This six-page letter (PDF) to Google's CEO, Eric Schmidt, is signed by 38 researchers and academics in the fields of computer science, information security and privacy law. Together, they ask Google to honor the important privacy promises it has made to its customers and protect users' communications from theft and snooping by enabling industry-standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.
Google already uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers' login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.
Google supports HTTPS encryption for the entire Gmail, Docs or Calendar session. However, this is disabled by default, and the configuration option controlling this security mechanism is not easy to discover. Few users know the risks they face when logging into Google's Web applications from an unsecured network, and Google's existing efforts are little help.
Support for HTTPS is built into every Web browser and is widely used in the finance and health industries to protect consumers' sensitive information. Google even uses HTTPS encryption, enabled by default, to protect customers using Google Voice, Health, AdSense and AdWords. Google should now extend this degree of protection to users of Gmail, Docs and Calendar.
Rather than forcing its customers to "opt-in" to adequate security, Google should make security and privacy the default.
View a list of the 38 experts who signed this letter.
Are you a member of the press, a government regulator, or a Google executive interested in doing the right thing?
Get in touch with Christopher Soghoian.
Jacob Appelbaum, Researcher, The Tor Project
Derek E. Bambauer, Assistant Professor of Law, Brooklyn Law School
Jay Beale, Senior Security Analyst and Co-Founder, InGuardians, Inc.
Thomas A. Berson, PhD, FIACR, President, Anagram Laboratories; Past-Chair, IEEE Technical Committee on Security and Privacy
Ian Brown, PhD, Senior Research Fellow, Oxford Internet Institute, University of Oxford
Steven M. Bellovin, PhD, Professor of Computer Science, Columbia University
Jon Callas, CTO, CSO, PGP Corporation
William R. Cheswick, Lead Member of Technical Staff, AT&T Research
Richard Clayton, PhD, Visiting Industrial Fellow, Computer Laboratory, University of Cambridge
Lorrie Faith Cranor, DSc, Associate Professor, Computer Science and Engineering & Public Policy; Director, CyLab Usable Privacy and Security Laboratory; Carnegie Mellon University
Roger Dingledine, Project Leader and Director, The Tor Project
Benjamin Edelman, PhD, Assistant Professor, Harvard Business School
Nico A.N.M. van Eijk, Professor, Institute for Information Law (IViR), University of Amsterdam
Allan Friedman, PhD, Post-Doctoral Fellow, Center for Research in Computation and Society, Computer Science Department, Harvard University
Joe Grand, President, Grand Idea Studio
Matthew D. Green, PhD, CTO, Independent Security Evaluators
Robert "RSnake" Hansen, CEO, SecTheory
Chris Hoofnagle, Director - Information Privacy Programs, Berkeley Center for Law & Technology, University of California, Berkeley School of Law
Bart Jacobs, PhD, Professor of Computer Security, Radboud University Nijmegen, The Netherlands
Markus Jakobsson, PhD, Principal Scientist, Palo Alto Research Center
3ric Johanson, Security Researcher, The Shmoo Group
Jerry Kang, Professor of Law, UCLA School of Law
Ian Kerr, PhD, Canada Research Chair in Ethics, Law & Technology, Faculty of Law, University of Ottawa
Harry R. Lewis, PhD, Gordon McKay Professor of Computer Science, Harvard University
Michael Lynn, Security Researcher
Rob Miller, PhD, Associate Professor, Department of Electrical Engineering and Computer Science, The Massachusetts Institute of Technology
Jeff Moss, Founder and Director, Black Hat and DEFCON; Member, U.S. Department of Homeland Security Advisory Council
Steven Myers, PhD, Assistant Professor of Informatics, Indiana University Bloomington
Peter G. Neumann, PhD, Principal Scientist, SRI International Computer Science Lab; Moderator of the ACM Risks Forum
Paul Ohm, Associate Professor of Law, University of Colorado School of Law
Ronald L. Rivest, PhD, Andrew and Erna Viterbi Professor of Electrical Engineering and Computer Science, The Massachusetts Institute of Technology
Bruce Schneier, Chief Security Technology Officer, BT Group
Christopher Soghoian, Student Fellow, Berkman Center for Internet & Society, Harvard University; PhD Candidate, School of Informatics, Indiana University
Eugene H. Spafford, PhD, Professor of Computer Science; Executive Director, Center for Education and Research in Information and Security (CERIAS); Purdue University
Frank Stajano, PhD, Senior Lecturer, Computer Laboratory, University of Cambridge
Matthew Wright, PhD, Assistant Professor, Computer Science & Engineering, University of Texas at Arlington
Michael Zimmer, PhD, Assistant Professor, School of Information Studies, University of Wisconsin-Milwaukee
Alessandro Acquisti, PhD, Associate Professor of Information Technology and Public Policy, H. John Heinz III School of Public Policy and Management, Carnegie Mellon University