How secure or private is Gmail's new confidential mode? - gHacks Tech News

How secure or private is Gmail's new confidential mode?

Google launched a redesign of the Gmail web interface last month. The the focus of the update was to bring the interface in line with other Google products.

While the update was cosmetic at its core, Google did introduce several new features to the web interface such as direct access to attachments or a new confidential mode for emails.

Confidential mode sounds like a business-only feature but it is available for home and business users alike on Gmail. But what is it?

Confidential mode on Gmail adds access restrictions to emails that you sent using the mode. Designed to protect sensitive information, it enables you to set time limits and passcodes. The mode blocks certain actions, forwarding, copy and paste, downloading of the email, and printing as well automatically.

Using Confidential mode on Gmail

gmail confidential mode

It is simple to make certain emails on Gmail confidential. All you need to do is compose a new email or reply to one, and click on the new "confidential mode" icon in the send button row of the compose interface.

A click on the icon opens the confidential mode configuration overlay which gives you two options:

  1. Set an expiration date for the email. Available options are 1 day, 1 week, 1 month, 3 months and 5 years. The expiration date is displayed next to the selection menu so that you know immediately when the email expires.
  2. Enable the SMS passcode feature. Recipients need a mobile phone for that and Google will sent recipients a passcode text message which they need to unlock the email.

Gmail highlights confidential mode by adding a "content expires" message to the email. You can edit the requirement or click on the x-icon to remove it again before you hit the send button.

gmail passcode email expiration

What happens when you hit send? If you selected the passcode option, you are asked to type the phone number of the recipient. This is mandatory and the only option that you have when you don't want to enter the phone number or don't have it is to go back to the compose window to remove the passcode requirement.

What happens when you type the wrong phone number? Nothing at first, Google accepts any number at this stage.

File attachments are not supported by the mode and you will receive a warning when you have selected confidential mode and added an attachment to the email. Your options are to disable confidential mode or remove the file attachment.

The email that you receive does not contain the message. Google uses the selected subject and shows the sender of the email, but instead of displaying the content, it informs you that you have received a confidential email which you can only open on Gmail directly.

In other words: Google sends you a notification by email that a confidential email was sent to you and that you may click on the link to open it.

If you are not a Google user, you are asked to sign in to a Google account to continue and view the email message.

You can sign in to any Google account at this point in time (if the recipient email address is not a Google account). If passcode was enabled during setup, you are informed that a one-time passcode will be sent to the phone number the sender entered during setup.

You can only select "send passcode" and see only the last two digits of the phone number. There is no option to change the phone number; if it is wrong, you cannot open the email and it will expire eventually unread.

How secure and private is the whole thing?

The short answer: it depends. Gmail's confidential mode protects the email by not sending it to the recipient directly. The same result -- that the email cannot be read during transit -- can be achieved with secure email providers or using encryption technology such as PGP.

The actual implementation blocks some options to download, copy or share messages but it does not protect against all. It is still possible to create a screenshot of the email and print it that way, write it down, or take a photo of the computer screen using any camera.

There is another issue that needs to be addressed. Recipients get an email with a link asking them to click on the link and even sign in to a Google account if they are not already to view it. If that does not sound a lot like phishing I don't know what does.

Recipients may not want to click on the links. Ironically, attackers who use phishing as an attack vector may exploit the new functionality to steal user credentials.

Closing Words

Gmail's Confidential mode feature is not the right option when you need to send confidential messages to others. Email is not the right format for confidential messages unless you use PGP or another secure form of communication.

Now You: What's your take on Gmail's confidential mode feature?

Summary
How secure or private is Gmail's new confidential mode?
Article Name
How secure or private is Gmail's new confidential mode?
Description
Google introduced Confidential mode recently on Gmail promising that it would enable users of the service to send confidential messages securely and privately to recipients.
Author
Publisher
Ghacks Technology News
Logo

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. John Fenderson said on May 11, 2018 at 3:58 pm
    Reply

    So it’s not actually email, then, and I can think of a whole bunch of ways to bypass the “security”. Personally, if I receive one of these, I’ll just have to tell the sender that I can’t see whatever it is that they sent. I’m certainly not going to give Google my cell phone number or log in to see a message.

