Google Abandons 'End-To-End' Email Encryption Project, Invites Community To Take It Over

Google announced that the “End-to-End” email browser extension project it started three years ago is no longer a “Google project,” and that the community is invited to take it over because the project “has left the nest.” The company also renamed the End-to-End project “E2EMail.”

“End-to-End” Project Abandoned

Back in 2014, Google announced the OpenPGP-based End-to-End project to bring easier to use end-to-end encryption to Gmail and other email services. Yahoo later joined the project as well, but eventually abandoned it, probably for different reasons.

Google started the project to win back the trust of Gmail users, after being accused of being part of the NSA PRISM program, and to show that it cares about its users’ privacy. End-to-end encryption would make email readable only to the users sending each other emails, but not to Google, as it is now the case.

The company developed the project for two years; last year, though, the code contributions seemed to have suddenly stopped. The project has remained untouched on the GitHub repository for almost a year. We’ve contacted Google before to ask if the project has been abandoned or not, but we haven’t gotten clear answers.

Google has now published a blog post in which it renamed “End-to-End” to “E2EMail” and said that it’s no longer a Google product, but a “fully community-driven open source project.”

Key Transparency

Google also mentioned that it recently announced a separate “Key Transparency” project, which could end up being a critical component of E2EMail in the future. One of the problems that appears when you try to make PGP easier to use is that you have to have everyone’s public keys so that the users don’t have to share those keys with each other. However, you also have to ensure that those keys aren’t changed by malicious actors, so you need a system that can be easily audited.

The Key Transparency project, which at least for now seems to be developed and maintained by Google, takes innovations from the Certificate Transparency project and from CONIKS, a new type of key management system developed by Princeton and Stanford researchers, to create a secure key server.

Despite already working on both projects, Google doesn’t seem to have integrated Key Transparency into the E2EMail project yet, and it’s leaving that up to the community. It’s possible the company didn’t integrate it because the Key Transparency project itself is quite new and unproven, or it could be because Google simply didn’t want to expend more resources working on E2EMail.

The company did mention in the blog post that it’s "looking forward to working alongside the community to integrate E2EMail with the Key Transparency server, and beyond." However, it’s not clear what that means exactly, considering there haven’t been any serious code commits to the End-to-End project from the company in almost a year.

End-To-End Encrypted Emails

Although Google tries not to show it, it does seem that the company is not as focused on bringing end-to-end encryption to its services as it was immediately after the Snowden revelations.

Although the abandonment of the End-to-End tool was evident from the lack of contributions, it was confirmed when the company chose to adopt S/MIME for enterprise users over OpenPGP. Google turned even that end-to-end encryption technology into a centralized/hosted one where Google knows the private key of the users and therefore can read the contents of their emails.

Google seems to be removing itself from all end-to-end encryption projects, as it continues to focus on artificial intelligence and more advanced tracking and mining of user data. That means if you want end-to-end encrypted email, you may have to look elsewhere.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Chris_396
    Ok... I will first say, I'm just a casual "security reader" so take this for the $0.02 it's worth. Google may have just saved that project. By inviting the open source community to take over the project, it should mean the security stays open and transparent. Where as if the US Gov't gets what it wants and has backdoors built into encryption, google would have been forced to comply or tie the decision up in court for who-knows-how-long. Now, I could be completely off... maybe they got bored with it!