You get crypto, you get crypto, almost everyone gets email crypto! • The Register

Google has continued its rollout of client-side encryption, with the feature now generally available to some Gmail and Calendar users, who can send and receive encrypted messages and meeting invitations.

Today’s general availability covers global customers using Workspace Enterprise Plus, Education Standard and Education Plus. It follows a client-side encryption beta program for the same business and education users that Google launched late last year.

However, personal Google Accounts and Workspace plans still do not have the option to turn on this additional security feature. A Google spokesperson declined to say when the company planned to add client-side encryption to personal Gmail and other consumer-facing services.

The service encrypts emails and meeting events in the client’s browser before they reach Google Cloud servers – meaning that even Google, as a cloud provider, cannot access the encryption keys or decrypt data in the email itself or in an attached file.

This feature is off by default, which many security professionals will be unhappy about, and can be enabled after a customer deploys a key management service integrated with the identity provider. When asked why the data protection service is not on by default, the spokesperson said that business customers wanted client-side encryption (CSE) as an extra measure of protection for their most sensitive data – and to be able to turn it on or off to suit their needs.

“Our customer administrators will be best positioned to determine what the most sensitive data is and the right set of users in their organization to enable CSE for,” the spokesperson said.

“Because customers retain control of the encryption keys and the identity management service to access those keys, sensitive data is intractable to Google and other external entities,” Google’s Ganesh Chilakapati and Andy Wen wrote in a blog post about the privacy feature.

However, we should note that client-side encryption is not the same as end-to-end encryption (E2EE). With E2EE, data is encrypted on the sender’s device and decrypted only by the intended recipient’s device, so that only people involved in the private conversation can access the content.

Additionally, with E2EE, encryption keys are generated on the sender’s and receiver’s devices, meaning the administrator has no control over the keys or visibility into what content is encrypted.

CSE, on the other hand, gives business administrators more access. For example, they can revoke a user’s access to keys, or even read their encrypted files.

Extending CSE across Google Workspace services helps businesses and government organizations comply with data sovereignty laws and other regulations, Chilakapati and Wen said.

The duo cited clients including UK corporate services firm PwC, US telecoms company Verizon, French media giant Groupe Le Monde and French aerospace company Airbus, which use CSE to protect “their critical intellectual property and uphold their claim to data sovereignty,” Chilakapati and Wen wrote.

“Users can continue to collaborate across other important apps in Google Workspace, while IT and security teams can ensure that sensitive data remains compliant with regulations,” Googlers said.

Google enabled CSE for Drive, Docs, Slides, Sheets and Meet last year.

And on the E2EE front: Google Messages added support in late 2020, and group messaging got E2EE in early 2022. However, Google Chat is not end-to-end encrypted. ®
