An open letter to Google's CEO, Eric Schmidt.

This six-page letter (pdf) to Google's CEO, Eric Schmidt, is signed by 38 researchers and academics in the fields of computer science, information security and privacy law. Together, they ask Google to honor the important privacy promises it has made to its customers and protect users' communications from theft and snooping by enabling industry-standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.

Google already uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers' login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

Google supports HTTPS encryption for the entire Gmail, Docs or Calendar session. However, this is disabled by default, and the configuration option controlling this security mechanism is not easy to discover. Few users know the risks they face when logging into Google's Web applications from an unsecured network, and Google's existing efforts are little help.

Support for HTTPS is built into every Web browser and is widely used in the finance and health industries to protect consumers' sensitive information. Google even uses HTTPS encryption, enabled by default, to protect customers using Google Voice, Health, AdSense and AdWords. Google should now extend this degree of protection to users of Gmail, Docs and Calendar.

Rather than forcing its customers to "opt-in" to adequate security, Google should make security and privacy the default.



Are you a member of the press, a government regulator, or a Google executive interested in doing the right thing?
Get in touch with Christopher Soghoian.




The 38 signatories of this letter are:

Affiliations are for identification purposes only and imply no institutional endorsements.

Jacob Appelbaum
Researcher
The Tor Project

Derek E. Bambauer
Assistant Professor of Law
Brooklyn Law School

Jay Beale
Senior Security Analyst and Co-Founder
InGuardians, Inc.

Thomas A. Berson, PhD, FIACR
President
Anagram Laboratories
Past-Chair
IEEE Technical Committee on Security and Privacy

Ian Brown, PhD
Senior Research Fellow
Oxford Internet Institute
University of Oxford

Steven M. Bellovin, PhD
Professor of Computer Science
Columbia University

Jon Callas
CTO, CSO
PGP Corporation

William R. Cheswick
Lead Member of Technical Staff
AT&T Research

Richard Clayton, PhD
Visiting Industrial Fellow
Computer Laboratory
University of Cambridge

Lorrie Faith Cranor, DSc
Associate Professor
Computer Science and Engineering & Public Policy
Director
CyLab Usable Privacy and Security Laboratory
Carnegie Mellon University

Roger Dingledine
Project Leader and Director
The Tor Project

Benjamin Edelman, PhD
Assistant Professor
Harvard Business School

Nico A.N.M. van Eijk
Professor
Institute for Information Law (IViR)
University of Amsterdam

Allan Friedman, PhD
Post-Doctoral Fellow
Center for Research in Computation and Society
Computer Science Department
Harvard University

Joe Grand
President
Grand Idea Studio

Matthew D. Green, PhD
CTO
Independent Security Evaluators

Robert "RSnake" Hansen
CEO
SecTheory

Chris Hoofnagle
Director - Information Privacy Programs
Berkeley Center for Law & Technology
University of California, Berkeley School of Law

Bart Jacobs, PhD
Professor of Computer Security
Radboud University
Nijmegen, The Netherlands

Markus Jakobsson, PhD
Principal Scientist
Palo Alto Research Center

3ric Johanson
Security Researcher
The Shmoo Group

Jerry Kang
Professor of Law
UCLA School of Law

Ian Kerr, PhD
Canada Research Chair in Ethics, Law & Technology
Faculty of Law, University of Ottawa

Harry R. Lewis, PhD
Gordon McKay Professor of Computer Science
Harvard University

Michael Lynn
Security Researcher

Rob Miller, PhD
Associate Professor, Department of Electrical Engineering and Computer Science
The Massachusetts Institute of Technology

Jeff Moss
Founder and Director
Black Hat and DEFCON
Member, U.S. Department of Homeland Security Advisory Council

Steven Myers, PhD
Assistant Professor of Informatics
Indiana University Bloomington

Peter G. Neumann, PhD
Principal Scientist
SRI International Computer Science Lab,
Moderator of the ACM Risks Forum

Paul Ohm
Associate Professor of Law
University of Colorado School of Law

Ronald L. Rivest, PhD
Andrew and Erna Viterbi Professor of Electrical Engineering and Computer Science
The Massachusetts Institute of Technology

Bruce Schneier
Chief Security Technology Officer
BT Group

Christopher Soghoian
Student Fellow
Berkman Center for Internet & Society
Harvard University
PhD Candidate
School of Informatics, Indiana University

Eugene H. Spafford, PhD
Professor of Computer Science
Executive Director
Center for Education and Research in Information and Security (CERIAS)
Purdue University

Frank Stajano, PhD
Senior Lecturer
Computer Laboratory
University of Cambridge

Matthew Wright, PhD
Assistant Professor
Computer Science & Engineering
University of Texas at Arlington

Michael Zimmer, PhD
Assistant Professor
School of Information Studies
University of Wisconsin-Milwaukee

Alessandro Acquisti, PhD
Associate Professor of Information Technology and Public Policy
H. John Heinz III School of Public Policy and Management
Carnegie Mellon University