Is Google’s wildly popular Gmail email service safe for work? The short answer is yes, for most of us at least, but there are circumstances in which Gmail is not an appropriate work option.
Gmail’s default settings provide fairly robust protection for mail in transit. What users see in Gmail travels over a connection encrypted with an industry-standard 128-bit symmetric cipher, carried by Transport Layer Security (TLS) 1.1, also an industry standard. The session is set up with the ECDHE_RSA key exchange: the server proves its identity with its RSA certificate, an ephemeral elliptic-curve Diffie-Hellman exchange agrees a fresh secret key for that session, and each record is authenticated with an HMAC built on the SHA-1 hash so that tampering in transit is detected.
If this sounds confusing, it’s because we are talking about cryptography, and cryptography is incredibly confusing for those of us who don’t do math problems for a living. Simply put, your browser and Google’s servers agree on a secret that nobody watching the network has, so the traffic between you and Google is unreadable in transit. Note what this does and does not cover: the encryption protects the connection, not the mailbox. Google’s servers decrypt your mail on arrival and store it in a form Google can read, which is precisely what makes the content scanning discussed further on possible.
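The pieces named above (key exchange, certificate authentication, bulk cipher, record MAC) are exactly the fields of a TLS cipher-suite name, so a practitioner can read them off directly. The following is an added example, not code from the original article: it splits an IANA-style suite name such as `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` into those roles and flags the properties a reviewer would care about (no forward secrecy, legacy MAC, CBC mode, weak ciphers). The role tables are this example's own assumptions and cover common TLS 1.0-1.2 suites only. The optional `check_live` helper reports what a real server negotiates and needs network access; the offline part runs stand-alone.

```python
"""Break a TLS cipher-suite name into the roles the article describes.

Added example. Tables below are assumptions covering common TLS 1.0-1.2 suites;
TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry no key-exchange or
authentication token and are rejected.
"""
import socket
import ssl

KEX_FS = {"DHE": True, "ECDHE": True, "RSA": False}   # key exchange -> forward secrecy?
AEAD_MARKERS = {"GCM", "CCM", "POLY1305"}              # modes with integrated integrity
MAC_NAMES = {"SHA": "HMAC-SHA1", "MD5": "HMAC-MD5",
             "SHA256": "HMAC-SHA256", "SHA384": "HMAC-SHA384"}
LEGACY_MACS = {"HMAC-SHA1", "HMAC-MD5"}


def describe_suite(name):
    """Split an IANA suite name into key exchange, authentication, bulk cipher
    and record MAC, and list the properties worth flagging."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not a TLS 1.0-1.2 IANA cipher-suite name: %r" % name)
    kex_part, enc_part = name[len("TLS_"):].split("_WITH_", 1)
    kex_tokens = kex_part.split("_")
    kex = kex_tokens[0]
    # TLS_RSA_WITH_... uses the certificate's RSA key for both exchange and auth.
    auth = kex_tokens[1] if len(kex_tokens) > 1 else kex
    enc_tokens = enc_part.split("_")
    aead = bool(AEAD_MARKERS & set(enc_tokens))
    # The trailing hash token names the PRF for AEAD suites, the HMAC otherwise.
    cipher_tokens = enc_tokens[:-1]
    mac = "AEAD (integrated)" if aead else MAC_NAMES.get(enc_tokens[-1], enc_tokens[-1])
    cipher = "-".join(cipher_tokens)

    flags = []
    if not KEX_FS.get(kex, False):
        flags.append("no forward secrecy: a leaked server key decrypts recorded sessions")
    if mac in LEGACY_MACS:
        flags.append("legacy %s record MAC" % mac)
    if "CBC" in cipher_tokens:
        flags.append("CBC mode: padding-oracle class attacks; prefer an AEAD suite")
    if cipher_tokens[0] in ("RC4", "3DES", "DES", "NULL"):
        flags.append("weak or broken bulk cipher %s" % cipher_tokens[0])
    return {"suite": name, "kex": kex, "auth": auth, "cipher": cipher, "mac": mac,
            "aead": aead, "forward_secrecy": KEX_FS.get(kex, False), "flags": flags}


def check_live(host, port=443, timeout=5):
    """Report what a server actually negotiates (needs network; not run offline).

    ssl.SSLSocket.cipher() returns the OpenSSL-style name, e.g. ECDHE-RSA-AES128-SHA.
    """
    ctx = ssl.create_default_context()      # verifies the chain against system roots
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, protocol, bits = tls.cipher()
            return {"version": tls.version(), "cipher": cipher_name,
                    "secret_bits": bits, "protocol": protocol}


if __name__ == "__main__":
    import sys
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",   # the suite the article describes
                  "TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"):
        d = describe_suite(suite)
        print("%s\n  kex=%s auth=%s cipher=%s mac=%s" % (suite, d["kex"], d["auth"], d["cipher"], d["mac"]))
        for flag in d["flags"]:
            print("  ! " + flag)
    if len(sys.argv) > 1:                     # e.g. python suite.py mail.google.com
        print(check_live(sys.argv[1]))
```

For the article's suite the output reads kex=ECDHE, auth=RSA, cipher=AES-128-CBC, mac=HMAC-SHA1: the "128 bit encryption", "SHA1" and "ECDHE_RSA" of the text are three different jobs done by three different algorithms, not a single mechanism.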
So, for most of us, as long as we’re using strong passwords on secure machines and especially if we have Google’s two-factor authentication feature turned on, then Gmail is perfectly safe at work.
Broadly concerning is the reality that Google performs automated, non-human scans of the contents of its users’ Gmail accounts and messages in order to serve more relevant ads. Theoretically, it is therefore possible for an attacker to learn a great deal about a target’s work (if that person uses Gmail for work) simply by observing the target’s behavior-based web ads and/or personalized search result rankings. While it is largely unknown whether such attacks have taken place, they are certainly possible. So, if your work is so sensitive that you’d like to keep others from knowing what you do altogether, it’s advisable not to use Gmail at work.
It’s technically possible to intercept Gmail data in transit via infected machines or spoofed digital certificates, and Google’s yearly transparency report leaves no question that Google has complied, and continues to comply, with prosecutorial and other government information requests.
You really have to assess the kinds of communicating you do on Gmail and decide for yourself whether using it at work is a good idea. If you work as an anti-regime activist or are otherwise involved in pursuits that run afoul of your government’s interests in a country known to actively surveil its citizens, you probably want to avoid Gmail. Governments can subpoena Google for Gmail information, and in some cases there is nothing Google can do but comply. Governments also have the money and resources to attack the connection itself: not by brute-forcing the encryption, which is not a practical route, but by obtaining fraudulently issued certificates (as mentioned above), effectively giving them the capacity to impersonate Google and perform man-in-the-middle attacks.
A number of experts speculated that Iranian state-sponsored hackers compromised the Dutch certificate authority (CA) DigiNotar in 2011 so that they could spy on their own citizens; the fraudulently issued certificates included one for *.google.com, which is exactly what is needed to impersonate Gmail. No one knows for certain that this was the case, but the compromises of that CA and of another called Comodo in the last couple of years demonstrated that such a threat definitely exists. Even if nation-states weren’t responsible for those and other similar attacks, someone was, and the compromise of a certificate authority almost certainly means that someone is impersonating someone or something else, which in turn means that some user is unknowingly transmitting data to or through a source that is not what it claims to be.
Considering the information laid out above, users who do work that they don’t want their government to know about, or that their government is not on board with, shouldn’t incorporate Gmail into their professional lives, whether that work is activism of some sort or something outright nefarious. More generally, if you deal in incredibly sensitive or valuable information of any kind on a regular basis, you are probably going to want to avoid Gmail and other cloud-hosted email systems, because valuable information is aggressively sought after by hobbyist, criminal, and state-sponsored hackers alike.
Of course, no one wants their Gmail account compromised or their communications monitored – no matter what their work entails. There are also those that will insist on using Gmail at work regardless of their trade, so we have a few suggestions:
You should only access and use your Gmail account from a well-protected PC equipped with a complete, up-to-date security suite. Again, it is incredibly important that users take advantage of Google’s two-factor authentication feature, which helps protect against account hijacks. Always log out when stepping away from your computer, even for a short period, because all the security in the world won’t protect against a malicious forwarding rule planted by whoever sits down at an unlocked session: an attacker who has had the account for a minute can set up forwarding or a filter that quietly copies every future message elsewhere and keeps working long after the password is changed. Periodically review the Forwarding and Filters sections of Gmail’s settings for addresses and rules you did not create, and check the “Last account activity” detail at the bottom of the inbox for sessions that aren’t yours. As always, keep your browser and operating system up to date with the latest patches and avoid insecure networks, especially unencrypted public Wi-Fi.
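A mailbox-rule audit of the kind the last point describes can be automated. The block below is an added example, not code from the article or from Google: it runs detection logic over constructed sample data shaped like the Gmail API’s `users.settings.getAutoForwarding` and `users.settings.filters.list` responses (the addresses, filter ids and the `NOTICE_SENDERS` list are made up for the example, and the set of "trusted" domains is an assumed organisation domain). It flags account-wide forwarding to an outside domain, forwarding that hides the forwarded mail from the owner, filters that forward matching messages externally, and filters that silently delete security notices, which are the rules an attacker typically plants after a hijack.

```python
"""Audit Gmail forwarding settings and filters for attacker-planted rules.

Added example. Sample data is constructed in the shape of the Gmail API's
getAutoForwarding and filters.list responses; addresses, ids and the
NOTICE_SENDERS list are assumptions, not real data.
"""
import json

# Constructed sample: the account forwards everything to an outside address
# and trashes the original so the owner never sees it.
AUTO_FORWARDING = json.loads("""
{"enabled": true, "emailAddress": "archive.helper@example.net", "disposition": "trash"}
""")

FILTERS = json.loads("""
{"filter": [
  {"id": "ANe1Bmi0001", "criteria": {"from": "newsletter@example.com"},
   "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_12"]}},
  {"id": "ANe1Bmi0002", "criteria": {"query": "invoice OR contract OR password"},
   "action": {"forward": "archive.helper@example.net", "removeLabelIds": ["INBOX", "UNREAD"]}},
  {"id": "ANe1Bmi0003", "criteria": {"from": "no-reply@accounts.google.com"},
   "action": {"addLabelIds": ["TRASH"]}}
]}
""")

# Senders whose mail an attacker wants deleted (assumed list for the example).
NOTICE_SENDERS = {"no-reply@accounts.google.com", "security-noreply@google.com"}
HIDING_DISPOSITIONS = {"trash", "archive", "markRead"}   # anything but leaveInInbox


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_forwarding(auto_forwarding, filters, trusted_domains):
    """Return (severity, rule_id, reason) tuples for rules that leak or hide mail."""
    findings = []

    if auto_forwarding.get("enabled"):
        addr = auto_forwarding.get("emailAddress", "")
        if domain_of(addr) not in trusted_domains:
            findings.append(("high", "auto-forwarding",
                             "all mail copied to external address %s" % addr))
        disposition = auto_forwarding.get("disposition")
        if disposition in HIDING_DISPOSITIONS:
            findings.append(("high", "auto-forwarding",
                             "forwarded mail hidden from the owner (disposition=%s)" % disposition))

    for rule in filters.get("filter", []):
        rule_id = rule.get("id", "?")
        action = rule.get("action", {})
        criteria = rule.get("criteria", {})
        forward_to = action.get("forward")
        deletes = "TRASH" in action.get("addLabelIds", [])
        # Removing INBOX/UNREAD or trashing makes the forwarded copy invisible.
        hides = deletes or bool(set(action.get("removeLabelIds", [])) & {"INBOX", "UNREAD"})

        if forward_to and domain_of(forward_to) not in trusted_domains:
            findings.append(("high", rule_id, "filter %s forwards to external %s"
                             % (json.dumps(criteria), forward_to)))
        if forward_to and hides:
            findings.append(("high", rule_id, "forwarding filter also hides the message from the inbox"))
        if deletes and criteria.get("from", "").lower() in NOTICE_SENDERS:
            findings.append(("high", rule_id, "filter deletes security notices from %s" % criteria["from"]))
    return findings


if __name__ == "__main__":
    for severity, rule_id, reason in audit_forwarding(AUTO_FORWARDING, FILTERS, {"example.org"}):
        print("[%s] %s: %s" % (severity.upper(), rule_id, reason))
```

Run against the sample, the audit reports five findings: two for the account-wide forward (external address, trashed originals), two for filter `ANe1Bmi0002` (external forward, hidden from the inbox), and one for `ANe1Bmi0003`, which deletes Google’s own account notices. The benign newsletter filter produces nothing. In practice the two JSON documents come from the Gmail API with the `gmail.settings.basic` scope, or from a manual read of the Forwarding and Filters settings pages.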