In "Yahoo, Google Envision Spy-Free Emails" the Wall Street Journal writes that Yahoo is joining Google (and potentially Microsoft) to provide end-to-end email encryption. The goal is to have "spy-proof email", clearly a response to revelations of various government agencies' widespread email analysis.
There are two major issues that must be considered. First, as the Journal reports:
The tool will rely on a version of PGP encryption, a long-tested way of scrambling data that hasn't yet been cracked. Unlike traditional webmail services that rely on tech companies holding passwords and usernames for consumer accounts, PGP relies on users having their own encryption key stored on laptops, tablets and smartphones.
PGP has been around for decades. I first used it with UNIX command-line mail programs (in the early 1990s?). Currently I have the GPG (very similar to PGP) extension for Mac Mail. The problem isn't the core technology. It is usability. Simply providing the capability won't change anything. Providing the capability so that mere mortals (i.e., not the typical Google employee) can easily turn it on and use it without friction will be the challenge.
Second, if these major email providers can make end-to-end encryption easy to use, what effect will it have on organizations' security infrastructures?
Many network-based IDS signatures, next-generation firewalls, data loss prevention systems, and other in-network security technologies all presume visibility into the traffic they inspect. End-to-end encryption not only stops government spies from reading your content; it also blinds many of your own security tools to that same content.
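To make that loss of visibility concrete, here is an added example (not from the original post) of a toy DLP-style scanner: it finds sensitive patterns in a plaintext message, but can only report a PGP/MIME (RFC 3156) or inline-armored message as opaque, which is still useful for detecting and inventorying encrypted mail in your flow. The patterns and sample messages are constructed, and the armored block is a placeholder rather than real ciphertext.

```python
import re
from email import message_from_string

# Constructed DLP patterns: a US SSN and a 16-digit card number.
SENSITIVE = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
             "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")}

def is_pgp_encrypted(msg) -> bool:
    """True for PGP/MIME (RFC 3156) or inline ASCII-armored PGP mail."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return True
    return any(b"-----BEGIN PGP MESSAGE-----" in (p.get_payload(decode=True) or b"")
               for p in msg.walk() if p.get_content_type() == "text/plain")

def scan_message(raw: str) -> dict:
    """Verdict 'sensitive' (with categories), 'clean', or 'opaque' when the
    body is end-to-end encrypted and content inspection is impossible."""
    msg = message_from_string(raw)
    if is_pgp_encrypted(msg):
        return {"verdict": "opaque", "matches": []}
    hits = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            hits.update(n for n, rx in SENSITIVE.items() if rx.search(text))
    return {"verdict": "sensitive" if hits else "clean", "matches": sorted(hits)}

# Constructed sample messages; the armored block is a placeholder, not ciphertext.
PLAINTEXT_MAIL = """Subject: payroll
Content-Type: text/plain

Bob, the SSN on file is 123-45-6789.
"""

ENCRYPTED_MAIL = """Subject: payroll
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
PLACEHOLDERnotRealCiphertext==
-----END PGP MESSAGE-----
--b1--
"""
```

An "opaque" verdict is the decision point the post is asking about: the tool cannot say whether the message is clean, so the organization must decide in advance whether to allow, block, or log it.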
Organizations should begin thinking, "What if Google, Yahoo, and Microsoft are successful, and end-to-end encryption becomes commonplace in 2-3 years?" What is your plan?