Dear Dr. Schmidt,

The signatories of this letter are researchers and academics in the fields of computer science, information security and privacy law. We write to you today to express our concern that many users of Google’s cloud-based services are needlessly exposed to an array of privacy and security risks. We ask you to increase users’ security and privacy protection by enabling by default transport-level encryption (HTTPS) for Google Mail, Docs and Calendar, a technology already enabled by default for Google Voice, Health, AdWords and AdSense.

As a market leader in providing cloud services, Google has an opportunity to engage in genuine privacy and security leadership, and to set a standard for the industry.

Google’s services are not secure by default Google’s default settings put customers at risk unnecessarily. Google’s services protect customers’ usernames and passwords from interception and theft. However, when a user composes email, documents, spreadsheets, presentations and calendar plans, this potentially sensitive content is transferred to Google’s servers in the clear,1 allowing anyone with the right tools to steal that information.

Google uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers’ login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, anyone who uses these Google services from a public connection (such as open wireless networks in coffee shops, libraries, and schools) faces a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

As the massive data breach suffered by T.J. Maxx clearly demonstrated, valuable information that is transmitted without sufficient protection can and will be exploited by criminals.3 Widely available tools known as packet sniffers4 make it easy for even amateur hackers to intercept users’ confidential files
and communications as they are transmitted between a user’s laptop or handheld device and Google’s servers– attackers can steal data without being detected. These sniffing tools are available for free, and even come pre-installed with some operating systems.5

Authentication cookies and the risks of account hijacking Google’s implementation of cookies makes it easy for attackers to effectively impersonate users.
Google, like many other companies, uses authentication cookies, which are transmitted by the user’s browser to Google’s servers for all requests after the initial login. These cookies are, by default, sent without encryption, and can thus be intercepted by hackers. By using one of these intercepted authentication cookies, a hacker can access a user’s account, read their documents, delete their files, and even send new email messages in their name.6

This risk is real, and Google’s response to date has been inadequate. In 2007, two researchers highlighted this cookie theft vulnerability in talks at the DefCon security conference.7 A year later, one of them released a tool to automate cookie theft and account hijacking.8 A year after first being notified of
the flaw, and just a few days before the security researcher planned to release his tool, Google announced the release of a new configuration option in Gmail to protect these authentication cookies and to force the use of HTTPS for Gmail sessions.9 However, to this day, this option is off by default, and is not widely known or publicized.

A large body of scientific research shows that users overwhelmingly retain default options; thus, unless the security issue is well known and salient to consumers, they will not take steps to protect themselves by enabling HTTPS.10 To deliver on Google’s promises about privacy and security, the company should
shift the default option to the more protective HTTPS setting.

Data interception vulnerabilities are not new

The technology industry has long known about the risks of transmitting private information in the clear. Web browsers have supported HTTPS since 1994, and many companies have made this switch. Today, all financial companies in the United States use the industry standard HTTPS technology to protect their
customers’ communications and transactions. Companies including Bank of America and American Express have gone even further, by using HTTPS to encrypt every single page served from their Web sites, even promotional information and non-confidential data.

Google itself has long known about these risks, and as a result, has supported HTTPS since the first day that the Gmail service launched. HTTPS support for Docs and Calendar is similarly long-standing, although as with Gmail, it is not enabled by default.

Google is not the only Web 2.0 firm which leaves its customers vulnerable to data theft and account hijacking. Users of Microsoft Hotmail, Yahoo Mail, Facebook and MySpace are also vulnerable to these attacks. Worst of all – these firms do not offer their customers any form of protection. Google at least
offers its tech savvy customers a strong degree of protection from snooping attacks. However, due to the fact that HTTPS protection is disabled by default and only enabled via an obscure configuration option, most regular users are likely to remain vulnerable.

