According to privacy advocates, Google has a problem with truth in labeling.
No, not about its surreptitious tracking of users who have turned their Location History off, which has sucked up most of the headline space over the past few weeks. This is about the rollout of their allegedly “confidential” Gmail feature.
Confidential mode doesn’t ensure confidentiality
As Google explains, confidential mode (which became the default for consumer users a month ago and is now available for mobile devices) allows users to send self-destructing emails with printing, copying, and forwarding restrictions. Senders can configure an email to require an SMS passcode to open it, and to delete itself after a certain amount of time—one day to five years. They can even remove access to an email after sending it.
And if users send an email by mistake, they can click “Undo” immediately after sending it (an existing feature that just recently came to the mobile app).
Confidential mode works with other email providers because the recipient doesn’t receive the actual email—it is hosted on Google servers. If you’re the recipient, you have to log in to confirm it.
All of which, on the face of it, sounds pretty confidential. But Google itself acknowledges, on its Gmail support page, that confidential doesn’t mean completely private.
“It doesn’t prevent recipients from taking screenshots or photos of your messages or attachments. Recipients who have malicious programs on their computer may still be able to copy or download your messages or attachments,” the company said.
Which are just a couple of reasons the Electronic Frontier Foundation (EFF) is not impressed. In a post a month ago by Gennie Gephart and Cory Doctorow, the two said that while a number of its features “sound promising,” confidential mode doesn’t provide what its name says it does: confidentiality.
The probable results, EFF says, are that it will be “less likely for users to find and use other, more secure communication alternatives” and that it could “push users further into Google’s own walled garden while giving them what we believe are misleading assurances of privacy and security.”
Concerns about confidential mode
How is confidential mode not confidential? Let them count the ways (some of which, as noted, Google has acknowledged):
- Those emails are not end-to-end encrypted, which means “Google can see the content of your messages and has the technical capability to store them indefinitely, regardless of any ‘expiration date’ you set.” While the company has said it doesn’t routinely read those emails, it does have access to them to investigate a bug or abuse.
- Google relies on information rights management (IRM), a concept EFF says Microsoft coined a decade ago that is supposed to allow a sender to disable printing or forwarding of a document. But Gephart and Doctorow call this “a very brittle sort of security”: “If you send someone an email or a document that they can open on their own computer, on their own premises, nothing prevents that person from taking a screenshot or photo of their screen that can then be forwarded, printed, or otherwise copied.”
- An expiration date doesn’t guarantee expiration for both parties to the communication. “Contrary to what the ‘expiring’ name might suggest, these messages actually continue to hang around long after their expiration date”—in your Sent folder, for example. That means both Google and the sender can retrieve them.
- If a sender chooses the SMS passcode option, Google generates a two-factor authentication code and sends a text to the recipient, which means the sender has to give Google the recipient’s number—something the recipient might not want.
Beyond that, confidentiality could be compromised if the recipient is using a malware-infected computer. And as a few users have noted, confidential mode doesn’t have a feature to let you know whether the recipient has opened and read the email.
The dark side of email “privacy”?
All this should serve as a warning to users that while confidential mode might offer a bit more privacy, that privacy is, as EFF noted, brittle.
Sammy Migues, senior member, technical, at Synopsys, noted that the service “has all those issues and more, such as problems for organizations that are legally required to keep copies of all communications.”
He agreed that working around those controls is even more trivial than what EFF noted, “in that the Firefox style editor will let you set a configuration that undoes most of the confidential mode attributes.”
Migues said some have said confidential mode amounts to “DRM [digital rights management] for individuals, but it’s not. To me, it’s just a reasonable ploy to get more people into the Google ecosystem so they have more data to analyze, so they have more to learn, so they have more to sell.”
*** This is a Security Bloggers Network syndicated blog from Software Integrity authored by Taylor Armerding. Read the original post at: https://www.synopsys.com/blogs/software-security/gmail-confidential-mode-not-confidential/