The security and privacy community was abuzz over the weekend after Google said it was open-sourcing E2Email, a Chrome plugin designed to ease the implementation and use of encrypted email. While this is welcome news, the project won’t go anywhere if someone doesn’t step up and take ownership of it.
Interest in secure communications has soared in recent years, and a number of tools bring end-to-end encryption to phone calls, text messaging, and online chats. However, almost three decades after the invention of PGP (Pretty Good Privacy), encrypted email still relies on command-line tools, plugins for IMAP-based email clients, or dedicated mail services such as ProtonMail and Lavabit, putting PGP out of reach for most individuals.
Consider how clunky it can be: A Gmail user can copy and paste the block encrypted in a different tool, and the recipient can do the same into a decryption tool to read the message. There’s a reason why — including, at one point, its inventor, .
, and open-sourcing is a last-ditch effort to keep some of the work alive. The Google engineers noted that future work would need integrate E2EMail with Key Transparency. A recently announced Google project to create a central repository for public cryptographic keys, Key Transparency tackles the problem of discovering and distributing public keys. Any effort that attempts to bring PGP to the masses will need the integration to be successful.
However, simply open-sourcing a project isn’t enough to convince people to contribute time and code. It’s a good way to increase visibility and awareness for a project, but if no one is taking on the leadership role to start discussions and clarify goals, then the efforts will peter out. Whether that leadership comes from a Google engineer or someone else doesn’t matter. The open source world is littered with abandoned projects due to lack of interest, commitment, and direction. There’s clearly interest in E2EMail, and it would be distressing if the project languishes because of the other two key elements.