[onereplyac]

Depends, on an older phone, downloading all emails just to allow for searches locally won't be very efficient. Log out also becomes a problem, if emails are stored on one device that gets stolen, adversary now has access to the local index since all the keys or on the device usually with no FDE. Meanwhile with gmail a log-out would clear all traces instantly.

[amilich]

Also, not really true of Gmail. Try turning your WiFi off, then deleting your Gmail account. You might have mail stored offline on your phone (let alone any other device), as well as any IMAP or other clients. It's the same or worse.

[amilich]

Emails are downloaded when you receive them. Isn't that how email works?

[onereplyac]

Normal email proiders don't dowbload all emails whenever a user logs into a new device

[amilich]

We also don't do this. In a near future implementation you can just synchronize the end-to-end encrypted search index.

[raggi]

This step is what I was expecting you to talk about, and it has some tricky subtleties to get right, which is why I looked for it in the whitepaper.

A trivial problem with a naive implementation is being able to perform presence proofs using side channel information: send someone mail containing a terms you want to verify, and watch for the associated high level costs affecting operations that are likely to be incremental index change uploads.

[onereplyac2]

You mean you currently do this but plan not to in the future

[pseudalopex]

All common operating systems can encrypt keys or full disks.