
There's the option of reducing that exposure to a minimum limited extent. To the extent that this is auditable, verifiable, and based on well-established procedures, it may be an acceptable risk.

This includes encrypting unencrypted messages, after arrival, to the user's own key(s).

Keep in mind that data security consists of numerous elements:

* Access.

* Encryption-in-flight.

* Encryption-at-rest.

* Encryption-to-client.

* Rates of transfer or exfiltration. This has numerous elements, one of which I refer to as the Pennyworth limit. Bruce Wayne has a butler who is privy to Wayne's innermost secrets. But he is not also privy to the secrets of all of Gotham. And even at maximum data transmission rate, he can only reveal a few hundred words a minute of information, on the order of a megabyte or so per day (in textual form). Our electronic devices and systems have far more information, in far more detail, on far more people, available at far higher rates, and for the most part, can be tapped with absolutely no awareness by the subject of the information revealed.

* An "entire mailbox" is only a few hundreds of MB or GB, and arrives incrementally. Since reading information client-side requires transmission of that data in any regard, the information is already client-side. There are now microSD devices with capacity approaching or exceeding 1 TB and above. Storage itself is not a limitation.

Unencrypted email can be indexed, the indexes encrypted, and transmitted to the client device.

I'm not saying that the technical considerations here are simple, but the costs of failing to address them, quite literally the future of liberal democracy, are too high to not do so.



> There's the option of reducing that exposure to a minimum limited extent. To the extent that this is auditable, verifiable, and based on well-established procedures, it may be an acceptable risk.

How would it ever be auditable or verifiable? You're talking about secret source code running in private data centers on inaccessible hardware. If you need auditability or verifiability, you cannot rely on GMail or any similar service.

> Our electronic devices and systems have far more information, in far more detail, on far more people, available at far higher rates, and for the most part, can be tapped with absolutely no awareness by the subject of the information revealed.

I'm not dismissive of that concern but I fail to see its relevance to the question of whether Google should add another key to everyone's account. You don't solve this problem by encrypting your mail unless you stop sending your mail through Google. In fact you don't even solve it that way because such a huge chunk of mail you send/receive will flow through Google anyway. You cannot solve the trust problem by adding another unverifiable layer of encryption. If you don't trust Google now, that shouldn't change if they tell you that they started encrypting with your public key at rest.

> An "entire mailbox" is only a few hundreds of MB or GB, and arrives incrementally. ... Storage itself is not a limitation.

I disagree. I'm using ~10 GB of storage for Gmail. I don't want that space used for mail on my phone. Or my laptop for that matter, which has only ~36 GB free at this point. I can't stick an SD card in my phone and if I could I wouldn't because it's slow.

> Unencrypted email can be indexed, the indexes encrypted, and transmitted to the client device.

It really can't. If the index is encrypted, then it can't be updated with new entries. So the best you can do is generate an inverted index per email and send that to the client to combine into a real index. But at that point, don't even bother because the client can probably index each email locally more cheaply than it can stream it from the server.

Given that most people are now using web clients, pushing indexing responsibility onto the client isn't remotely feasible. Imagine you log in from a new browser and GMail tries to push GBs into your localstorage and then your browser churns for hours trying to build the index.

> I'm not saying that the technical considerations here are simple, but the costs of failing to address them, quite literally the future of liberal democracy, are too high to not do so.

I think that's overstating it, mostly because adding a second key does not eliminate the social engineering weakness (maybe it's reduced). But also because I don't think leaked emails constitute the end of democracy.
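The per-message-index scheme described in the reply above, as an added illustration that is not from either commenter: the server builds a small inverted index for each message as it arrives (the unit that would be sealed to the user's key before transmission; the encryption wrapper itself is omitted here), and the client merges those units into a real posting-list index that stays updatable. The mailbox contents and all function names are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample mailbox (not from the thread).
MESSAGES = {
    "msg-1": "Subject: lunch\nAre we still on for lunch on Friday?",
    "msg-2": "Subject: invoice\nThe invoice for Friday is attached. Please pay by the 30th.",
    "msg-3": "Subject: re: lunch\nFriday works. See you at noon.",
}

TOKEN = re.compile(r"[a-z0-9]+")

def tokenize(text):
    return set(TOKEN.findall(text.lower()))

def per_message_index(msg_id, text):
    """Server side: an inverted index covering exactly one message."""
    return {"id": msg_id, "terms": sorted(tokenize(text))}

def serialize(index):
    # Wire format; in the scheme discussed, this blob is what would be encrypted.
    return json.dumps(index, separators=(",", ":")).encode()

class ClientIndex:
    """Client side: merges per-message units into a queryable posting-list index."""
    def __init__(self):
        self.postings = defaultdict(set)
        self.seen = set()

    def merge(self, blob):
        index = json.loads(blob.decode())
        if index["id"] in self.seen:   # idempotent: a redelivered unit changes nothing
            return
        self.seen.add(index["id"])
        for term in index["terms"]:
            self.postings[term].add(index["id"])

    def search(self, query):
        terms = tokenize(query)
        if not terms:
            return []
        return sorted(set.intersection(*(self.postings.get(t, set()) for t in terms)))

def full_index(messages):
    """Reference: the index a client would get by indexing plaintext locally."""
    postings = defaultdict(set)
    for msg_id, text in messages.items():
        for term in tokenize(text):
            postings[term].add(msg_id)
    return postings

def sync(messages):
    client = ClientIndex()
    for msg_id, text in messages.items():
        client.merge(serialize(per_message_index(msg_id, text)))
    return client
```

The merged index is identical to one built from the plaintext in a single pass, which is the comparison behind the reply's point that the client could just as well index locally.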


A thing is made auditable and verifiable by auditing and verifying it.

Google are already under at least one privacy-related consent decree.

https://techliberation.com/2011/03/30/the-ftc’s-google-buzz-...

https://www.ftc.gov/enforcement/cases-proceedings/102-3136/g...


And the same government that wants to tap everything and subpoena email accounts with little cause is going to enforce that Google makes it difficult/impossible to do those things?



