Time to changeNurPhoto via Getty ImagesRepublished on February 11 with Googles statement on its latest AI update and further analysis on the implications for Gmail and other email platforms.With Google confirming that Gmail is under attack, warning users to change behaviors to stay safe, the stakes have rarely been higher. Fortunately, Google is pushing hard to upgrade Gmail for its 2.5 billion users, raising the bar for attackers. And while that means the usual server-side spam and malware protection, it also promises innovations like shielded email addresses this year to help stop the threat at source.But theres a glaring issue here email itself. This is a horribly archaic technology that has not really changed in a decade. Genuinely, where is the innovation and disruption? Our inboxes are still broadly open to anyone, anywhere. Spam and phishing remain a ridiculous problem, despite Google blocking more than 99.9% of it. The reality is that malicious emails still get through, despite obvious telltale signs. Yes, new AI-fueled threats will make everything worse, but its bad enough as it is.Email needs a rethink a total revamp. Something more akin to secure messaging, with consent-based contacts and aggressive filtering, rather than a modern interpretation of Microsoft Mail and Lotus Notes. Check out the video below from nearly twenty-years ago, and ask yourself how much has fundamentally changed.When Elon Musk teased that he might consider launching X-Mail as a disruptive alternative to Gmail, this is what he had in mind. Its the reason we turn to Slack or Teams or smartphone messaging apps instead of email. Less spam, shorter, snappier interfaces, more direct comms better aligned with how we work and play today. Even the concept of CCing lots of disinterested people into your emails has had its time.MORE FOR YOUAnd on the security front, Gmail and other leading email platforms are woefully far behind messaging. As I suggested last year, "we need a radically different approach:"On-device AI to flag spam and malicious email that beat central screening to reach inboxes. Too many emails make it though despite the email address and presentational sender address not matching, even when the the latter is a clear impersonation. How is it possible in 2024 that my inbox contains emails from Apple Support or X verification, when the senders have random email addresses such as sayio[at]hosai.co.jp.A better opt-in, known sender solutionmimicking secure messaging. Even the differentiation of trusted and unknown senders is too basic. Google has made email sender advances here, but its far from a wholesale solution. There needs to be better deployment of AI or an easy-button for user to opt into a trusted discussion and advocate for a sender.Rather than upping the ante centrally, email security needs to do a better front-end (device-side) job. This is where safe browsing and malware defenses are now heading, making use of new device AI processing. Email needs a complete rethink to do the same."We are seeing fast-paced innovation across edge devices to use private, on-device AI to make real-time calls as to when a message might be dangerous or spammy. For email, this would kill the fake Microsoft, X, Apple, FedEx, UPS, Google emails we get daily, but also the smaller volume, more targeted approaches. And its within reach. But the front-end apps and UIs need a start from scratch rethink. A device can use a unified approach to privately screen messages or emails on any platform, learning as it goes.With that in mind, look no further than Googles own new protections on Google Messages to help keep you safe. These were announced last October, and bring AI-powered filters and advanced security that protects users from 2 billion suspicious messages a month. And critically, these messaging innovations use on-device machine learning models to classify these scams, so your conversations stay private and the content is never sent to Google unless you report spam.GrapheneOS, which specializes in hardening Android, has raised the wider potential of the Android System SafetyCore app launched by Google that makes all this work. The app doesn't provide client-side scanning used to report things to Google or anyone else. It provides on-device machine learning models usable by applications to classify content as being spam, scams, malware, etc. This allows apps to check content locally without sharing it with a service and mark it with warnings for users.While its unfortunate that its not open source and released as part of the Android Open Source Project and the models also arent open let alone open source, meaning it will fail the transparency test for serious security applications, this approach can be adopted across multiple email platforms, in tandem with a new UI and consent-based approach to keep our inboxes locked beyond certain geographies or domains.This privacy-enhancing local screening as differentiated from the client side screening that has come in for significant criticism in the past is a game-changer. The Hacker News reports that Google has stepped in to clarify that a newly introduced Android System SafetyCore app does not perform any client-side scanning of content."In a statement provided to The Hacker News, a Google spokesperson explained that "Android provides many on-device protections that safeguard users against threats like malware, messaging spam and abuse protections, and phone scam protections, while preserving user privacy and keeping users in control of their data. SafetyCore is a new Google system service for Android 9+ devices that provides the on-device infrastructure for securely and privately performing classification to help users detect unwanted content. Users are in control over SafetyCore and SafetyCore only classifies specific content when an app requests it through an optionally enabled feature."As GrapheneOS says, Google Messages uses this new app to classify messages as spam, malware, nudity, etc. Nudity detection is an optional feature which blurs media detected as having nudity and makes accessing it require going through a dialog. Apps have been able to ship local AI models to do classification forever. Most apps do it remotely by sharing content with their servers. Many apps have already have client or server side detection of spam, malware, scams, nudity, etc. Classifying things like this is not the same as trying to detect illegal content and reporting it to a service. That would greatly violate peoples privacy in multiple ways and false positives would still exist. Its not what this is and its not usable for it."We are approaching a pivot-point with email. If it cant change, it cant work. In a world with AI-polished text and imagery, and tone crafted to mimic those we know or love, an open platform cannot be safe. Someone needs to grasp this nettle and take a different approach. I suspect only Google or Apple could do so. Whether its a new Gmail/email app or a more universal System SafetyCore style app, you do need a new app. And once that change is made, its inevitable that others will do the same. Id like to think that well see some form of device side AI defense this year, at least for smartphones, which will shift make protection more immediate and private and will finally eradicate the raft of emails that continue to break through the current dams.Unfortunately, Gmail attacks have never been more sophisticated and there are no signs yet of the server-side approach changing. And on the device AI side, Apples iOS 18 Mail upgrade has seriously failed to hit the mark. Were far from there yet.Whenever the subject of a wholesale change to email is brought up, it tends to bring out those that defend the incremental upgrades and improvements that platforms have made, rather than stepping back and looking at the technology set more widely. It remains an oddity that email has changed so little whereas our other communications mechanisms have been changed completely. Its time for this same, necessarily disruptive approach to be taken with email.Google has made strong progress with better securing Gmail through filtering and server-side AI and sender verification. But all of that is incremental. What hasnt yet happened in this new world of fully managed, cloud-based email platforms is that step-back review. Whats undoubtedly true is that given the immediacy of the world we now inhabit, and the fast-paced threat landscape we now face, if we were in a garage inventing the concept of email for the first time, we would not come up with anything akin to what we have now incremental improvements included.And while arguments made against this include the formality and auditibility and open access of email, I cant help but think these are just reactionary responses from an industry that wants to continue changing one nudge at a time. But if they wont disrupt, someone else eventually will. Thats why there was such a strong and interested response to X-mail when it was touted. And whether or not that ever comes to fruition, something will. Lets expedite that rethink now, please.