Gmail Confidential Mode: Privacy Vulnerabilities, Beta, and How It Works

Gmail's new confidential mode is about to become the default. 

Gmail!

Google is getting ready to make a new privacy feature called Gmail confidential mode generally accessible for G Suite users on June 25, 2019.

While the feature has been around since 2018, the move is certain to affect a lot of school and work emails for users who are unlikely to have the feature turned on. Confidential mode allows users to set various permissions on their emails to make them more private, including the ability to limit how long an email was available for, and even require a passcode to view it. Right now the function is in beta for G Suite — meaning it is opt-in and must be turned on — but on July 25, it will become the default.

The features will likely be helpful. But they have also drawn some scrutiny from privacy experts who take issue with the term “confidential,” as there are still some features in confidential mode that are exploitable or that would render your emails viewable to outside parties. Google didn’t respond to a request for comment about these vulnerabilities, but we will update if we hear back.

Here’s how to use Gmail confidential mode, and what privacy vulnerabilities you should know about before you start trusting it to protect your workplace communications.

What Is Gmail Confidential Mode?

Gmail’s new confidential mode is a suite of privacy protection features that let you add additional layers of security — for example two factor authentication — in order to access certain emails.

If it’s not on already, you may soon notice a new logo of a clock overlaid on top of a lock in the bottom right corner of your formatting bar. This is how you toggle confidential mode on or off, and where you’re able to set an expiration date for the email you’re sending. When confidential mode is turned on, you will also prompted to choose whether to include a passcode, which would be generated by Google and required by the recipient in order to access the email.

Gmail confidential mode
Image of the Gmail options bar, including the icon for confidential mode. 

If you don’t choose to use an SMS passcode, users of the Gmail app will be able to open the email directly, but people who don’t use Gmail will be emailed a passcode that’s required to open the email.

If you do choose to use an SMS passcode, then the recipient will get a passcode via text message. You will need to enter the recipient’s phone number for them to get the code.

Gmail confidential mode
Popup to set options for confidential mode. 

There are some other security features with confidential mode. For one, it can help you keep the contents of the email more secure by preventing forwards, copies, and other means of duplication. At the top of the options popup, Google informs you that “options for recipients to forward, copy, print, or download this email’s contents will be disabled.”

You also have the ability to revoke access to the email before the time limit you set expires. To do so you just have to go into the sent folder, open the confidential email, and click “remove access”.

If you’re an administrator on a G Suite account, come June 25, you’ll have the ability to turn confidential mode on or off for your organization or company. You can do so in Admin console by going to Apps, then G Suite, followed by Settings for Gmail, and then finally under User settings you’ll have the ability to toggle confidential mode on and off.

Google Confidential Mode: Pros of Using It

Gmail confidential mode has a number of admirable goals. Chiefly, it will help you limit the dissemination of an email and give it the ability to self destruct. This development comes as more companies have started to embrace privacy as a business tactic given the public’s focus on the issue. Secure email clients are often clunky to use, and Google provides a fairly easy user-interface to engage with. That being said, using it at work may raise some eyebrows. Even if your administrator leaves it on, it still might look weird if you’re the only one who seems to be taking the precautions. On the other hand, it may be a good way to send a confidential memo to a limited number of people.

Gmail confidential mode
Gmail user interface including confidential mode

Why You Shouldn’t Use Gmail Confidential Mode

The release of the Gmail confidential mode did draw criticism from privacy experts, who take issue with Google calling the service “confidential.”

The Electronic Frontier Foundation (EFF) published an extensive blog post on the matter, contending that Google has the ability to store your emails indefinitely, regardless of any “expiration date,” and that by forgoing end-to-end encryption, they are ensuring that your emails aren’t really private, because Google itself can still read them. Additionally, you can easily screenshot or take a photo of an email, and then forward that around, with no consequences.

Paradoxically, some of these privacy features will help Google acquire even more personal information about users. As EFF also points out, opting to send an SMS passcode may require entering the recipient’s phone number. In some cases, users might wind up giving Google this information without the consent of the recipient.

Finally, some privacy advocates have argued that the system could still be exploited in phishing attacks, points out Mike Elgan. If only one party is using Gmail — and the other isn’t — emails come through as a password protected link. This link can be forwarded on, but without the password, people are unable to access it. When someone clicks a forwarded link, they’re asked for their Google login information so Google can tell if they’re the person who was supposed to receive the email.

This welcomes a link-based phishing attack, in which people would click on a link, and be prompted to enter their information into a page that only looks like a Google login page, when in fact an attacker would be capturing the info needed to access their Google account. Once in, well, they’d have access to those “confidential emails.”

None of this is to say that confidential mode’s features are worse than the alternative. It is more secure than general email. But don’t be under the illusion that it’s completely secure. For the messages you truly don’t want others (including huge tech companies) to access, you’d be better off using a program like Signal or ProtonMail.