Gmail's new 'Confidential Mode' is flawed and misleading
Google recently rolled out a big update to Gmail, introducing a number of welcome new features.
One of the big new additions is 'Confidential Mode', which you can enable from the compose window. This is designed to restrict how the emails you send can be viewed and shared, and you can also set an expiration date for messages. If you need to send and receive emails of a sensitive nature, then you might think this is the perfect solution. There’s just one problem -- messages sent using it aren’t confidential.
This isn’t just my opinion. The Electronic Frontier Foundation (EFF) says of the new feature:
At best, the new mode might create expectations that it fails to meet around security and privacy in Gmail. We fear that Confidential Mode will make it less likely for users to find and use other, more secure communication alternatives. And at worst, Confidential Mode will push users further into Google’s own walled garden while giving them what we believe are misleading assurances of privacy and security.
So what exactly is the problem with Confidential Mode? Well, for starters, the messages aren’t end-to-end encrypted, which means Google can read them, and the expiration date doesn’t mean anything to the search giant, which can store the messages indefinitely.
That’s not all. Google prevents recipients from printing and forwarding messages using IRM (Information Rights Management), but obviously the recipient can easily get around the restrictions by taking a screenshot or photo of the message. That isn’t the only problem with it, however. As the EFF explains:
The security properties of the system depend not on the tech, but instead on a Clinton-era copyright statute. Under Section 1201 of the 1998 Digital Millennium Copyright Act ("DMCA 1201"), making a commercial product that bypasses IRM is a potential felony, carrying a five-year prison sentence and a $500,000 fine for a first offense. DMCA 1201 is so broad and sloppily drafted that just revealing defects in Google IRM could land you in court.
We think that "security" products shouldn’t have to rely on the courts to enforce their supposed guarantees, but rather on technologies such as end-to-end encryption which provide actual mathematical assurances of confidentiality. We believe that using the term "Confidential Mode" for a feature that doesn’t provide confidentiality as that term is understood in infosec is misleading.
Messages with an expiration date also continue to live on in your sent folder.
As if all that wasn’t bad enough, the EFF points out that:
If you choose the "SMS passcode" option, your recipient will need a two-factor authentication-like code to read your email. Google generates and texts this code to your recipient, which means you might need to tell Google your recipient’s phone number -- potentially without your recipient’s consent.
If Google doesn’t already have that information, using the SMS passcode option effectively gives Google a new way to link two pieces of potentially identifying information: an email address and a phone number.
The EFF sums up its findings about the new mode thusly:
Ultimately, for the reasons we outlined above, in EFF’s opinion calling this new Gmail mode "confidential" is misleading. There is nothing confidential about unencrypted email in general and about Gmail’s new "Confidential Mode" in particular. While the new mode might make sense in narrow enterprise or company settings, it lacks the privacy guarantees and features to be considered a reliable secure communications option for most users.