Google Can Still Read Gmail’s Confidential Messages

Google’s previously announced “confidential mode” is now live in Gmail across all devices, but the feature may not be as privacy-focused as Google would like us to believe.

Gmail Confidential Mode

Earlier this year, Google announced confidential mode, a security feature for the new Gmail interface. The feature should sound familiar to Snapchat users: emails sent with it enabled self-destruct after a set amount of time. Senders can also choose to require an “SMS passcode,” which is generated by Google.

Confidential mode has now gone live, and Gmail users who have enabled the new interface can use it on both desktop and mobile. Senders can not only control when a message self-destructs, but can also revoke the recipients’ access to it at any time from their own Sent folder. Senders can do this because confidential emails can only be read through Gmail, so Google controls the experience at all times.

Google Can Still Read Confidential Messages

Google is offering confidential mode primarily so that users whose accounts are hacked don’t expose old emails containing private information. Most people don’t delete their emails, so this could be a way to automatically keep their inboxes, as well as the inboxes of their friends, clean and secure.

However, unlike services that use end-to-end encryption, Google can still read all of those emails. Additionally, Google doesn’t let users set their own symmetric encryption passwords for emails; the password is generated by Google and sent to recipients via SMS. This achieves two things for Google: first, it encourages users to give Google their phone numbers and link them to their email addresses, and second, Google remains in control of decrypting those emails at all times.

After Edward Snowden’s revelations, Google seemed eager to adopt end-to-end encryption for Gmail. The company eventually abandoned that project. Since then, some end-to-end encrypted email services, such as ProtonMail, have continued to gain popularity, so confidential mode seems to be Google’s answer to that.

However, this seems like a superficial answer that doesn’t solve any of the problems that ProtonMail and other end-to-end encrypted services do. Furthermore, it may actually increase users’ exposure to phishing attacks, as attackers could now pretend that recipients need to enter their credentials before a confidential email is shown to them.

Additionally, SMS has repeatedly been shown to be an insecure channel, so Google’s SMS-reliant solution doesn’t seem very future-proof.

“DRM for the Web”

The Electronic Frontier Foundation (EFF) has also criticized Gmail’s confidential mode as being a sort of “DRM for the web.” According to the EFF, Google retains the ability to store your emails indefinitely, regardless of whether or not they have “self-destructed.”

Much like DRM (digital rights management), Google has a feature called “Information Rights Management” (IRM) that lets the company disable certain Gmail features, such as forwarding, on confidential emails. To prevent confidential emails from being forwarded through other email services, Google encrypts them so that only Gmail users can read them (whether or not the sender has set up an SMS passcode). As with DRM, the security benefits of this feature also depend on Section 1201 of the Digital Millennium Copyright Act, which makes bypassing the IRM lock a potential felony, carrying a five-year prison sentence and a $500,000 fine for a first offense.

What this means in the real world is that competitors will not be able to reverse-engineer Google’s IRM and read the confidential emails. The EFF also believes that Google calling messages that have supposedly self-destructed “expired” is misleading because the sender, as well as Google, can continue to see those emails indefinitely.
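The custody question raised earlier (Google generates the passcode and stays in control of decryption) and the EFF’s point that “expired” messages remain readable are easiest to see in code. The following Go program is an added example written for this page; it is not Google’s code and does not claim to reproduce how Gmail implements confidential mode. It builds a toy ProviderCustody service that generates the passcode itself and keeps a copy, beside an end-to-end alternative built on X25519 key agreement and AES-256-GCM. All identifiers (Stored, ProviderCustody, E2ESend, E2ERead) and the sample message are constructed for the example, and hashing the shared secret straight into a key is a stated simplification of a real derivation step.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// Stored is one message as kept by a service; key is set only by ProviderCustody.
type Stored struct {
	Nonce, Ciphertext []byte
	Expired           bool // expiry is a flag, not deletion
	key               []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce.
func seal(key, plaintext []byte) (*Stored, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Stored{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}
func unseal(key []byte, m *Stored) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

// ProviderCustody is the article's arrangement: the provider makes the passcode,
// texts it to the recipient and keeps its own copy right next to the ciphertext.
type ProviderCustody map[string]*Stored

// Send encrypts the message and returns the passcode that would go out by SMS.
func (p ProviderCustody) Send(id string, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	m, err := seal(key, plaintext)
	if err != nil {
		return nil, err
	}
	m.key, p[id] = key, m
	return key, nil
}

// Expire is what "self-destruct" or sender revocation amounts to: a flag flip.
func (p ProviderCustody) Expire(id string) { p[id].Expired = true }

// RecipientRead needs the texted passcode and honours the expiry flag.
func (p ProviderCustody) RecipientRead(id string, passcode []byte) ([]byte, error) {
	if m := p[id]; m != nil && !m.Expired {
		return unseal(passcode, m)
	}
	return nil, errors.New("message missing or expired")
}

// ProviderRead needs no passcode and ignores expiry: both halves are still here.
func (p ProviderCustody) ProviderRead(id string) ([]byte, error) {
	if m := p[id]; m != nil {
		return unseal(m.key, m)
	}
	return nil, errors.New("no such message")
}

// e2eKey hashes an X25519 shared secret into a message key (a real protocol would
// use HKDF). ECDH only fails for a foreign-curve or low-order key: a bug here.
func e2eKey(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) []byte {
	shared, err := priv.ECDH(pub)
	if err != nil {
		panic(err)
	}
	k := sha256.Sum256(shared)
	return k[:]
}

// E2ESend is the end-to-end alternative: each party generated its own key pair,
// so a provider relaying the returned Stored value holds ciphertext and no key.
func E2ESend(sender *ecdh.PrivateKey, recipient *ecdh.PublicKey, plaintext []byte) (*Stored, error) {
	return seal(e2eKey(sender, recipient), plaintext)
}

// E2ERead succeeds only for the holder of the recipient's private key.
func E2ERead(m *Stored, recipient *ecdh.PrivateKey, sender *ecdh.PublicKey) ([]byte, error) {
	return unseal(e2eKey(recipient, sender), m)
}
```

After Expire, RecipientRead refuses the message while ProviderRead still returns the plaintext, because the key and the ciphertext never left the provider. In the end-to-end half the relayed Stored value carries no key at all, so a provider-side read has nothing to work with, and a third party holding some other private key fails the same way. The only thing that keeps a message from its host is a key the host never held.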

Gmail's confidential mode could still prove useful in some situations, if users care enough to enable it, but ultimately it's nowhere near as secure as an end-to-end encrypted email message that only the sender and the receiver can read. 

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Solandri
    I'm not really sure what people expect. The fundamental problem has been and still remains that the email protocol is not secure. If you send email from a gmail account to a hotmail account, it is sent as plain text readable by anyone with direct access to anyone on any of the networks between the gmail server and hotmail server. End-to-end encryption only works if both the sender and recipient agree to use and implement the same form of encryption. Since there's no standard, an email provider like Google cannot implement it on their own without having to field countless user complaints that "my friend at friend@another.email-provider.com cannot receive encrypted emails." Google cannot fix that - another.email-provider.com has to fix it - but ignorant people will still blame Google for it. So they don't even bother trying.
    Reply
  • elitech
    21253968 said:
    I'm not really sure what people expect. The fundamental problem has been and still remains that the email protocol is not secure. If you send email from a gmail account to a hotmail account, it is sent as plain text readable by anyone with direct access to anyone on any of the networks between the gmail server and hotmail server. End-to-end encryption only works if both the sender and recipient agree to use and implement the same form of encryption. Since there's no standard, an email provider like Google cannot implement it on their own without having to field countless user complaints that "my friend at friend@another.email-provider.com cannot receive encrypted emails." Google cannot fix that - another.email-provider.com has to fix it - but ignorant people will still blame Google for it. So they don't even bother trying.

    I do not think that is the point of this article. No-one is talking about non-implementation of encryption on both sides of different email services. Not to mention, there are multiple email protocols, but that is not the point here either.

    Google "confidential" works only for users that use gmail. Both sides, not one. So it is purely a google thing. While the sender can regulate access to emails and information sent to others via this service, google itself can still read these emails and store them for as long as it wants. So, if your main concern is privacy and protection from spying in general (someone else reading your private emails), then google confidential is not the answer.

    Best regards.
    Reply