Wednesday, February 12, 2025

Google’s Gmail Upgrade—Why You Need A New App


With Google confirming that Gmail is under attack, warning users to change behaviors to stay safe, the stakes have rarely been higher. Fortunately, Google is pushing hard to upgrade Gmail for its 2.5 billion users, raising the bar for attackers. And while that means the usual server-side spam and malware protection, it also promises innovations like shielded email addresses this year to help stop the threat at source.


But there’s a glaring issue here — email itself. This is a horribly archaic technology that has not really changed in a decade. Genuinely, where is the innovation and disruption? Our inboxes are still broadly open to anyone, anywhere. Spam and phishing remain a ridiculous problem, despite Google blocking “more than 99.9%” of it. The reality is that malicious emails still get through, despite obvious telltale signs. Yes, new AI-fueled threats will make everything worse, but it’s bad enough as it is.

Email needs a rethink — a total revamp. Something more akin to secure messaging, with consent-based contacts and aggressive filtering, rather than a modern interpretation of Microsoft Mail and Lotus Notes. Check out the video below from nearly twenty years ago, and ask yourself how much has fundamentally changed.

When Elon Musk teased that he might consider launching X-Mail as a disruptive alternative to Gmail, this is what he had in mind. It’s the reason we turn to Slack or Teams or smartphone messaging apps instead of email. Less spam, shorter, snappier interfaces, more direct comms better aligned with how we work and play today. Even the concept of CCing lots of disinterested people into your emails has had its time.

And on the security front, Gmail and other leading email platforms are woefully far behind messaging. As I suggested last year, “we need a radically different approach:

  1. “On-device AI to flag spam and malicious email that beat central screening to reach inboxes. Too many emails make it through despite the email address and presentational “sender” address not matching, even when the latter is a clear impersonation. How is it possible in 2024 that my inbox contains emails from ‘Apple Support’ or ‘X verification,’ when the senders have random email addresses such as ‘sayio[at]hosai.co.jp’?
  2. A better opt-in, known sender solution—mimicking secure messaging. Even the differentiation of trusted and unknown senders is too basic. Google has made email sender advances here, but it’s far from a wholesale solution. There needs to be better deployment of AI or an easy-button for users to opt into a trusted discussion and advocate for a sender.
  3. Rather than upping the ante centrally, email security needs to do a better front-end (device-side) job. This is where safe browsing and malware defenses are now heading, making use of new device AI processing. Email needs a complete rethink to do the same.”

We are seeing fast-paced innovation across edge devices to use private, on-device AI to make real-time calls as to when a message might be dangerous or spammy. For email, this would kill the fake Microsoft, X, Apple, FedEx, UPS, Google emails we get daily, but also the smaller-volume, more targeted approaches. And it’s within reach. But the front-end apps and UIs need a start-from-scratch rethink. A device can use a unified approach to privately screen messages or emails on any platform, learning as it goes.
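The display-name mismatch described above can be checked locally with plain header parsing, before any model is involved. The sketch below is an added example, not code from Google or from this article; the brand-to-domain table and the sample headers are constructed assumptions.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumed brand -> legitimate sending domains; illustrative, not a vetted list.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "x": {"x.com"},
}

def domain_allowed(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_sender(from_header):
    """Classify a raw From: header as ok / impersonation / unknown."""
    display, addr = parseaddr(from_header)
    # Decode RFC 2047 encoded-words so an encoded name cannot hide the brand.
    display = str(make_header(decode_header(display)))
    domain = addr.rpartition("@")[2].lower()
    # Whole-word match: "Startups" must not trigger the "ups" brand.
    words = set(re.findall(r"[a-z0-9]+", display.lower()))
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in words:
            verdict = "ok" if domain_allowed(domain, allowed) else "impersonation"
            return verdict, brand
    return "unknown", None

# Constructed sample headers (not real mail).
SAMPLES = [
    "Apple Support <kq81@random-sender.example>",
    "Apple Support <noreply@email.apple.com>",
    "=?UTF-8?B?QXBwbGUgU3VwcG9ydA==?= <id@apple.com.account-check.example>",
    "X verification <verify@random-sender.example>",
    "Startups Weekly <news@startups-weekly.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_sender(header), header)
```

Look-alike characters in the display name and mail sent from a compromised legitimate domain are outside what this header check can see.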

With that in mind, look no further than Google’s own “new protections on Google Messages to help keep you safe.” These were announced last October, and bring “AI-powered filters and advanced security that protects users from 2 billion suspicious messages a month.” And critically, these messaging innovations “use on-device machine learning models to classify these scams, so your conversations stay private and the content is never sent to Google unless you report spam.”

GrapheneOS, which specializes in hardening Android, has raised the wider potential of the Android System SafetyCore app launched by Google that makes all this work. “The app doesn’t provide client-side scanning used to report things to Google or anyone else. It provides on-device machine learning models usable by applications to classify content as being spam, scams, malware, etc. This allows apps to check content locally without sharing it with a service and mark it with warnings for users.”

While “it’s unfortunate that it’s not open source and released as part of the Android Open Source Project and the models also aren’t open let alone open source,” meaning it will fail the transparency test for serious security applications, this approach can be adopted across multiple email platforms, in tandem with a new UI and consent-based approach to keep our inboxes locked beyond certain geographies or domains.


We are approaching a pivot-point with email. If it can’t change, it can’t work. In a world with AI-polished text and imagery, and tone crafted to mimic those we know or love, an open platform cannot be safe. Someone needs to grasp this nettle and take a different approach. I suspect only Google or Apple could do so. Whether it’s a new Gmail/email app or a more universal “System SafetyCore” style app, you do need a new app.

Unfortunately, Gmail attacks have never been more sophisticated and there are no signs yet of the server-side approach changing. And on the device AI side, Apple’s iOS 18 Mail upgrade has seriously failed to hit the mark. We’re far from there yet.

Let’s expedite that rethink now, please.
