Google considers request to boost privacy

Updated at 4:45 p.m. PST to clarify that Gmail data has always been encrypted by default when a user types in https:// and that last year they offered the ability to set https:// as the default.

More than three dozen security and privacy advocates and researchers are asking Google to offer better data protection for users of Gmail and other Google apps and Google said on Tuesday that it is considering doing that, if it doesn't slow down the apps too much.

You may not know this but you can set Gmail to encrypt your session data by default to protect it from being sniffed over the network. However, Google doesn't offer the ability to encrypt potentially sensitive data created in other Google apps like Docs or Calendar by default, which means the communications could be stolen or snooped on by someone using a packet sniffer on public Internet connections, such as open wireless networks, according to the letter addressed to Google Chief Executive Eric Schmidt and signed by a who's who of 38 experts in the security industry.

Granted, users of other free e-mail services, social networks, and many other sites are vulnerable to data theft and account hijacking, the letter notes. But Google is in a position to set a standard for others to follow, it says.

Google should enable HTTPS (Hypertext Transfer Protocol Secure), a technology used by banks and e-commerce sites, by default for Gmail, Docs and Calendar, or at least do more to educate users about the privacy risks and make it easy to turn on the HTTPS by default, the letter urges.

Not only do many people not understand the privacy risks in using unencrypted services, but they don't know that they have the HTTPS default option and finding the settings to change isn't that easy, the letter says. Users can access Gmail, Docs, Calendar and other apps via HTTPS by simply changing the "http://" in the URL address to "https://," but many don't know about that option, either.

"As a market leader in providing cloud services, Google has an opportunity to engage in genuine privacy and security leadership, and to set a standard for the industry," the letter says. "If Google believes that encryption and protection from hackers is a choice that should be left up to users, the company must do a better job of informing them of the risks so that they are equipped to make this choice."

Some of the security experts endorsing the document include Bruce Schneier, chief security technology officer of BT Group; Peter Neumann, principal scientist at SRI International; encryption pioneer Ron Rivest of MIT; Steve Bellovin of Columbia University; Eugene Spafford at Purdue University; and Defcon founder Jeff Moss, who recently joined the Homeland Security Advisory Council.

In response, Alma Whitten, a software engineer on Google's security and privacy teams, wrote in a blog post that Google has been "looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.

"But we want to more completely understand the impact on people's experience, analyze the data, and make sure there are no negative effects," she wrote. "Ideally we'd like this to be on by default for all connections, and we're investigating the trade-offs, since there are some downsides to HTTPS--in some cases it makes certain actions slower."

Google is planning to test the use of HTTPS with "small samples of different types of Gmail users" to see whether it affects the performance of their e-mail, the blog post says.

"Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users," the post says. "We're also considering how to make this work best for other apps including Google Docs and Google Calendar."

The letter addresses the performance trade-off argument, noting that Google seems to have solved the issue because it provides access to its advertising systems and several other services only via HTTPS sessions.

"Google's engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense--we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs, and Calendar work equally well in order to enable encryption by default," the letter says.