[magicalist]

IMAP/POP3 has always been a gmail option, which allows local PGP use. Chrome sync allows you to set your own encryption passphrase (provided you trust the binary doing the encrypting...). You've been able to share encrypted files on google docs/drive since they added arbitrary file storage. Etc.

Chrome sync is probably the strongest example that I can think of fitting your criteria, since it's built into the product itself, but a lot of this just comes with the territory of web-based apps.

[mike-cardwell]

They haven't done anything there though... They've just provided a standard IMAP service, and a standard file syncing service...

When they provide an option in GMail for people to upload their public PGP keys, and then start encrypting email on the way in, and don't store any non-encrypted versions of those emails, and build PGP support into Chromium for accessing those emails. Then they will have done something worth noticing.

[jmillikin]

How would spam filtering or searching work in such a service?

[mike-cardwell]

Spam filtering:

  Step 1. Spam filter
  Step 2. Encrypt

Searching:

Client side tool which builds a local index as messages are decrypted to be read for the first time. The index is it's self encrypted and incrementally synced between clients.

That took me less than 5 seconds to think up. Google can spend time and money thinking up better solutions if they want to actually do something.

[jmillikin]

If there's any sort of processing on incoming data, then there's going to be a lot of unencrypted copies floating around in various caches and intermediate staging systems. A secure system requires encrypting the data right off the wire, before it's stored anywhere.

Search indexes are very large -- you don't want to double or triple the amount of storage your email client uses. Also, being able to search only mail that you've downloaded and decrypted is a terrible user experience. I'd estimate over 60% of the mail to my personal inbox is from some automated system, rather than directly from a human, and I typically don't look at them unless a search hits them.

It takes 5 seconds to think of solutions with terrible security and usability characteristics. Thinking of a system that will be a measurable improvement in security and will actually be used by people is much more difficult.

[mike-cardwell]

These are all easily solvable issues. But to get back to the point of this thread: Google has done nothing to help secure peoples email.

The fact that you can't identify any ways in which they could, or refuse to acknowledge them, or think they're too difficult for a multi-billion dollar company makes no difference to the point under discussion.