Is Gmail’s Confidential Mode a safe bet?

When email goes boom, it’s usually because somebody’s account got hacked, and his dirty laundry has exploded all over the Internet. But Google now offers a feature in Gmail that can help prevent the private contents of your messages from leaking out. It’s called Confidential Mode, and you can think of it as self-destructing email.

Confidential Mode, which is available in Web browsers, as well as Gmail apps on iOS and Android, offers several privacy-forward features. It enables senders to set a self-deleting timer.

It prevents recipients from copying, downloading, forwarding, or printing the message or its attachments. And it lets senders lock messages, such that they can be opened only with a code sent by text message.



READ MORE ON EMAIL SECURITY


“You can send messages and attachments with Gmail’s confidential mode to help protect sensitive information from unauthorized access,” Google explains in its guide to the feature.

“You can use confidential mode to set an expiration date for messages or revoke access at any time.”

Confidential Mode, similar to the self-destructing limitation on messages sent in Signal and Wickr, provides consumers with a bit more control over sensitive data in email. It seems to be a more secure way to send credit card or passport numbers over email than to email them in a standard email. However, there is nothing stopping the user from taking a screenshot or photo of the contents of the message. And Confidential Mode isn’t yet offered with Google’s enterprise email, G Suite.

To use Confidential Mode with consumer Gmail, first open a new message window. In Web browsers, choose the lock-and-timer icon in the bottom right of the composition window. On Android and iOS devices, tap the three dots in the upper right, and choose Confidential Mode.

Next, set an expiration date and passcode. You choose among five options for expiration, ranging from one day to five years, and whether to protect the message with an Google-generated SMS passcode. When no SMS passcode is used, recipients using Gmail can automatically open the message. If the recipient is not using Gmail, a non-SMS passcode will be sent to them in a separate email.

If you choose to implement an SMS passcode, you must subsequently enter the recipient’s mobile phone number. In the Android and iOS apps, Google will show a prompt to add “Missing Information.” Tap that, then add the phone number. Gmail appears to remember the device the on which email has been opened, but if you switch from browser to app, it’ll ask to send you a new passcode.

A Google representative said those phone numbers are deleted from Google’s servers when the sender’s message is deleted.

Users can also change self-destruct settings before sending an email by clicking or tapping Edit after choosing Confidential Mode. After a Confidential Mode email has been sent, users can prevent the recipient from further reading the email by viewing the copy of the email in the Sent folder, then choosing Remove Access.

Despite its security advancements, some experts worry that the service, as it’s currently implemented, could create another way to fool Gmail users into clicking on a phishing link.

“Basically, you’ve got something that’s meant for “high security” situations that is primed for phishing for credentials,” tweeted Christopher Budd, senior threat communications manager at Palo Alto Networks’ Unit 42 security research group. His concern, shared by others, is that phishers could send emails that look like they’re sent via Confidential Mode but that are designed to trick recipients into divulging personal data.

Google declined to respond directly to questions about these concerns. A representative said the goal of Confidential Mode is to improve Gmail security.

Fears over phishing and security theater—the notion that Confidential Mode makes users think Gmail is more secure than it actually is—drove the digital-rights group the Electronic Frontier Foundation to criticize the service as creating “expectations that it fails to meet.”
“We think that “security” products shouldn’t have to rely on the courts to enforce their supposed guarantees, but rather on technologies such as end-to-end encryption, which provide actual mathematical assurances of confidentiality,” Gennie Gebhart, associate director of research at the EFF, and Cory Doctorow, author and special advisor to the organization, wrote in a blog post. “We believe that using the term “Confidential Mode” for a feature that doesn’t provide confidentiality, as that term is understood, in infosec is misleading.”