58. SeeInternet Engineering Task Force, The Transport Layer Security (TLS) Protocol Version 1.2, (last visited Oct. 29, 2009). 59. Netcraft, January 2009 Web Server Survey, 01/16/january_2009_web_server_survey.html (noting that Apache is used by more than 50% of the servers on the web).
2010] CAUGHT IN THE CLOUD 377 downside is that [HTTPS encryption] can make your mail slower. Your computer has to do extra work to decrypt all that data, and encrypted data doesn’t travel across the internet as efficiently as unencrypted data. That’s why we leave the choice up to you.60For encryption to be a “choice,” Google’s customers would need to receive notice of the risks if they do not seek out this largely unadvertised option.61The company does not provide its customers with this information, and so it is unlikely that most users would believe that the issue of encryption protection for email is something they have affirmatively decided. However, while the company argues that this issue is one of choice, the company has forced encryption (with no option to turn it off) for users of some of its other products. Google’s Health service enables users to browse through and manage their private health information online. Google’s Voice service lets customers initiate VOIP phone calls, send text messages, and manage voicemail inboxes. However, unlike with its Docs, Spreadsheets and Calendar products, Google only provides access to Health and Voice via HTTPS encrypted communications sessions, perhaps recognizing the highly sensitive health and call record information users entrust to Google. Likewise, Google’s AdWords and AdSense products, which form the backbone of Google’s advertising business, can only be managed by customers using a secure HTTPS connection. In June 2009, 38 industry and academic experts from the fields of computer security, privacy, and law wrote an open letter to Google’s Chief Executive Officer to chastise the company for its poor HTTPS defaults (full disclosure: the author of this article was the author and organizer of that open letter).62Seven months later, the company enabled HTTPS encryption by default for all of its Gmail users, although users of its Docs, Spreadsheets and Calendar services must still proactively connect via a HTTPS based URL in order to protect their sessions against hijacking.6360. Rideout, supra note 57. 61. Appelbaum, supranote 42 (“[Google] currently does very little to educate its users, and the sparse information describing encryption options is hidden, and presented in terms that few members of the general public will understand.”). 62. Ryan Singel, Encrypt the Cloud, Security Luminaries Tell Google—Update, WIRED, June 16, 2009, (“Google is putting millions of users at risk of fraud from hackers and needs to enable encryption by default on its most popular web apps, including Gmail and Google Docs, a gaggle of security researchers told the search giant Tuesday in an open letter.”); see alsoAppelbaum, supranote 42.