Between you, me, and Google: Problems with Gmail's “Confidential Mode”

documents, and hides the decryption keys where users aren’t supposed to be able to find them.

This is a very brittle sort of security: if you send someone an email or a document that they can open on their own computer, on their own premises, nothing prevents that person from taking a screenshot or a photo of their screen that can then be forwarded, printed, or otherwise copied.

But that’s only the beginning of the problems with Gmail’s new built-in IRM. Indeed, the security properties of the system depend not on the tech, but instead on a Clinton-era copyright statute. Under Section 1201 of the 1998 Digital Millennium Copyright Act (“DMCA 1201”), making a commercial product that bypasses IRM is a potential felony, carrying a five-year prison sentence and a $500,000 fine for a first offense. DMCA 1201 is so broad and sloppily drafted that just revealing defects in Google IRM could land you in court.

We think that “security” products shouldn’t have to rely on the courts to enforce their supposed guarantees, but rather on technologies such as end-to-end encryption which provide actual mathematical assurances of confidentiality. We believe that using the term “Confidential Mode” for a feature that doesn’t provide confidentiality as that term is understood in infosec is misleading.

“Expiring” messages
Similarly, we believe that Confidential Mode’s option to set an “expiration date” for sensitive emails could lead users to believe that their messages will completely disappear or self-destruct after the date they set. But the reality is more complicated. Also sometimes called “ephemeral” or “disappearing” messages, features like Confidential Mode’s “expiring” messages are not a privacy panacea. From a technical perspective, there are plenty of ways to get around expiring messages: a recipient could screenshot the message or take a picture of it before it expires. 

But Google’s implementation has a further flaw. Contrary to what the “expiring” name might suggest, these messages actually continue to hang around long after their expiration date, for instance in your Sent folder. This Google “feature” eliminates one of the key security properties of ephemeral messaging: an assurance that in the normal course of business, an expired message will be irretrievable by either party. Because messages sent with Confidential Mode are still retrievable—by the sender and by Google—after the “expiration date,” we think that calling them expired is misleading.

Exposing phone numbers
If you choose the “SMS passcode” option, your recipient will need a code, similar to a two-factor authentication code, to read your email. Google generates and texts this code to your recipient, which means you might need to tell Google your recipient’s phone number—potentially without your recipient’s consent.

If Google doesn’t already have that information, using the SMS passcode option effectively gives Google a new way to link two pieces of potentially identifying information: an email address and a phone number.

This “privacy” feature can be harmful to users with a need for private and secure communications, and could lead to unpleasant surprises for recipients who may not want their phone number exposed.

Not so confidential
Ultimately, for the reasons we outlined above, in EFF’s opinion calling this new Gmail mode “confidential” is misleading. There is nothing confidential about unencrypted email in general and about Gmail’s new “Confidential Mode” in particular. While the new mode might make sense in narrow enterprise or company settings, it lacks the privacy guarantees and features to be considered a reliable secure communications option for most users.

Gennie Gebhart is Researcher, and Cory Doctorow is Special Advisor, at the Electronic Frontier Foundation (EFF). This article is published courtesy of the Electronic Frontier Foundation (EFF).