Google responds to security concerns over online apps

HTTPS should be opt-out, rather than opt-in, for services such as Google Docs

Google chief executive Eric Schmitt has responded to questions about the security of the search firm's online applications.

A group of 38 computer scientists, law professors and security experts highlighted their concerns in an open letter to Schmitt, claiming that default settings put customers at risk unnecessarily.

"Google's services protect usernames and passwords from interception and theft. However, when a user composes email, documents, spreadsheets, presentations and calendar plans, this potentially sensitive content is transferred to Google's servers in the clear, allowing anyone with the right tools to steal that information," the letter reads.

Signed by such luminaries as Dr Ian Brown, from the Oxford Internet Institute, Jeff Moss, founder of the Defcon hacking conference, and Bruce Schneier, chief security officer for the BT Group, the letter urges Google to make HTTPS opt-out rather than opt-in, and to increase the visibility of encryption services.

Google has been quick to respond to the criticism. In under 24 hours the company had replied on the Google online security blog with a promise to introduce HTTPS into all Google apps as soon as possible.

"We are planning a trial in which we will move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their email," said Alma Whitten, a software engineer in Google's Security and Privacy teams.

"Unless there are negative effects on the user experience, or it is otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users. We are also considering how to make this work best for other apps, including Google Docs and Google Calendar."