Google Confirms Gmail Update Choice—3 Billion Users Must Now Decide

Exciting update or privacy nightmare—it's up to you now.

Gmail needs a rethink, as do Outlook, Apple Mail, and other email platforms. The driver for this is AI — and not in a good way.

Symantec, Cofense and most recently Hoxhunt warn that unbeatable AI attacks are now inevitable, as the best known large language models (LLMs) design, develop and even execute attacks. But Gmail users also face a more immediate decision, given a critical problem with its most recent updates. Hoxhunt says “AI agents can now out-phish elite human red teams, at scale,” which means mass customization as spear phishing attacks tailored to a particular victim become the norm.



Google, Microsoft and others say they catch “more than 99%” of the spam, phishing and malware targeting inboxes. And yet millions of messages still get through before today’s trickle of AI attacks becomes an unstoppable tidal wave. This is why I’ve argued email needs a fundamental change, not evolutionary add-ons.

A change to better replicate the immediacy and brevity of the messaging platforms pulling users away from email, both in and out of the workplace. A change to leverage private and secure on-device filtering and threat defense. And a change with security built in, not added on. Again, as we now expect from other comms platforms.

Email can’t be adjusted to fit, it needs that rethink. And while many of Gmail’s recent innovations are welcomed — enhanced sender authentication, cloud-based AI filtering, and (in development) shielded addresses, its two most recent updates show the challenge in building on what we have today.

This month, Google confirmed it is “making end-to-end encrypted emails easy to use for all organizations” which use Gmail. This delivers the table stakes security we rely on with voice and video comms and with messaging. But it’s harder with email’s wide open architecture.

That’s why this change is coming first to enterprises. Ars Technica and others have qualified the excitement that quickly followed Google’s game-changing announcement: “Gmail unveils end-to-end encrypted messages. Only thing is: It’s not true E2EE.” The reason being that the keys protecting the secure email traffic sit within the client-side infrastructure, not within the actual “end.”

As Ars Technica warns, “the new feature is of potential value to organizations that must comply with onerous regulations mandating end-to-end encryption. It most definitely isn’t suitable for consumers or anyone who wants sole control over the messages they send. Privacy advocates, take note.”

True end-to-end encryption (E2EE) sits within the client itself, managing key exchange between sender and recipient. The only way to deliver E2EE email is a walled garden such as Proton, which relies on manually password protecting emails sent outside.

With Meta’s third-party chats and GSMA’s RCS E2EE update, we will see (almost) full E2EE between different walled gardens. RCS “will be the first large-scale messaging service to support interoperable E2EE between client implementations from different providers.” There is no direct read across to email of course. But it moves the bar.

Gmail is secured with Workspace’s Client Side Encryption (CSE), which keeps an "organization’s data private with end-to-end encryption that Google servers and third parties can’t decrypt, giving [an] organization greater control over access to its data. CSE is especially beneficial for organizations that store sensitive or regulated data, like IP, healthcare records, or financial data," not person-to-person comms.

And this brings us to the second innovation. AI-based relevancy search. Ten days before Gmail’s quasi E2EE, Google announced “Gmail is rolling out a smarter search feature powered by AI to show you the most relevant results, faster. ... Search results now factor in elements like recency, most-clicked emails and frequent contacts. With this update, emails you’re looking for are far more likely to be at the top of your search results.”

Using this is in itself a decision for users, given it lets AI loose on your data. On which, Google told me “our priority is respecting our users’ privacy while giving them choice and control over their data. To that end, this particular tool is one of the ‘smart features’ that users can control in their personalization settings.”

E2EE and AI search don’t work together, because they’re both wraps around a legacy comms architecture rather than one built for the world we live in today. Google confirmed to me that E2EE messages “are completely excluded” from AI search. “We do not have the key to decrypt, so we literally cannot read the message.” That’s as it should be, but you can see the problem from a user perspective. Two new headline features don’t work together.

Email is a fundamentally insecure platform to which we’re adding AI, and that AI comes with new privacy expectations that email can’t deliver. This is why so much enterprise and personal comms has moved from email to messaging. Cue that rethink.

Meanwhile, you have a decision to make.