Schmidt was speaking at a recent event at Stanford University where he and Condoleezza Rice, the former US secretary of state and current Stanford professor of political science, addressed congressional employees on cyber security and the risks facing online users.
Following recent announcements from Google and Yahoo that both are committing to encrypting webmail traffic end to end, it was perhaps little surprise that Schmidt suggested that technology – rather than legislation – will win out as users increasingly look for ways to protect their online activities.
“Everything is going to have to be encrypted all the way,” said Schmidt, in comments first reported by the Stanford news website.
He went on to say that unbreakable end-to-end encryption – where data leaving the browser is encrypted until decrypted by the intended recipient – may be possible “within our lifetime” and added, somewhat confusingly considering the recent launch of Google Glass, that voice, text and face recognition by cameras and computers could pose a privacy threat in years to come.
In the UK, the Information Commissioner's Office has already warned that wearable devices like Glass may contravene data protection laws.
Schmidt's conversation with Rice was part of Stanford's inaugural week-long cyber security boot camp for ‘key congressional staffers who deal with cyber security issues’. One of the participants was Larry Kramer, former dean of Stanford Law School and current president of the William and Flora Hewlett Foundation, who spoke about the foundation's new US$20 million initiative on countering cyber threats against the government, businesses and individuals.
End-to-end encryption has been available for many years in the shape of PGP for email, OTR for instant messaging and the likes of Tresorit for cloud storage, but these do not always guarantee complete security, with some having exploitable backdoors.
Google and Yahoo recently committed to offering encrypted end-to-end webmail following the Edward Snowden revelations. Google currently provides a Chrome extension (called ‘End-to-End’) that uses the open-source OpenPGP, while Yahoo CISO Alex Stamos told Black Hat attendees that this will be possible next year. This is part of a collaborative effort between the two firms, which – as well as allowing Yahoo Mail users to send and receive encrypted messages from Yahoo and Gmail users, for example – will also work together on a PGP encryption tool that will encrypt data contained in messages, but not the sender/receiver's email addresses or the subject line.
Schmidt's comments received praise in some quarters of the industry, although ACLU privacy researcher Christopher Soghoian criticised Google for having no default encryption on the Android operating system.
“Now that Eric Schmidt loves crypto, perhaps he should talk to the Android team, which still doesn't use encryption crypto by default,” he said on Twitter.
George Anderson, director at security firm Webroot, added in an email to SCMagazineUK.com that encryption alone ‘cannot guarantee complete security’ – as evidenced by Lavabit giving over encryption keys to the US government – and said that an unbreakable code is unlikely in the short term.
“There is a lot of work to be done before the industry is able to create an ‘unbreakable’ code. While it's true encryption will raise the barrier to immediate access to sensitive data by the man in the street, it will not stop state actors or equally well resourced cyber-criminals. Organisations that need absolute security for compliance or sensitive data reasons must take a layered approach, using encryption to help put them on a more equal playing field with hackers,” said Anderson.
Rowland Johnson, CEO at security consultancy Nettitude, added in an email to SC that encryption deployments are on the rise.
“It's certainly true that encryption deployments are on the rise. We are seeing increasing demand for encryption from our own clients, which today more than ever recognise that if they have data worth stealing, they need to do everything possible to protect it,” Johnson said.
“This has perhaps been helped by the fact that encryption technology has become more advanced in recent years, and now has less of an impact on the system performance and working practices. Therefore, it's possible for firms to encrypt far more of their data than they used to, whether it's at rest or on the move.”
He added: “If encryption technology continues to evolve at this pace then Eric Schmidt's prediction of end-to-end encryption within our lifetime may come true, but it's a bold statement to say it'll be unbreakable. If there's one thing we've all learnt from recent hacks and cyber-attacks it's that the ‘bad guys’ are usually one step ahead of security vendors and their customers, and are successfully breaking into networks that were deemed secure.”
Crypto expert Bruce Schneier has previously cast doubt on claims of ‘unbreakable’ encryption, suggesting that such terms are often bandied around by people who have done little work in the field.
Considering similar claims from Lancaster University in April – where researchers claimed to have found following the way human lungs and hearts constantly communicate with each other – Schneier said:
“Regularly, someone from outside cryptography -- who has no idea how crypto works -- pops up and says ‘hey, I can solve their problems.’ Invariably, they make some trivial encryption scheme because they don't know better.
“Remember: anyone can create a cryptosystem that he himself cannot break.”