Google’s previously announced “confidential mode” is now live in Gmail across all devices, but the feature may not be as privacy-focused as Google would like us to believe.
Gmail Confidential Mode
Earlier this year, Google announced confidential mode, a security feature for the new Gmail interface. The feature should sound familiar to Snapchat users: emails sent with it enabled self-destruct after a set amount of time. Senders can also choose to require an “SMS passcode,” which is generated by Google.
Confidential mode has now gone live, and Gmail users who have enabled the new interface can use it on both desktop and mobile. Senders not only control when messages self-destruct; they can also revoke the recipients’ access to a message from their own Sent folder at any time. Senders can do this because confidential emails can only be read through Gmail, so Google controls the experience at all times.
Google Can Still Read Confidential Messages
Google is offering confidential mode primarily so users who have their accounts hacked don’t expose old emails with private information. Most people don’t delete their emails, so this could be a way to automatically keep their inboxes, as well as the inboxes of their friends, clean and secure.
However, unlike services that use end-to-end encryption, Google can still read all of those emails. Additionally, Google doesn’t allow users to set their own symmetric encryption passwords for emails, as that password is automatically generated by Google and sent to recipients via SMS. This achieves two things for Google. First, it encourages users to give Google their phone numbers and link them to their email addresses, and second, Google remains in control of decrypting those emails at all times.
After Edward Snowden’s revelations, Google seemed eager to adopt end-to-end encryption for Gmail. The company eventually abandoned that project. Since then, some end-to-end encrypted email services, such as ProtonMail, have continued to gain popularity, so confidential mode seems to be Google’s answer to that.
However, this seems like a superficial answer that doesn’t solve any of the problems that ProtonMail and other end-to-end encrypted services do. Furthermore, it may actually increase users’ exposure to phishing attacks, as attackers can now pretend that recipients must enter their credentials before a confidential email will be shown to them.
Additionally, SMS keeps proving to be an insecure channel, so Google’s SMS-reliant solution doesn’t seem too future-proof.
“DRM for the Web”
The Electronic Frontier Foundation (EFF) has also criticized Gmail’s confidential mode as a form of “DRM for the web.” According to the EFF, Google retains the ability to store your emails indefinitely, regardless of whether or not they have “self-destructed.”
Much like DRM (digital rights management), Google has a feature called “Information Rights Management” (IRM) that allows the company to disable certain Gmail features, such as forwarding, on confidential emails. To prevent confidential emails from being forwarded through other email services, Google encrypts the messages so that only Gmail users can read them (whether or not the sender has set up an SMS passcode). As with DRM, the security benefits of this feature also depend on Section 1201 of the Digital Millennium Copyright Act, which makes bypassing the IRM lock a potential felony, carrying a five-year prison sentence and a $500,000 fine for the first offense.
What this means in practice is that competitors will not be able to reverse-engineer Google’s IRM and read confidential emails. The EFF also argues that Google’s description of supposedly self-destructed messages as “expired” is misleading, because the sender, as well as Google, can continue to see those emails indefinitely.
Gmail's confidential mode could still prove useful in some situations, if users care enough to enable it, but ultimately it's nowhere near as secure as an end-to-end encrypted email message that only the sender and the receiver can read.