As part of Gmail’s redesign in 2018, Google introduced the Confidential Mode to protect sensitive information sent by email. However, the Electronic Frontier Foundation (EFF), an international nonprofit digital rights group, notes that calling this new mode “confidential” is misleading as it lacks the privacy features needed to be considered a reliable and secure communications option for most users.
To understand the potential problems with Gmail’s Confidential Mode, your first need to understand how it works.
How the Confidential Mode Works
Gmail’s Confidential Mode is designed to protect sensitive information by:
- Allowing you to set an expiration date for an email, thereby limiting the amount of time the recipient has to view it
- Allowing you to immediately revoke access to an email you already sent, regardless of its expiration date
- Preventing the email’s recipient from forwarding, copying, printing or downloading the email’s contents
- Requiring the recipient to enter a one-time passcode to view the email (this is optional)
The Confidential Mode is possible because Google stores the email’s message (the body of the email) and any attachments on its servers, creating a link to the stored information. It then sends the email’s subject line and link to the recipient using a standard email protocol (Simple Mail Transfer Protocol, or SMTP).
What the recipient sees depends on the email address to which the message was sent. If the email is sent to a Gmail address, the message and attachments will automatically render. The email will appear like any other, except it will include a note like that shown in Figure 1.
If the email is sent to a non-Gmail address, the recipient will be sent the link, which they can click to access the message, as Figure 2 shows.
The Potential Problems
Some security experts warn that emails sent using the Confidential Mode might not be private nor secure. One of the EFF’s main concerns is that Google can read the confidential emails people send because end-to-end encryption is not used. In addition, the EFF is concerned that Google has the technical capability to store these emails indefinitely, regardless of their expiration date. Google is not sharing any information about how long they are keeping them. “We’re not able to comment on internal procedures,” stated one Google official.
Online copies of expired confidential emails might also exist in a different location: in the “Sent” folders of the people who emailed the messages. When a Gmail user sends a confidential email, the full email (including the body of the email and any attachments) remains in the person’s “Sent” folder until it is manually deleted.
Another concern with confidential emails is the ease in which the recipients can share the messages, despite the forward, download, and copy options being disabled in confidential emails. A recipient could simply take a screenshot or photo of the email’s message and share it with others. So, using the Confidential Mode to provide proprietary or sensitive business data is not a good idea.
Furthermore, using the Confidential Mode might violate a company’s email retention policy. Failing to adhere to this policy could potentially put the business in harm’s way if it must comply with regulations such as the Sarbanes-Oxley Act (SOX) in the United States.
Finally, all businesses — even those that do not use the Confidential mode — need to watch for phishing attacks that use spoofed confidential emails. The emails sent to non-Gmail addresses (like the one in Figure 2) would be ideal for spoofing since they tell recipients to click a link to view the confidential message.
Because of all the potential problems, you might want to avoid using Gmail’s Confidential Mode. There are more secure ways to share sensitive information with people outside your company, including:
- Using an email to let someone know the information is available and having that person log in to an access-controlled share on a company’s network or server
We can help you set up a secure system that will protect your business’s data.