Google continued its client-side encryption rollout, the feature generally available to some Gmail and Calendar users who can now send and receive encrypted messages and meeting invites.
Today’s general availability covers global customers who use Workspace Enterprise Plus, Education Standard, and Education Plus. It follows a client-side encryption beta program for these same enterprise and education users that Google launched late last year.
Personal Google accounts and Workspace plans, however, still don’t have the option of turning on this added security element. A Google spokesperson declined to say when the company planned to add client-side encryption to personal Gmail and other consumer-facing services.
The service encrypts emails and meeting events in the client’s browser before they reach Google Cloud servers — meaning even Google, as the cloud provider, can’t access the encryption keys or decrypt data in the body of the email or in an attached file.
This feature is off by default, something many security folks will be unhappy about, and can be enabled after a customer deploys a key management service integrated with their identity provider. When asked about why the data privacy service isn’t on by default, the spokesperson said enterprise customers wanted client-side encryption (CSE) as an added protection measure for their most sensitive data — and being able to turn it on or off best suited their needs.
“Our customer admins will be best placed to determine what that most sensitive data is and the right set of users in their organization to enable CSE for,” the spokesperson said.
“As customers retain control over the encryption keys and the identity management service to access those keys, sensitive data is indecipherable to Google and other external entities,” Googlers Ganesh Chilakapati and Andy Wen wrote in a blog post about the data privacy feature.
We should note, however, that client-side encryption is not the same as end-to-end encryption (E2EE). With E2EE, data is encrypted on the sender’s device and decrypted only by the intended recipient’s device, so only people involved in the private conversation can access its contents.
Additionally, with E2EE, encryption keys are generated on the sender and receivers’ devices, which means the administrator doesn’t have control over the keys or visibility into what content has been encrypted.
CSE, on the other hand, gives company admins more access. For example, they could revoke a user’s access to keys, or even read their encrypted files.
Expanding CSE across Google Workspace services helps enterprises and public-sector organizations comply with data sovereignty laws and other regulations, Chilakapati and Wen said.
The duo cited customers including UK business services behemoth PwC, US telco Verizon, French media giant Groupe Le Monde and French aeronautics firm Airbus, which uses CES to protect “their critical intellectual property and maintain their data sovereignty requirements,” Chilakapati and Wen wrote.
“Users can continue to collaborate across other essential apps in Google Workspace while IT and security teams can ensure that sensitive data stays compliant with regulations,” the Googlers said.
Google, last year, enabled CSE for Drive, Docs, Slides, Sheets and Meet.
And on the E2EE front: Google Messages added support in late 2020, and Group messages got E2EE in early 2022. Google Chat, however, is not end-to-end encrypted. ®