Performance impact is minimal while security impact is large Enabling HTTPS for Google services by default will have a small impact in performance for the user, but will yield considerable security gains. In a 2008 blog post describing a new Gmail feature to force the use of HTTPS, Google engineer Ariel Rideout defended the company’s decision to not enable HTTPS by
default:

“We use https to protect your password every time you log into Gmail, but we don’t use https once you’re in your mail unless you ask for it (by visiting https://mail.google.com rather than http://mail.google.com). Why not? Because the downside is that https can make your mail slower. Your computer has to do extra work to decrypt all that data, and encrypted data doesn’t travel across the internet as efficiently as unencrypted data. That’s why we leave the choice up to you.”11

Once a user has loaded Google Mail or Docs in their browser, performance does not depend upon a low latency Internet connection. The user’s interactions with Google’s applications typically do not depend on an immediate response from Google’s servers. This separation of the application from the Internet connection enables Google to offer ‘offline’ versions of its most popular Web applications.12

Even when low latency is important, financial firms such as Bank of America and American Express have demonstrated how to provide users with a pleasant, low-latency browsing experience, while still implementing strong encryption by default. Likewise, Adobe’s cloud-based Photoshop Express lets users interactively edit images via a Web application that is 100% encrypted by default.

Other Google applications demonstrate that security need not come at the cost of performance. Google’s Health service enables users to browse through and manage their private health information online. Google’s Voice service lets customers initiate VOIP phone calls, send text messages, and manage voicemail inboxes. However, unlike with its Gmail, Docs, and Calendar products, Google only provides access to Health and Voice via HTTPS encrypted communications sessions, recognizing the highly sensitive health and call record information users entrust to Google. Likewise, Google’s AdWords and AdSense products, which are the backbone of Google’s advertising business, can only be managed by customers using a secure HTTPS connection.

Google’s engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense – we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs, and Calendar work equally well in order to enable encryption by default.

Google does not inform users adequately of the risks of unencrypted sessions Users do not adequately appreciate the risks of failing to use encryption and need protective defaults. Researchers have shown that most users have no idea of the data interception risks that they face when using public wireless networks.13 Other researchers have demonstrated that few users notice the presence or absence of HTTPS encryption and fail to take appropriate precautions when HTTPS is not used.14 Furthermore, Google employee Alma Whitten wrote one of the foremost studies documenting the human factors which lead to the many problems faced by users who wish to employ encryption.15

If Google believes that encryption and protection from hackers is a choice that should be left up to users, the company must do a better job of informing them of the risks so that they are equipped to make this choice. The company currently does very little to educate its users, and the sparse information describing encryption options is hidden, and presented in terms that few members of the general public will understand.

Indeed, Google’s disclosures may mislead users about how secure their activities are. When users create a new Google account, or login to Google Mail, Docs, or Calendar, they are not told about the risks they face if they use these services from a public network. However, each time a user logs in to Google Docs, they see promotional text on the login page stating that “Files are stored securely online” (bold in original).16

Likewise, a Privacy and Security page on Google’s help site advises customers:

“Many Google Docs users add personal information to their documents, spreadsheets and presentations, and this information is safely stored on Google’s secure servers … That means by default, your data is private, unless you grant access to others and/or publish your information.”17

These statements have significant potential to mislead users, who understandably may not know the difference between storage security, access control, and network-transport security. As a result, many users may be lulled into a false sense of safety.

used.14 Furthermore, Google employee Alma Whitten wrote one of the foremost studies documenting the human factors which lead to the many problems faced by users who wish to employ encryption.15 If Google believes that encryption and protection from hackers is a choice that should be left up to users, the company must do a better job of informing them of the risks so that they are equipped to make this choice. The company currently does very little to educate its users, and the sparse information describing encryption options is hidden, and presented in terms that few members of the
general public will understand.

Indeed, Google’s disclosures may mislead users about how secure their activities are. When users create a new Google account, or login to Google Mail, Docs, or Calendar, they are not told about the risks they face if they use these services from a public network. However, each time a user logs in to Google Docs, they see promotional text on the login page stating that “Files are stored securely online” (bold in original).16

Likewise, a Privacy and Security page on Google’s help site advises customers: “Many Google Docs users add personal information to their documents, spreadsheets and presentations, and this information is safely stored on Google’s secure servers … That means by default, your data is private, unless you grant access to others and/or publish your information.”17

These statements have significant potential to mislead users, who understandably may not know the difference between storage security, access control, and network-transport security. As a result, many users may be lulled into a false sense of safety.

Many users are unlikely to know what https means, or understand that enabling this option is critical to protect them from data theft, account hijacking, and snooping. Google’s interface fails to explain either the risk or the solutions adequately explained. While there is a “learn more” link to another page with more information on this option, Google does not convey the importance of this setting, and few users are likely to click the link.

