With Gmail’s new design rolled out to more and more users, many have had a chance to try out its new “Confidential Mode.” While many of its features sound promising, what “Confidential Mode” provides isn’t confidentiality. At best, the new mode might create expectations that it fails to meet around security and privacy in Gmail. We fear that Confidential Mode will make it less likely for users to find and use other, more secure communication alternatives. And at worst, Confidential Mode will push users further into Google’s own walled garden while giving them what we believe are misleading assurances of privacy and security.
With its new Confidential Mode, Google purports to allow you to restrict how the emails you send can be viewed and shared: the recipient of your Confidential Mode email will not be able to forward or print it. You can also set an “expiration date” at which time the email will be deleted from your recipient’s inbox, and even require a text message code as an added layer of security before the email can be viewed.
Unfortunately, each of these “security” features comes with serious security problems for users.
DRM for Email
It’s important to note at the outset that because Confidential Mode emails are not end-to-end encrypted, Google can see the contents of your messages and has the technical capability to store them indefinitely, regardless of any “expiration date” you set. In other words, Confidential Mode provides zero confidentiality with regard to Google.
But despite its lack of end-to-end encryption, Google promises that with Confidential Mode, you’ll be able to send people unprintable, unforwardable, uncopyable emails thanks to something called “Information Rights Management” (IRM), a term coined by Microsoft more than a decade ago. (Microsoft also uses the term “Azure Information Protection.”)
Here’s how IRM works: companies make a locked-down version of a product that checks documents for flags like “don’t allow printing” or “don’t allow forwarding” and, if it finds these flags, the program disables the corresponding features. To prevent rivals from making their own interoperable products that might simply ignore these restrictions, the program encrypts the user’s documents, and hides the decryption keys where users aren’t supposed to be able to find them.
This is a very brittle sort of security: if you send someone an email or a document that they can open on their own computer, on their own premises, nothing prevents that person from taking a screenshot or a photo of their screen that can then be forwarded, printed, or otherwise copied.
But that’s only the beginning of the problems with Gmail’s new built-in IRM. Indeed, the security properties of the system depend not on the tech, but instead on a Clinton-era copyright statute. Under Section 1201 of the 1998 Digital Millennium Copyright Act (“DMCA 1201”), making a commercial product that bypasses IRM is a potential felony, carrying a five-year prison sentence and a $500,000 fine for a first offense. DMCA 1201 is so broad and sloppily drafted that just revealing defects in Google IRM could land you in court.
We think that “security” products shouldn’t have to rely on the courts to enforce their supposed guarantees, but rather on technologies such as end-to-end encryption which provide actual mathematical assurances of confidentiality. We believe that using the term “Confidential Mode” for a feature that doesn’t provide confidentiality as that term is understood in infosec is misleading.
Similarly, we believe that Confidential Mode’s option to set an “expiration date” for sensitive emails could lead users to believe that their messages will completely disappear or self-destruct after the date they set. But the reality is more complicated. Also sometimes called “ephemeral” or “disappearing” messages, features like Confidential Mode’s “expiring” messages are not a privacy panacea. From a technical perspective, there are plenty of ways to get around expiring messages: a recipient could screenshot the message or take a picture of it before it expires.
But Google’s implementation has a further flaw. Contrary to what the “expiring” name might suggest, these messages actually continue to hang around long after their expiration date for instance, in your Sent folder. This Google “feature” eliminates one of the key security properties of ephemeral messaging: an assurance that in the normal course of business, an expired message will be irretrievable by either party. Because messages sent with Confidential Mode are still retrievable—by the sender and by Google—after the “expiration date,” we think that calling them expired is misleading.
Exposing Phone Numbers
If you choose the “SMS passcode” option, your recipient will need a two-factor authentication-like code to read your email. Google generates and texts this code to your recipient, which means you might need to tell Google your recipient’s phone number—potentially without your recipient’s consent.
If Google doesn’t already have that information, using the SMS passcode option effectively gives Google a new way to link two pieces of potentially identifying information: an email address and a phone number.
This “privacy” feature can be harmful to users with a need for private and secure communications, and could lead to unpleasant surprises for recipients who may not want their phone number exposed.
Not So Confidential
Ultimately, for the reasons we outlined above, in EFF’s opinion calling this new Gmail mode “confidential” is misleading. There is nothing confidential about unencrypted email in general and about Gmail’s new “Confidential Mode” in particular. While the new mode might make sense in narrow enterprise or company settings, it lacks the privacy guarantees and features to be considered a reliable secure communications option for most users.