Skiff Team / 5.01.2020

Is Gmail Encrypted?

Gmail is not end-to-end encrypted. Can it be trusted?

The Dangers of Unencrypted Email

If you’re worried about email privacy, you’re not alone — and you have good reason to be concerned. Ninety-five percent of cybersecurity breaches are caused by human error, and the worldwide information security market is forecast to reach $170.4 billion in 2022. Privacy and security breaches are hard to prevent, and they remain risks even at the largest companies.

For most people, inboxes are inherently one of the most intimate, private things in our lives. You might find yourself joking that if anything bad ever happens to you, make sure someone erases your inbox and deletes your search history!

Email also takes up a large majority of our professional and personal days. An Adobe survey reported an average of 3.1 hours a day spent on professional email and an additional 2.5 hours on personal communication.

With so much of our lives happening via email, privacy and security are of utmost importance. But unfortunately, the biggest email providers are putting your sensitive communication at risk.

Email Provider Giants Might Be Putting Your Data at Risk

Google, Outlook, and Yahoo have historically dominated the email space — Google maintains the highest number of email addresses in the world with 1.8 billion, while as of 2020, Yahoo has 225 million. Outlook reported 400 million email users in 2018.

With about 67% of the population utilizing Gmail, it’s mission-critical for that platform to be fully safe and secure. However, Google has notoriously been plagued by data and security breaches.

Google users have filed class-action lawsuits surrounding privacy violations, with Google paying out hundreds of millions. Famously, Google+ was even shut down after a data breach of 500,000+ users. They cited “significant challenges” and a flaw in programming interfaces that exposed user data such as “full names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status.”

Google is transparent about its lack of end-to-end encryption in Gmail, citing its use of “encryption in transit” instead. App developers, Google themselves, and others have the ability to rifle through your email since it’s not end-to-end encrypted. Google can access the content of your messages as it has access to all decryption keys.

The Wall Street Journal reported on tech’s “dirty secret” — your email isn’t private.

And it never was.

What Is End-to-End Encryption?

End-to-end encryption is the gold standard of privacy and security. It means only the sender and receiver of the content will ever be able to read it. Tech Target more formally describes it as “a method of secure communication that prevents third parties from accessing data while it’s transferred from one end system or device to another” using cryptographic keys. Many advocates claim it protects human rights and privacy.

Several messaging apps, including Signal and WhatsApp (in limited contexts), use end-to-end encryption.

What Is Encryption in Transit and Encryption At Rest?

Gmail is not built on end-to-end encryption, which inherently means your emails are never fully protected. Google can scan the contents of your emails, and they have the keys to your data at all times. Google not only has the ability to read your emails using its own scanning software, but its employees might even be actively doing so. Google uses two types of encryption, encryption at rest and encryption in transit, which we detail below. But even with the use of these measures, Gmail still leaves your data vulnerable at many points. Let’s look at why.

Encryption in Transit

Encryption in transit means your email is encrypted as it’s moving from one point to another, such as from your device to a server or from one server to another. This ensures that your data will remain safe from prying eyes as it’s moving across the internet, but it has no bearing on its security after it’s arrived on Google’s servers.

Encryption at Rest

“Encryption at rest” means that data is encrypted after arrival at the server while it is not in use. If you (or Google) ever want to use the data, then Google decrypts it and gives it to you. An analogy for encryption at rest is a safety-deposit box at a bank. The bank holds the keys and can open the box if they like, but they give you access to the contents of the box on request.

With both types of encryption, Gmail still holds the decryption keys, maintaining ultimate control of your private communication and putting those keys at risk of being stolen. Google has access to your sensitive data, and employees have the potential to decrypt it.

Vice reported on leaked documents that detailed the tech giant’s firing of dozens of employees in 2020 for “security issues,” with 86% of all security violations typically involving employees’ “mishandling of confidential information, such as the transfer of internal-only information to outside parties.”

Google’s email security policies inherently put privacy at risk, allowing for illegal employee tampering, third-party violations, and more.

End-to-End Encryption Vs. Encryption in Transit Vs. Encryption at Rest

What’s the difference between end-to-end security encryption, encryption in transit, and encryption at rest?

Business Insider claims end-to-end encryption keeps your communication the most secure and protected. Your email is never decrypted as it’s being processed, and even the server can’t read the contents. It’s only decrypted once the email reaches its final destination and recipient.

While other encryption options might seem like an okay solution, as more and more sensitive information is passed through email, data leaks and privacy violations will inevitably become more commonplace.

End-to-end security encryption is the most effective, safest way to protect your data and email, efficiently preventing it from being intercepted, deleted, or modified by anyone, including the email provider itself.
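The difference comes down to who holds the decryption key. The sketch below is an added example, not code from Skiff or Google: it stores the same message once under a provider-held key (encryption at rest) and once as an envelope encrypted to the recipient's public key, then checks what the provider can recover from each. The `Provider` class, all function names, and the choice of RSA-OAEP wrapping an AES-256-GCM message key are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// AES-256-GCM seal/open, used by both models.
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Hypothetical provider: it owns storageKey, so whatever it seals it can also open.
class Provider {
  constructor() { this.storageKey = crypto.randomBytes(32); this.mailbox = []; }
  // Encryption at rest: plaintext reaches the server (TLS ended there) and is sealed with the provider's key.
  storeAtRest(plaintext) { this.mailbox.push(seal(this.storageKey, plaintext)); }
  // End-to-end: the server is handed an envelope that is already encrypted.
  storeOpaque(envelope) { this.mailbox.push(envelope); }
  // What the provider (or anyone who obtains storageKey) can recover from slot i.
  tryRead(i) {
    try { return open(this.storageKey, this.mailbox[i]); } catch { return null; }
  }
}

// Sender side of E2E: fresh message key, wrapped to the recipient's RSA public key (OAEP).
function e2eEncrypt(recipientPublicKey, text) {
  const msgKey = crypto.randomBytes(32);
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, oaepHash: 'sha256' }, msgKey);
  return { wrappedKey, ...seal(msgKey, text) };
}
// Recipient side: only the private key holder can unwrap the message key.
function e2eDecrypt(privateKey, env) {
  const msgKey = crypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, env.wrappedKey);
  return open(msgKey, env);
}

function compareModels(message) {
  const provider = new Provider();
  const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  provider.storeAtRest(message);
  provider.storeOpaque(e2eEncrypt(recipient.publicKey, message));
  return {
    providerReadsAtRest: provider.tryRead(0),  // the plaintext
    providerReadsE2E: provider.tryRead(1),     // null: GCM authentication fails
    recipientReadsE2E: e2eDecrypt(recipient.privateKey, provider.mailbox[1]),
  };
}
```
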

Is There A Safer Email Alternative to Gmail?

Now that you know your emails are at risk on Gmail and that Google has the ability to read your communication at any time, you might be wondering if there’s a safer, more private email alternative.

Skiff’s advisors are experts who critically rely on email security — including Ehren Kret, the CTO of Signal Messenger, and Dan Guido, head of the leading cybersecurity firm Trail of Bits. The Verge called us the “new, privacy-focused alternative to Gmail.”

Skiff Mail is an end-to-end encrypted email that protects your inbox and gives you the power to communicate freely. And because Skiff Mail is entirely open source, anyone can verify our privacy claims and encryption protocols, so your privacy is more than a promise. Skiff Mail also gives you free access to Skiff’s full range of end-to-end encrypted collaboration tools, including a powerful note-taking platform that you can use to replace Google Docs, which suffers from many of the same privacy risks as Gmail.

Worried you’ll sacrifice some of the perks that come with using an email giant? No need — Skiff offers 10GB of free storage, device syncing, custom domains, easy migration, and an active community of web3 and privacy enthusiasts that are helping us co-build a product roadmap that beats other email providers on privacy and experience.

We’re making private, decentralized collaboration possible at Skiff.

Sign up today for free.
