May 14, 2013 at 6:21 PM ET
When will the cloak-and-dagger world learn? Or those of us trying to keep private things private? Gmail — or any Web-based email for that matter — does not guarantee privacy. To anyone.
The latest example of skullduggery gone awry involving the world's most popular email client was made public Tuesday, when Russia claimed an American diplomat was trying to recruit a Russian intelligence official to work for the CIA, and urged the potential recruit to set up a Gmail account through which they would communicate.
This has not worked well in other cases — at all. Former CIA Director David Petraeus resigned last year after it was discovered he was having an affair with Paula Broadwell, using a shared Gmail account to communicate. In recent years, Google itself accused China of spying on Chinese human rights activists who used Gmail, and the Gmail account of an Associated Press staffer was broken into in China in 2010. In the corporate world, a Netherlands company won a court order requiring Google to release information related to a Gmail "spybox" believed to be set up by a high-level company executive.
Gmail is now the world's largest Web-based email provider, according to comScore, followed by Yahoo, Microsoft's Hotmail (now Outlook), and China-based QQ.COM and Russia-based Mail.Ru.
"I have a Gmail account, but assume my email will be read at some point that I didn't intend," James Barnett, a retired U.S. Navy admiral and former chief of public safety and homeland security for the Federal Communications Commission, told NBC News.
He added: "I know people in the intelligence community who say they never surf the Web," much less use Web-based email.
Eddie Schwartz, vice president and chief information security officer at RSA, the security division of EMC, worked in information technology for the U.S. State Department before going into the private sector.
"Gmail certainly is a great tool for personal email," Schwartz told NBC News. "And Gmail offers a lot of excellent security features in terms of ways to both encrypt and authenticate email. The issue is, most people don't use those security features.
"They don't use, for example, the two-factor authentication in Gmail," which means providing two proofs of identity. One might be a password; the other a temporary code, sent to a cellphone or generated by an app.
"It's not a culpability of Gmail," Schwartz said. "Rank-and-file people, including high-profile individuals, don't understand the security features behind it. That's true for all Web-based email."
The Associated Press Tuesday translated the letter from Russian that Moscow says was used in the alleged recruiting. The document said in part:
To contact us again, please open a new Gmail account, which you will use only for communicating with us, in an Internet cafe or a cafe with a WiFi connection. When signing up, do not use any personal information that could be used to identify you and the new account. So do not offer any real contact information, i.e. your telephone numbers or other email addresses.
If Gmail asks for your personal information, please, start the registration process again and try not to give them any information. After you register the new inbox, send an email to the address unbacggdA(at)gmail.com, and then check the inbox again exactly one week later to see if you have received our reply.
Schwartz said there's a bigger issue for anyone considering communicating on the sly, or even just privately.
"Are the things we're doing on public-facing services, like Gmail or on social media, is that an appropriate forum for some of the things we're doing that may have a personal or sensitive nature, or a business nature, or a secret government nature? Should we really be conducting that kind of business over that kind of service?"