



Google continued rolling out client-side encryption, making the feature generally available to some Gmail and Calendar users, who can now send and receive encrypted messages and meeting invitations.

Today’s general availability is for customers worldwide with Workspace Enterprise Plus, Education Standard, and Education Plus. This follows a client-side encryption beta program for the same enterprise and educational users that Google launched late last year.

However, personal Google Accounts and other Workspace plans still lack the option to enable this added element of security. A Google spokesperson declined to say when the company plans to add client-side encryption to individuals' Gmail and other consumer services.

The service encrypts emails and meeting events in the client’s browser before they reach Google Cloud servers. This means that even the cloud provider, Google, cannot access the encryption keys or decrypt the data in the email body or attachments.

This feature is turned off by default, to the frustration of many security practitioners, and can be enabled after a customer deploys a key management service integrated with their identity provider. When asked why it isn’t turned on by default, a spokesperson said enterprise customers want client-side encryption (CSE) as a means of protecting their most sensitive data and can turn it on or off according to their needs.

“Our customer administrators are best positioned to determine that most sensitive data and the appropriate set of users to enable CSE within their organization,” the spokesperson said.

“Customers have control over the encryption keys and the identity management services to access those keys, so sensitive data cannot be decrypted by Google or any other external entity,” Googlers Ganesh Chilakapati and Andy Wen of Data Privacy wrote in a blog post about the feature.

Note, however, that client-side encryption is not the same as end-to-end encryption (E2EE). With E2EE, data is encrypted on the sender’s device and decrypted only on the intended recipient’s device, so only those involved in the private conversation can access the content.

Additionally, with E2EE, encryption keys are generated on the sender’s and receiver’s devices. This means that administrators cannot control keys or view encrypted content.

CSE, on the other hand, gives company administrators more access. For example, they could revoke access to your keys or read encrypted files.

Extending CSE across Google Workspace services will help businesses and public sector organizations comply with data sovereignty laws and other regulations, Chilakapati and Wen said.

The two cite customers such as UK business services giant PwC, US telecom company Verizon and French media giant Groupe Le Monde as using CSE to “protect critical intellectual property and maintain data sovereignty requirements.” They also cite customers such as French airline Airbus, which uses CSE.

“Users can continue to collaborate across other critical apps in Google Workspace, and IT and security teams can ensure sensitive data is compliant with regulations,” said a Google employee.

Google enabled CSE for Drive, Docs, Slides, Sheets and Meet last year.

On the E2EE front, Google Messages added support in late 2020 and Group Messages got E2EE in early 2022. However, Google Chat is not end-to-end encrypted.