Google does have a help page that accurately explains the risks faced by Google users who connect from public wireless networks. The page states:

“If you sign in to Gmail via a non-secure Internet connection, like a public wireless or nonencrypted network, your Google account may be more vulnerable to hijacking. Non-secure networks make it easier for someone to impersonate you and gain full access to your Google account, including any sensitive data it may contain like bank statements or online log-in credentials. We recommend selecting the ‘Always use https’ option in Gmail any time your network may be non-secure. HTTPS, or Hypertext Transfer Protocol Secure, is a secure protocol that provides authenticated and encrypted communication.” 18

This page offers users important information, but it is buried five layers deep in Google’s help Web site (Google Help › Gmail Help › Your Account › Privacy & Security › Enabling the HTTPS setting). If Google does not enable HTTPS by default – the best strategy — it is vitally important that information about risk be presented to all users, so that their use of HTTPS is an informed choice, and not merely the result of sticking with a poor default option.

Existing security options fail to adequately protect users People who use multiple Google services are at particular risk – and Google does not offer them a way to protect themselves adequately. The “always use https” preference in Gmail helps Gmail users (at least those who locate it) safeguard their information. However, this preference only applies to Gmail sessions. When those users login to Docs and Calendar, their information again flows over the public Internet without the protection offered by HTTPS encryption.

There is no encryption setting available for Docs or Calendar. The only way for users of these other Google services to protect themselves is to remember to type https://docs.google.com and https://www.google.com/calendar into their browser’s location bar every time they employ those applications. Google does not explain this difference between applications, and users may incorrectly believe that setting the Gmail preference will protect all of their Google sessions.
Google’s authentication design puts users at risk. Google uses a single authentication cookie. This means that once users have logged into Google Docs, they do not need to enter their usernames and passwords again when they switch to Google Mail during the same session. This design choice means that an authentication cookie captured from a Google Docs or Calendar session can later be used by criminals to gain access to a Google Mail account – even if the victim attempted to protect herself by setting the “always use https” preference in Gmail. This makes Docs and Calendar sessions the weakest link in the chain of security, and attackers can use this cookie information to steal far more important data that would otherwise have been protected.

Our recommendations

We strongly urge you to follow the lead of the financial industry and enable HTTPS encryption by default for the users of Google Mail, Docs, and Calendar. As Google’s own help page notes, mail inboxes often contain “sensitive data … like bank statements or online log-in credentials.”19 Given the huge threat posed by identity theft, it is vital that Google take proactive steps to protect its users from these risks.

Google has long argued that the reason it does not enable HTTPS encryption by default is because of latency-related issues – that is, encrypted data may load more slowly, causing noticeable delays for the user. The company states that it wants users to have the “choice” to enable encryption, so they can weigh the security benefits against possible reductions in interface responsiveness. We support empowering users. However, rather than forcing users to “opt-in” to adequate security, we strongly urge you to make security and privacy the default setting, and allow informed users to “optout” of the encryption if they feel it is an unnecessary burden.

If Google insists on not enabling these encryption-based protective measures by default, the company should at least make the consequences of this decision more prominent, so that users make a fully informed choice. Few users know the risks they face when logging into Google’s Web applications from an unsecured network, and Google’s existing efforts are little help. We suggest that, at minimum, Google do four things:

1. Place a link or checkbox on the login page for Gmail, Docs, and Calendar, that causes that session to be conducted entirely over HTTPS. This is similar to the “remember me on this computer” option already listed on various Google login pages. As an example, the text next to the option could read “protect all my data using encryption.”

2. Increase visibility of the “always use https” configuration option in Gmail. It should not be the last option on the Settings page, and users should not need to scroll down to see it.

3. Rename this option to increase clarity, and expand the accompanying description so that its importance and functionality is understandable to the average user.

4. Make the “always use https” option universal, so that it applies to all of Google’s products. Gmail users who set this option should have their Docs and Calendar sessions equally protected. Google has made important privacy promises to users, and users naturally and reasonably expect Google to follow through on those promises. We therefore urge Google to put the privacy and security of its customers first by making the changes described here.