Posted by Taylor Armerding on September 10, 2018
According to privacy advocates, Google has a problem with truth in labeling.
No, not about its surreptitious tracking of users who have turned their Location History off, which has sucked up most of the headline space over the past few weeks. This is about the rollout of their allegedly “confidential” Gmail feature.
As Google explains, confidential mode (enabled by default for consumer accounts a month ago and now available in the Gmail mobile apps) lets users send expiring emails with printing, copying, and forwarding restrictions. Senders can require an SMS passcode to open a message, set it to expire after a chosen period (from one day to five years), and revoke access at any time after sending.
And if users send an email by mistake, they can click “Undo” immediately after sending it (an existing feature that just recently came to the mobile app).
Confidential mode works with other email providers because the recipient never receives the message body itself: the body stays on Google's servers, and the recipient gets a link to it. Before the message is displayed, the recipient has to confirm their identity, by signing in or with a passcode, and the body is rendered in the browser rather than delivered into their mailbox.
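The following is an added example, not Google's code and not a reproduction of Gmail's implementation: a toy model of a link-based "confidential" message service in which the class name, method names, data structures and sample messages are all hypothetical. It models the behaviours described above (server-hosted body, optional passcode, expiry, revocation, and a guess limit on the passcode) to make one point concrete: the server decides whether the recipient gets the body, but once the body has been handed over, nothing the server does afterwards takes it back.

```python
"""Toy model of a link-based confidential message store (hypothetical, added
here for illustration; not Google's or Gmail's code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Message:
    body: str
    expires_at: float               # Unix time; open() refuses after this
    passcode_hash: Optional[bytes]  # None when no passcode is required
    revoked: bool = False
    failed_attempts: int = 0


def _hash_code(code: str) -> bytes:
    # Passcodes are short server-generated one-time codes, so a plain hash only
    # keeps them out of the store in the clear; the real defence against
    # guessing is the attempt limit enforced in ConfidentialStore.open().
    return hashlib.sha256(code.encode()).digest()


class ConfidentialStore:
    """Holds message bodies server-side and gates every view of them."""

    MAX_ATTEMPTS = 5  # lock the message after this many wrong passcodes

    def __init__(self) -> None:
        self._msgs: Dict[str, Message] = {}

    def send(self, body: str, ttl_seconds: float, now: float,
             passcode: Optional[str] = None) -> str:
        """Store the body; return the unguessable id the emailed link carries."""
        mid = secrets.token_urlsafe(16)
        self._msgs[mid] = Message(
            body=body,
            expires_at=now + ttl_seconds,
            passcode_hash=_hash_code(passcode) if passcode else None,
        )
        return mid

    def revoke(self, mid: str) -> None:
        """Sender-side 'remove access': stops future views only."""
        self._msgs[mid].revoked = True

    def open(self, mid: str, now: float,
             passcode: Optional[str] = None) -> Optional[str]:
        """Return the body if every server-side check passes, else None."""
        msg = self._msgs.get(mid)
        if msg is None or msg.revoked or now > msg.expires_at:
            return None
        if msg.passcode_hash is not None:
            supplied = _hash_code(passcode) if passcode else b""
            if not hmac.compare_digest(supplied, msg.passcode_hash):
                msg.failed_attempts += 1
                if msg.failed_attempts >= self.MAX_ATTEMPTS:
                    msg.revoked = True  # too many guesses: lock the message
                return None
        # The plaintext now lives on the recipient's device; screenshots,
        # copies or malware there are outside the server's reach.
        return msg.body


def demo() -> Dict[str, Optional[str]]:
    """Walk the lifecycle with constructed sample messages and timestamps."""
    store = ConfidentialStore()
    t0 = 1_536_000_000.0  # constructed timestamp
    results: Dict[str, Optional[str]] = {}

    mid = store.send("Q3 figures attached", 86_400, t0, passcode="483920")
    results["wrong_code"] = store.open(mid, t0 + 10, passcode="000000")
    recipient_copy = store.open(mid, t0 + 10, passcode="483920")
    results["opened"] = recipient_copy
    store.revoke(mid)
    results["after_revoke"] = store.open(mid, t0 + 20, passcode="483920")
    results["recipient_still_has"] = recipient_copy  # revoke never reached it

    mid2 = store.send("no passcode, one-minute ttl", 60, t0)
    results["before_expiry"] = store.open(mid2, t0 + 59)
    results["after_expiry"] = store.open(mid2, t0 + 61)

    mid3 = store.send("guessing target", 86_400, t0, passcode="777777")
    for _ in range(ConfidentialStore.MAX_ATTEMPTS):
        store.open(mid3, t0 + 1, passcode="123456")
    results["after_lockout"] = store.open(mid3, t0 + 2, passcode="777777")
    return results
```

Running `demo()` shows the boundary: the wrong passcode, the expired link, the revoked message and the locked-out message all return nothing, while the copy the recipient obtained before revocation is unaffected. Expiry, revocation and the passcode are real controls because the server enforces them before releasing the body; "no copying" and "no printing" are not, because they can only be enforced after it.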
All of which, on the face of it, sounds pretty confidential. But Google itself acknowledges, on its Gmail support page, that confidential doesn’t mean completely private.
“It doesn’t prevent recipients from taking screenshots or photos of your messages or attachments. Recipients who have malicious programs on their computer may still be able to copy or download your messages or attachments,” the company said.
Which are just a couple of reasons the Electronic Frontier Foundation (EFF) is not impressed. In a post a month ago by Gennie Gebhart and Cory Doctorow, the two wrote that while a number of its features “sound promising,” confidential mode doesn’t provide what its name says it does: confidentiality.
The probable results, EFF says, are that it will be “less likely for users to find and use other, more secure communication alternatives” and that it could “push users further into Google’s own walled garden while giving them what we believe are misleading assurances of privacy and security.”
How is confidential mode not confidential? Let them count the ways (some of which, as noted, Google has acknowledged):
Beyond that, confidentiality could be compromised if the recipient is using a malware-infected computer. And as a few users have noted, confidential mode doesn’t have a feature to let you know whether the recipient has opened and read the email.
All this should serve as a warning to users that while confidential mode might offer a bit more privacy, that privacy is, as EFF noted, brittle.
Sammy Migues, senior member, technical, at Synopsys, noted that the service “has all those issues and more, such as problems for organizations that are legally required to keep copies of all communications.”
He agreed that working around those controls is even more trivial than what EFF noted, “in that the Firefox style editor will let you set a configuration that undoes most of the confidential mode attributes.”
Migues said some have said confidential mode amounts to “DRM [digital rights management] for individuals, but it’s not. To me, it’s just a reasonable ploy to get more people into the Google ecosystem so they have more data to analyze, so they have more to learn, so they have more to sell.”