The National Security Agency's snooping is about to get more difficult.
The tool, called End-to-End, uses an open-source encryption standard, OpenPGP, that will allow users to encrypt their email from the time it leaves their web browser until it is decrypted by the intended recipient. It will also allow users to easily read encrypted messages sent to their web mail service. The tool will require that users and their recipients use End-to-End or another encryption tool to send and read the contents.
This could be a major blow to the N.S.A. Despite numerous cryptographic advances over the past 20 years, end-to-end email encryption like PGP and GnuPG is still remarkably labor-intensive and require a great deal of technical expertise. User mistakes — not errors in the actual cryptography — often benefited the N.S.A. in its decade-long effort to foil encryption.
"It's important that the government not overstep," Eric Grosse, Google's chief of security, said in an interview last week. "We don't want any government breaking the security of the Internet."
Google's new tool may make the NSA and other intelligence agencies' jobs more difficult. While end-to-end encryption does not eliminate the potential for an attacker or government agency to read a target's messages, it forces them to hack directly into their computer to read messages rather than catching them in transit, or gathering them through a secret court order to their communications provider.
Speaking by videoconference at the South by Southwest conference in Austin, Tex., this year, Edward J. Snowden, the former N.S.A. contractor, challenged technologists to offer easier end-to-end encryption, saying it would result in a "more constitutional, more carefully overseen enforcement model."
Until now, technology companies have been hesitant to provide end-to-end encryption because it excludes companies like Google and Yahoo from gathering data from messages that can be sold for targeted advertising. None of the major technology providers have signed on to Dark Mail Alliance, a partnership announced last year by Silent Circle and Lavabit, two privacy-conscious communications providers, that offered companies like Microsoft, Google and Yahoo a new end-to-end encrypted email protocol.
Privacy activists have criticized Google and other companies for not supporting end-to-end encryption sooner.
"Google wants to sit between you and everyone you interact with and provide some kind of added value," Christopher Soghoian, the principal technologist of the American Civil Liberties Union, said on the SXSW panel with Mr. Snowden. "They want to be in that connection with you, and that makes it difficult to secure those connections."
But Google's announcement on Tuesday showed that the company has heard those concerns.
"We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection," Stephan Somogyi, a Google privacy and security product manager, wrote in a company blog post. "But we hope that the End-to-End extension will make it quicker and easier for people to get that extra layer of security should they need it."
It will take more time for users to put End-to-End into effect. On Tuesday, Google released the early draft of its open source End-to-End code for cryptographers, privacy activists and engineers to inspect for mistakes and back doors. Google's bug bounty program, called its Vulnerability Reward Program, offers security researchers money if they find security bugs in the code, for End-to-End and other products.
Separately, Google released new numbers on Tuesday in a report showing how far companies still need to go to secure user communications. Google automatically encrypts web traffic as it travels from its servers around the Internet, but if the communications provider on the other end does not also support encryption, then the communications aren't protected.
Google said 40 to 50 percent of emails sent between Gmail and other email providers are not encrypted. Less than 1 percent of traffic between Google and Comcast is encrypted, for example, while more than 95 percent of traffic between Google, Yahoo, Facebook, Twitter, Craigslist and Amazon remains encrypted.
Charlie Douglas, a Comcast spokesman, said the company was currently testing encryption with large websites and email providers and planned to turn on encryption with Google in a matter of weeks. He said Comcast engineers would be on a conference panel next week to discuss best practices and road maps for switching on encryption with other email providers as well.
"We are supportive of, and want to drive adoption of, encryption," Mr. Douglas said.
Microsoft, which announced earlier this year that it planned to switch on encryption by the end of the year, still has some work to do. Roughly only half the traffic between Google and Microsoft services like Hotmail stays encrypted.
Google's data will no doubt be used by privacy activists to shame companies that do not support encryption. And indeed, on Tuesday afternoon, Mr. Soghoian had already tweeted a link to Google's report. "They name," he wrote. "We shame."