if they tell you that they started encrypting with your public key at rest.

> An "entire mailbox" is only a few hundreds of MB or GB, and arrives incrementally....Storage itself is not a limitation.

I disagree. I'm using ~10 GB of storage for Gmail. I don't want that space used for mail on my phone. Or my laptop for that matter, which has only ~36GB free at this point. I can't stick an SD card in my phone and if I could I wouldn't because it's slow.

> Unencrypted email can be indexed, the indexes encrypted, and transmitted to the client device.

It really can't. If the index is encrypted, then it can't be updated with new entries. So the best you can do is generate an inverted index per email and send that to the client to combine into a real index. But at that point, don't even bother because the client can probably index each email locally more cheaply than it can stream it from the server.

Given that most people are now using web clients, pushing indexing responsibility onto the client isn't remotely feasible. Imagine you log in from a new browser and GMail tries to push GBs into your localstorage and then your browser churns for hours trying to build the index.

> I'm not saying that the technical considerations here are simple, but the costs of failing to address them, quite literally the future of liberal democracy, are too high to not do so.

I think that's overstating it, mostly because adding a second key does not eliminate the social engineering weakness (maybe it's reduced). But also because I don't think leaked emails constitute the end of democracy.

  > if a decent looking/working e-mail client with end
  > to end encryption appears this year, I'll move to it
  > almost immediately.

  > So if Google wants to keep me as a Gmail users,
  > they'd better enable the DarkMail protocol [1]
  > or something similar in their e-mail client.

  > As soon as TextSecure is fully cross-platform,
  > I'm switching completely to it.

[1] https://github.com/WhisperSystems/TextSecure/wiki/Protocol [2] https://github.com/WhisperSystems/TextSecure/wiki/Using-Text...

Doesn't Protonmail decrypt at the server? That is, can't Protonmail read your encrypted messages? And don't they have form for grassing people up?

I'm not sure about those two claims. But that's the point - it's difficult for even a techie to use crypto(graphy) safely. If you want to use it as an impediment to snoopers, or as some kind of statement, cool. But if you let the server decrypt your messages, you aren't really safe.

Signal disloses your phone number.

I think I understand the limitations of PGP/GPG; I'd use that, if my correspondents had ever heard of it (and if I were sure that they weren't going to forward/reply-to my messages in plain, or store the plaintext on some Google server). But at the moment, the state of end-user encrypted messaging software doesn't look very safe to me. What I would like to see is an end-to-end scheme that can't be used unsafely, even if the user is an idiot, and that is used more-or-less universally.

Otherwise I'm reluctant to SHOUT my secrets over the internet.

Last time I looked, Gmail or equivalent products didn't allow you to easily end-to-end encrypt your messages without any additional effort.

How exactly is it ridiculous? I understand that email leaks metadata like a sieve, but the contents of emails can still be secured via encryption.

> (and ProtonMail's business model is effectively built on a marketing lie/false advertising),

No arguments here. They provide a web app to encrypt your emails, making the user trust the server for "end-to-end" encryption, this rendering it useless.

I'm not optimistic. We still have an Internet on which it's basically impossible for a non-expert user to reliably send or read encrypted email.

This sentence implies to me that under the current system, sites need cryptography, because sending login information in plaintext is not secure enough.

...and that the solution is to use email, because we already treat it as if it's secure.

...even though it sends the data in plaintext.

Okay, so most end-users probably accesses their email via https these days, but it's a (potentially) long journey from the website to the email provider's server.

Is any of that server-to-server journey ever encrypted? I'm no expert, but my impression has always been that it's not.

I work in the defence industry. All attachments must be encrypted. Also, all customer data must be stored in the same country.

Right now my bank, pension fund, utility supplier etc regularly e-mail me to inform me that a new statement is available. But they don't attach the statement to the e-mail... because "it isn't secure"

So there is real-world demand for a properly secured e-mail system. If we could jump in a time machine, go back 50 years and add end-to-end encryption to e-mail, I'd be getting my bank statements by e-mail.

(The chance of my bank deciding to deploy PGP is approximately one in a billion - which is why we'd need a time machine)

Why is that the alternative? How about everything is encrypted and nothing is scanned.

There is real-world demand for a properly secured messaging system (either real-time or asynchronous) that is as ubiquitous, as accessible, and as technologically neutral/decentralized as email.

I think you hit the nail on the head that if we could go back in time and email was encrypted from the start, it would be great, and there is a demand for that. But people keep trying to do that time travel by adding encryption after the fact, and like you I just don't think PGP works for that, I think it's throwing duck tape on top of a technology that is just not designed to handle it.

I'm not saying we should drop all email and move to something like Matrix, I still use email today for a lot of stuff. And I'm definitely not saying everyone should use Signal as a full email replacement (the phone number requirement and centralization problems make it unsuitable). But in the long, long term it would very likely be easier to drop email and move everyone everywhere to Matrix (or something else, it doesn't have to be an instant messenger), than it would be to try and retroactively make email encryption work well.

That's exactly what anti-encryptionists would want.