    1. Anonee said on May 12, 2018 at 12:51 am
      Reply

      You need to read the article again.
      It’s not YOU who hands over your phone number, it’s the SENDER who does so.
      So that means that if your friend/coworker/whatever sends you a confidential email and uses the SMS option then Google already has your phone number now, even if you choose not to open the link.

      1. John Fenderson said on May 12, 2018 at 5:28 pm
        Reply

        Yes, you’re right. Fortunately, the people who have my cellphone number already know that if they were to do such a thing, I’d be angry about it.

    2. dark said on May 12, 2018 at 2:19 pm
      Reply

      We are going to need decentralized email service based on bitcoin/blockchain/ethereum technology that can rival Gmail.

      1. John Fenderson said on May 12, 2018 at 5:26 pm
        Reply

        The email system is already decentralized. All people have to do is to stop using GMail. At least in my social circle, that change is mostly complete. Most of the people I know who used GMail in the past no longer do so.

        Which is good for me! I avoid sending emails to Gmail accounts as much as possible, and if I have to, then I tend to keep them as brief as possible.

  2. basicuser said on May 11, 2018 at 7:23 pm
    Reply

    Evidently, Google doesn’t think linking phone numbers and email is a privacy/security issue. A bit ironic for a security feature.

    So basically, this is a new way to reap mobile phone numbers and link them to email accounts. It also pressures those without a Google account to “sign up”.

    1. John Fenderson said on May 11, 2018 at 11:06 pm
      Reply

      Google doesn’t believe that there is any security issue with giving them data. It’s a fiction they must maintain since, like Facebook, their entire business model depends on gathering as much surveillance of the general public as they can get.

  3. Fizziebaunz said on May 11, 2018 at 7:31 pm
    Reply

    Seems like this is the reason why I have been constantly asked to verify my email via phone the last couple of days. Not all of us are willing to connect our email addresses and phone numbers.

  4. Mikhoul said on May 11, 2018 at 10:31 pm
    Reply

    Even if I work as I IT I don’t have a cellphone, I don’t need it at all I only have a landline and a phone that I use as a camera or agenda and on the wifi sometime.

    If someone need to reach me I have a voicemail and they just have to leave message I don’t really need that anybody reach me when I’m not at my desk.

    So I could even not receive one of those message even if I wanted 😜

  5. Adam Smith said on May 11, 2018 at 11:44 pm
    Reply

    Thank you for the very informative article

    This is the trend in technology:

    New features:
    1)Are no improvement over the existing ones
    2)Likely to reduce rather than improve productivity
    3)Fundamentally seek to change your workflow without enough research to see if the feature is actually wanted
    4)Change for change sake, and poorly thought out
    5)No longer optional

    The Confidential mode, asking the recipient to log in, is exactly like a phishing scam, and the risk is that you will send an email that will never be opened

  6. Adam Smith said on May 11, 2018 at 11:49 pm
    Reply

    We need to push back against technology companies and their increasingly intrusive motives

    As someone else has posted, this new Confidential email feature is possibly a way to force every one to link and provide both an email address and a cell phone number
    It is also a way to force nonGmail users to sign up, to receive the Confidential email

    Lets invent a technical term that indicates a feature that compromises security, for example “A trojan feature”
    This Confidential email feature is a “trojan feature” which seeks to mine a lot of linked email addresses/cell phone numbers

    It seems a very clunky solution to ensuring emails remain confidential, and I would have expected more from the Google research team

    But then again, putting “Confidential” and “Email” in the one sentence is a nonsense in this era

  7. ULBoom said on May 12, 2018 at 12:44 am
    Reply

    Seems lately with all the weird mistakes in software updates that no one’s vetting any of this stuff. This thing is a non-starter, encryption’s already available in gmail, it’s easier to use than this and there’s no attempt to get recipients’ data.

    I refuse to give google my phone number, it’s not needed for anything, all it does is increase spam phone calls; I’d never give it out to read an email. Delete. :)

  8. Wayfarer said on May 12, 2018 at 12:59 am
    Reply

    Not a question of whether or not it’s confidential. Totally a question of how far we believe Google that it’s confidential.

