The security and privacy community was abuzz over the weekend after Google said it was open-sourcing E2Email, a Chrome plugin designed to ease the implementation and use of encrypted email. While this is welcome news, the project won't go anywhere if someone doesn't step up and take ownership of it.
Interest in secure communications has soared in recent years, and a number of tools bring end-to-end encryption to phone calls, text messaging, and online chats. However, almost three decades after the invention of PGP (Pretty Good Privacy), encrypted email still relies on command-line tools, plugins for IMAP-based email clients, or dedicated mail services such as ProtonMail and Lavabit, putting PGP out of reach for most individuals.
Consider how clunky it can be: A Gmail user can copy and paste the block encrypted in a different tool, and the recipient can do the same into a decryption tool to read the message. There's a reason why many security professionals don't use PGP -- including, at one point, its inventor, Phil Zimmerman.
Thus, when Google started its research on end-to-end encryption back in 2014 and released the JavaScript cryptographic library as open source shortly after, there was a lot of interest. The fact that E2Email is using this cryptographic library is a good sign for the extension's future.
As a Chrome extension, E2EMail integrates OpenPGP into Gmail, but doesn't turn the inbox into an encrypted email client. Instead, plugin displays a separate inbox in which only encrypted messages are visible, and all messages sent from this view are automatically signed and encrypted. The extension makes sure all cleartext of the message remains on the client and is never transmitted.
E2EMail is an intriguing attempt at solving the encrypted email challenge, except the current state of the project doesn't inspire a lot of confidence. The GitHub repository hasn't been updated in months, and the Chrome extension is still not ready for general use. It also doesn't appear that E2EMail was ever used internally by Google employees.
"E2Email is not a Google product, it's now a fully community-driven open source project, to which passionate security engineers from across the industry have already contributed," Google engineers KB Sriram, Eduardo Vela Nava, and Stephan Somogyi wrote in the blog post for the open source announcement.
This inactivity raises the possibility that the project has been abandoned internally, and open-sourcing is a last-ditch effort to keep some of the work alive. The Google engineers noted that future work would need integrate E2EMail with Key Transparency. A recently announced Google project to create a central repository for public cryptographic keys, Key Transparency tackles the problem of discovering and distributing public keys. Any effort that attempts to bring PGP to the masses will need the integration to be successful.
However, simply open-sourcing a project isn't enough to convince people to contribute time and code. It's a good way to increase visibility and awareness for a project, but if no one is taking on the leadership role to start discussions and clarify goals, then the efforts will peter out. Whether that leadership comes from a Google engineer or someone else doesn't matter. The open source world is littered with abandoned projects due to lack of interest, commitment, and direction. There's clearly interest in E2EMail, and it would be distressing if the project languishes because of the other two key elements.