Privacy experts concerned over Google cloud services

Necessary security is not turned on in default settings, claim experts

Gmail does not use https by default

A number of high-profile privacy and information security experts have written to Google chief executive Eric Schmidt demanding the search firm change its privacy settings to improve users' security.

They are concerned that Google's default privacy settings for some of its cloud-based services are not adequate.

The letter says: "We write to you today to express our concern that many users of Google’s cloud-based services are needlessly exposed to an array of privacy and security risks."

Unless a user enables specific security options any email, document, spreadsheet, presentation and calendar plan is transferred to Google’s servers without encryption.

The letter adds: "We ask you to increase users’ security and privacy protection by enabling by default transport-level encryption (HTTPS) for Google Mail, Docs and Calendar, a technology already enabled by default for Google Voice, Health, AdWords and AdSense."

Widely available tools known as packet sniffers make it easy for even amateur hackers to intercept users’ confidential files and communications as they are transmitted between a user’s laptop or handheld device and Google’s servers, if security options are not enabled.

Users can easily "enable" these security option by ticking the "always use https" option in the settings tab.

But as the letter points out, few will be aware of this option.

In 2008, a year after first being notified of the flaw, Google announced the release of a new configuration option in Gmail to protect authentication cookies and to force the use of HTTPS for Gmail sessions, but switched the option to " off" by default.

Users of Microsoft Hotmail, Yahoo Mail, Facebook and MySpace are also vulnerable to these attacks, and have no option to switch to https.