Google urged to encrypt services by security experts

A group of 38 security and privacy researchers and academics have sent a letter to Google urging it to improve the security and privacy protection of its cloud-based services.

The open letter asked Google to enable default transport-level encryption (HTTPS) for Google Mail, Docs and Calendar. The technology already works on Google Voice, AdWords and AdSense.

It also claimed that Google's default settings put customers at risk unnecessarily. Although services are protected with user names and passwords, files are transferred to Google's servers "in the clear", potentially making it easier for hackers to steal the information.

"Google uses Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers' login information," the letter stated.

"However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar."

The letter continued: "As a result, anyone who uses these Google services from a public connection faces a real risk of data theft and snooping, even by unsophisticated hackers."

The letter was co-signed by experts including BT chief security technology officer Bruce Schneier, University of Cambridge security researcher Richard Clayton, and Black Hat founder and director Jeff Moss.

In response, Google software engineer Alma Whitten said on the company's security blog that HTTPS was already offered as an option on Gmail. She added that Google was looking at whether it would make sense to turn it on as a default option.

"In this case, the additional cost of offering HTTPS isn't holding us back," she said.

"But we want to more completely understand the impact on people's experience, analyse the data, and make sure there are no negative effects. Ideally we'd like this on by default for all connections, and we're investigating the trade-offs, since there are some downsides to HTTPS: in some cases it makes certain actions slower."

She added that Google was planning a trial where it would move small samples of Gmail users to HTTPS to see what their experience was like, and whether it affected email performance.