End to End Encryption

Dean_Mantz
Contributor

What are you folks encouraging users to communicate with others about topics that require end-to-end encryption? I understand that Google Chat does not provide E2E encryption, and I want to ensure that my end users only share PII or other student data on services with that protection. Thanks in advance for any insight! 

1 ACCEPTED SOLUTION

claycodes
Staff

Google's applications including Google Chat use End to End Encryption. https://services.google.com/fh/files/helpcenter/google_encryptionwp2016.pdf 

All data is encrypted in transit and at rest. 

Thank you, @claycodes for your response and the PDF link. I had read some research links that said it was not and wanted to confirm.

Can you provide the sources of this information so I may better advise?

Here is the first insight I received when searching for "Is Google Chat end to end encrypted?"

No, Google Chat is not end-to-end encrypted by default; however, if you are using Google Messages and both you and the recipient have RCS chat features enabled, your conversations will be end-to-end encrypted within the Google Messages app, which is considered part of the Google Chat service for certain functions. 
 
Key points about Google Chat and encryption:
  • Limited end-to-end encryption:
    Only specific Google Messages conversations with RCS chat features turned on will be fully end-to-end encrypted.
  • Not all Google Chat conversations are encrypted:
    Standard Google Chat conversations outside of the Google Messages app do not have end-to-end encryption.
     
When I read through https://support.google.com/messages/answer/10252671?hl=en , I thought Google Chat was different from Google Messages.

Google Chat != Messages

Yeah, that article is most likely talking about communication on the phone, where Messages actually exist.

--
https://wheretofind.me/@NoSubstitute

Thank you, @Kim_Nilsson 

Google Messages is not Google Chat. Google Messages is the Android Chat application. That content is referring to text-based RCS, which is not part of the Google Workspace.
Google Chat is an application on Google systems which follows the same Encryption standards as all our Google Workspace core applications. 

Kim_Nilsson
Admin Moderator

However, I must respectfully disagree with @claycodes a little here. While this is true, and very good.

"All data is encrypted in transit and at rest."

That is not the same as End to End Encryption (E2EE), as one very important factor with E2EE is the idea that the only parties able to access the communication in its clear text form are the sender and the recipient.

The data is encrypted before entering the communication channel and decrypted after leaving the channel, with no way to decrypt it in between the sender and recipient, and also not accessible by anyone else after the communication is concluded (that includes admins and systems).

Only the sender and recipient hold the keys necessary for encryption and decryption.

With Chat, one Workspace user to another, Google holds all the keys, which is also why you can read the conversation between your two users in Vault after it has taken place.

Now... most people don't actually need E2EE!

Not even when they say and think they do. They do need proper encrypted communication, though.

For that, Chat and Meet (AFAIK) do the trick. Encrypted communication, impossible for an outsider to access.

Even Gmail, with Hosted S/MIME (also not at all E2EE, not even with Client Side Encryption!!!, as someone else hosts the keys - albeit not Google) is encrypted communication, if the recipient also uses S/MIME.

So, you don't necessarily need a third-party system to be compliant. You just need to know what you are doing, and be able to articulate it when some silly security person tries to say you're doing it wrong.

OR... Everyone should always only use proper E2EE systems for all communication! 🙂

Then there would be no signals telling the eavesdropping agencies that this person over here is communicating over an encrypted channel, that looks suspicious.... 🙂

***

Personally, I moved my entire family, children, siblings and parents over to Signal a few years ago, when Facebook tried to force all WhatsApp users to have an FB account, which my father didn't have. Signal is a true E2EE service, for both individual and group communications. Not quite suited for organisations with hundreds of thousands of users, though, and not integrated with Docs and Sheets. 🙂

--
https://wheretofind.me/@NoSubstitute

I need to add that with CSE (client side encryption) it is technically possible for your organisation to hold the keys, and then make it 99% E2EE. It's just complex and probably cheaper to buy the key holding service.

--
https://wheretofind.me/@NoSubstitute
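
The key-holding distinction drawn in Kim_Nilsson's replies above, as an added example that is not part of the original thread and does not reproduce any vendor's implementation: a generic model of a service that holds the storage key beside one where only the two endpoints can derive the message key. The function names, the `e2ee-demo` label and the sample message are constructed for illustration; it uses only Node's built-in `crypto` module.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers shared by both models.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8'); // throws on wrong key
}

// Model A: "encrypted in transit and at rest". The transport leg ends at the
// service, which then encrypts storage with a key it holds itself.
function serviceHeldModel(message) {
  const serviceKey = crypto.randomBytes(32);       // held by the provider
  const stored = seal(serviceKey, message);
  return { stored, archiveView: open(serviceKey, stored) }; // admin/archive can read
}

// Model B: end-to-end. Each endpoint derives the key from its own private key
// and the peer's public key; the service only ever relays public keys and ciphertext.
function deriveKey(myPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'e2ee-demo', 32));
}
function endToEndModel(message) {
  const sender = crypto.generateKeyPairSync('x25519');
  const recipient = crypto.generateKeyPairSync('x25519');
  const relayed = seal(deriveKey(sender.privateKey, recipient.publicKey), message);

  // The service still has its own storage key, but that key is unrelated to
  // the endpoint-derived key, so its archive holds only opaque ciphertext.
  const serviceKey = crypto.randomBytes(32);
  let serviceCanRead = true;
  try { open(serviceKey, relayed); } catch { serviceCanRead = false; }

  const recipientView = open(deriveKey(recipient.privateKey, sender.publicKey), relayed);
  return { serviceCanRead, recipientView };
}

console.log(serviceHeldModel('constructed sample record').archiveView);
console.log(endToEndModel('constructed sample record'));
```
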