    My email for this posting is Gmail – but I wouldn’t dream on transmitting anything confidential over the service – I use a Proton account for such things.

    Personally, I wouldn’t take Gmail’s word for privacy – normal or with this enhanced service – if they had both hands, both feet, and both bum-cheeks on Bibles.

  9. Mola Ram, CEO Microsoft said on May 12, 2018 at 3:12 am
    Reply

    Google… privacy? LOL

    1. John Fenderson said on May 13, 2018 at 4:45 am
      Reply

      @Mola Ram

      Glass houses, Microsoft, glass houses.

  10. Chris said on May 12, 2018 at 4:58 am
    Reply

    Google’s incessant desire to collect everyone’s phone numbers is getting old.

  11. buck said on May 12, 2018 at 6:32 am
    Reply

    Google’s entire business model is data collection.

    It is why the company exists.

    People are really surprised their email data is not private?

    Really?

    Use services like ProtonMail, Tutanota or Lavabit if you truly value your privacy.

    If you don’t care about privacy then use Google, but FFS don’t compain about it.

    I am luckily of an age where I have never directly used any google services.

    1. Klaas Vaak said on May 12, 2018 at 3:58 pm
      Reply

      Lavabit was closed down after Snowden fled.

      1. John Fenderson said on May 16, 2018 at 7:30 pm
        Reply

        “Use services like ProtonMail, Tutanota or Lavabit if you truly value your privacy.”

        All of those options are better than GMail, but I would argue that if you truly value your privacy then you should be running your own mailserver rather than using someone else’s. It’s pretty easy to do these days.

  12. Sebas said on May 12, 2018 at 7:51 am
    Reply

    People are blissfully ignorant. I know a police officer, who is heavily criticizing the Dutch government for it’s policy regarding immigrants, is using Gmail and Facebook. That has nearly cost him his job.

    I do have a Google account, which I only log in from time to time to suspend all registration of my search history. (Sometimes I need the google search engine). Never have given them my phone number.

    A question to my fellow geeks: is it easy to add my pop email account to Proton Mail, in the sense of using proton mail together with my paid mail account from a Dutch provider at the same time? I only use this provider for my email account. It is not my internet provider.

    1. techamok said on May 13, 2018 at 8:44 pm
      Reply

      ProtonMail is not secure at all, and is run by some rather suspicious characters. Wouldn’t be surprised if it was another data collection operation. Just look at their Terms/Policy pages where they say that the data/their services are stored inside secure Swiss data centers so one should ask: secure by whose measures, who has access to them, and how etc.

  13. asd said on May 12, 2018 at 12:27 pm
    Reply

    If I am going through the trouble of sending someone a password by SMS… I might as well use PGP which is actually trustworthy, unlike Gmail’s security/privacy show.

  14. MarkCB said on May 12, 2018 at 2:49 pm
    Reply

    This is defeated by a screenshot. I’m scratching my head here thinking how on earth this is actually confidential at all?

  15. chesscanoe said on May 12, 2018 at 2:57 pm
    Reply

    If Google wants to provide secure email they should implement the idea explained and demonstrated here.
    https://newatlas.com/fontcode-text-code/54588/

  16. LostMailer said on May 12, 2018 at 7:52 pm
    Reply

    As usually for an article like this, all the privacy conundrums surfaces from among the commentators, and EU seem to be clamping down on these tech giant regarding how data related to users is used, or is this all just smoke and mirrors??

    E-mail is after all sent over the internet in plain text although there are some e-mail services that can relay the e-mail encrypted, one example if I remember it correct is when sending e-mail between Protonmail and Gmail.

    So, If someone in EU wants to use a trusted e-mail service, what are the choices if Gmail now is “questionable”??

  17. jan said on May 13, 2018 at 12:29 pm
    Reply

    After reading the article and comments I conclude:
    1.) It is surely not for my needs
    2.) It falls into the Facebook-type services that give me a better “life experience”
    3.) It is a “POS” (Piece Of Shxx)

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.