It may be one of the most widely used email service providers, but is Gmail secure? Google encrypts your emails, but the encryption isn’t strong enough to guarantee that your business contracts or personal conversations won’t end up in someone else’s hands (or in Google’s). You can prevent this from happening by encrypting your Gmail emails in a few simple steps.
Aug 25, 2020 · 5 min read
Google automatically encrypts your emails in transit with Transport Layer Security (TLS) encryption standard. TLS is better than not using any encryption at all, but you should still take Gmail encryption with a pinch of salt:
Every message in Gmail indicates whether it is encrypted or not. However, this doesn’t mean that your emails are only accessible to you and the recipient.
Gmail can view your messages and filter the ones that contain malware, phishing, or look suspicious. Even encrypted with TLS, your sensitive information can be stolen.
TLS is definitely better than no encryption, but if you’re looking for the ultimate security level, it’s not enough.
Not directly: Google’s employees don’t have access to your emails and can’t read them. However, Google’s bots scan your emails to collect more information about you. They use this data to show you relevant content later in ads, YouTube suggestions, search results, etc. You can turn ad personalization off in Ad Settings. It won’t stop Google’s bots from scanning your emails, but things you discuss in private emails won’t show up in ads when you go online.
There are ways to give your Gmail an extra layer of encryption. You can do this by either getting a paid G Suite account and encrypting your emails with S/MIME encryption or using a third-party plugin and encrypting your emails manually. Let’s delve into them in more detail.
Google offers paid G Suite Enterprise and G Suite Education accounts enhanced S/MIME encryption. With S/MIME, you can encrypt your messages with user-specific keys that you will then need to share with the intended recipient. Otherwise, they will not be able to decrypt the message. With this add-on, you will also be able to see the level of encryption your message will have. Just look for a lock icon next to your recipient's name. (Green means that your message will support S/MIME encryption; Gray – TLS encryption; red – unencrypted.)
Even though it’s more secure than TLS, it still presents many vulnerabilities as the receiver also needs to use S/MIME, your message can again be hacked once it gets to the destination server, and Google still can scan your emails. It also creates an extra step you need to complete before sending an email, which might be frustrating for those who send hundreds of emails a day. The encryption isn’t set up by default so you’ll have to ask G Suite admins to do this for you.
Flowcrypt works as a desktop Firefox or Chrome extension and adds a ‘Secure Compose’ button to your Gmail’s interface. It encrypts your messages with industry-standard Pretty Good Privacy (PGP) encryption. Your recipient can use any email service provider as long as it supports PGP, but you will still need to share your private key for them to decrypt the message. Alternatively, you can set a password, but you will still need to share it with the recipient.
SecureMail is another plugin that works similarly to Flowcrypt but was developed for Google Chrome users only. Once installed, you should see a lock icon next to Gmail’s ‘Compose’ button. Make sure to click on that icon before composing an email or you will send your sensitive information unencrypted.
With SecureMail, you’ll need to set up a password and a password hint for the receiver to decrypt your message. These should be shared with your recipient through other communication channels. The receiver will also need to be a SecureMail user to decrypt your message.
This is another Chrome extension that offers PGP encryption, but this one might require more technical knowledge to set up.
If you used PGP encryption before and already have your public and private keys, you can import them straight into Mailvelope. If not, you’ll have to generate new ones. For the encryption to work, you will need to share your public key with the recipient as well as import recipients’ public keys to Mailvelope’s keyring, too. You can share your public key with others by uploading it on a public key server like the PGP Global Directory or the MIT Key Server.
Once this is set up, you can start composing your encrypted messages. Mailvelope will create a button next to the Gmail ‘Compose’ button. Once you click on it, a new window will pop up. Compose your message and then click ‘encrypt.’ Choose the recipient and transfer the encrypted text into Gmail. Mailvelope provides you with end-to-end encryption meaning that no one snooping on your traffic, not even Google, will be able to read your messages.
Unfortunately, none of the options discussed above provide a perfect solution if you care about your privacy. TLS and S/MIME encryption standards do not guarantee 100% security. Third-party plugins aren’t user-friendly, add extra steps to the emailing process, and don’t encrypt emails composed on a mobile device.
To send truly secure emails, you should look for a privacy-oriented email provider that:
Click here to see the best Gmail alternatives for your privacy and security.