Understanding Confidential Mode on Gmail

Gmail was used by about 20% of the world's population in 2018, and that figure has very likely grown since. No wonder Google has to invest heavily in keeping all these people safe.

One must admit that Google is really good at communicating how secure its products are. Confidential Mode is a good example. According to the firm, with that feature “users can help protect sensitive information from unauthorized or accidental sharing. Confidential mode messages don't have options to forward, copy, print, or download messages or attachments.” The mode lets you do three main things:

  • Set a message expiration date
  • Revoke message access at any time
  • Require a verification code by text to open messages

This looks interesting on paper: finally gaining some control over everyday emails that may contain sensitive information. Isn't it a cool feature?

Except that, judged by outcomes, Confidential Mode is not much more secure than a regular email. TL;DR: it is useful for reducing the likelihood of accidentally sharing a message. Not much more.

Before seeing why, let's quickly look at how the mode works. If you want to jump straight to the conclusion, you can skip the next parts.

How Confidential Mode works

In the Google documentation we can read: “When a message is sent in Gmail confidential mode, Gmail replaces the message body and attachments with a link. Only the subject and link are sent, using SMTP.”

In concrete terms, if your recipient uses a third-party email client, they see a link instead of the message (see the picture below). If they use Gmail, the original message is fetched and displayed inside the confidential one, so it looks like a regular email. Note what this implies: the message body never travels over SMTP at all. It stays on Google's servers and is served through the link, which is precisely what lets the sender expire or revoke it later.

How to send a confidential email using Gmail

When composing an email, click on the lock icon at the bottom right.

Frame 133.png

As shown, you have two options at sending time: Expiration and SMS passcode (revoking access is done afterwards, from the sent message).

Choose what fits you best, and click Save.

Frame 134.png

For reference, a confidential email looks like this:

Frame 135.png

If you selected the SMS passcode option, enter your recipient's phone number.

Frame 136.png

Your recipient receives this email.

Frame 137.png

They have to click Send passcode to go further (if that option was activated).

Frame 138.png

They receive the verification code by text and have to submit it.

Frame 139.png

That's it. Your recipient can now access the email until the expiration date you set.

Frame 140.png

The drawbacks of Confidential Mode

It does not work with attachments

For starters, in our testing Confidential Mode only worked with text and inline content such as embedded images. So if you want to share confidential documents as attached files, you cannot take advantage of the mode.

Frame 141.png

It does not prevent screenshots

As Google itself points out, “[Confidential Mode] can't prevent recipients from taking screenshots or photos of your messages or attachments.” In other words, if your recipient decides to share the information after all, nothing stops them. The controls only remove the convenient buttons; they do not remove the data from the recipient's screen.

It can be used for malicious purposes

Even worse, although Google says users cannot forward the email, they actually can: the notification that carries the link is an ordinary email and forwards like any other. The layer of security Gmail adds is that only the intended recipient can open the link to the original message. To see it, you must be signed in to the Google account of the legitimate recipient (see the image below). The protection therefore rests on the recipient's account (and on the SMS passcode, if you set one), not on the message itself.

Frame 142.png

Google may think it added an extra security step here, but what I see is a fantastic opportunity for a phishing email. I won't explain more here, but I know that we will quickly insert that template in the Cyrius app…
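The two points above (a confidential-mode message arrives over SMTP as subject plus a link, and a phishing copy of that notification only needs to change where the link points) translate into a simple mail-gateway check. The following is an added example written for this post; it is not Google's code and does not reproduce the real Gmail template. The allowlisted host (mail.google.com), the template phrases in TEMPLATE_MARKERS and the three sample messages are all assumptions constructed for the demonstration and should be tuned against real samples before use.

```python
"""Flag messages that imitate the Gmail confidential-mode notification.

Added example, not Gmail's own code. Everything marked ASSUMPTION is a
working assumption about the template, not a fact taken from Google.
"""
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# ASSUMPTION: a genuine notification links under mail.google.com and its body
# contains phrases like these. Both lists are placeholders to be tuned.
LEGIT_HOSTS = {"mail.google.com"}
TEMPLATE_MARKERS = ("confidential", "view the email", "passcode")


class _HtmlScan(HTMLParser):
    """Collect anchor hrefs and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(data)


def host_is_legit(url: str) -> bool:
    """True only if the URL host is a LEGIT_HOSTS entry or a subdomain of one.

    The suffix test is anchored on a dot, so a lookalike such as
    'mail.google.com.verify-account.example' is rejected."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def scan_message(raw: str) -> dict:
    """Parse an RFC 5322 message and score it against the template."""
    msg = message_from_string(raw, policy=default)
    links, text = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            scan = _HtmlScan()
            scan.feed(part.get_content())
            links += scan.hrefs
            text += scan.text
        elif ctype == "text/plain":
            body = part.get_content()
            links += re.findall(r"https?://[^\s<>\"']+", body)
            text.append(body)
    blob = " ".join(text).lower()
    markers = [m for m in TEMPLATE_MARKERS if m in blob]
    looks_like_template = len(markers) >= 2
    off_domain = [u for u in links if not host_is_legit(u)]
    # A host that merely contains 'google' but is not under a legit host is the
    # classic lookalike; it is reported separately as the strongest signal.
    lookalike = [u for u in off_domain if "google" in (urlparse(u).hostname or "")]
    if looks_like_template and off_domain:
        verdict = "phish-suspect"
    elif looks_like_template:
        verdict = "confidential-mode"
    else:
        verdict = "other"
    return {"verdict": verdict, "markers": markers, "links": links,
            "off_domain": off_domain, "lookalike": lookalike}


# Constructed samples, not real Gmail traffic; wording and URLs are assumed.
SAMPLE_GENUINE = """\
From: alice@example.com
To: bob@example.net
Subject: Quarterly numbers
Content-Type: text/html; charset=utf-8

<html><body><p>alice@example.com has sent you an email via Gmail confidential mode.</p>
<a href="https://mail.google.com/mail/u/0/?example=1">View the email</a></body></html>
"""

SAMPLE_PHISH = """\
From: alice@example.com
To: bob@example.net
Subject: Quarterly numbers
Content-Type: text/html; charset=utf-8

<html><body><p>alice@example.com has sent you an email via Gmail confidential mode.</p>
<a href="https://mail.google.com.verify-account.example/open?id=1">View the email</a></body></html>
"""

SAMPLE_OTHER = """\
From: news@example.org
To: bob@example.net
Subject: Newsletter
Content-Type: text/plain; charset=utf-8

This month's articles are at https://example.org/news
"""

if __name__ == "__main__":
    for name, raw in (("genuine", SAMPLE_GENUINE), ("phish", SAMPLE_PHISH),
                      ("other", SAMPLE_OTHER)):
        print(name, scan_message(raw)["verdict"])
```

The check deliberately ignores the From header: the phishing variant keeps the sender and wording identical, so the only reliable discriminator is the host the "View the email" link resolves to, and that comparison must be anchored on a dot boundary or the lookalike domain slips through.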

For companies: confidential messages can still be retained in your Google Vault (if the sender is internal to your organisation)

The thing with Confidential Mode is that it gives your users an illusion of privacy, whereas as an administrator you can still access the content of what they sent. Boundaries must be drawn so that your employees know exactly what they can expect from such features.

And of course, you have to trust Google for the privacy of your data

No further comment on that part: the use of Gmail, and of Google products in general, is conditional on your trust in them. Alternative email providers are available; I will write more on that topic in the future.

Final thoughts

Concerns about privacy and data security are growing, which is a good thing overall. Confidential Mode is a reasonable first step towards reclaiming some control over how you share information, whether as an individual or as an employee.

Yet it's no silver bullet; it is only a modest contribution to actual data security. One must be careful about the real capabilities and limitations of so-called “confidential” features. They can even mislead us into thinking we are safe when we are not.

As a company, maybe you want your employees to be more aware of why data security matters. Cyrius can help you:

  • Create a healthy cybersecurity culture within your organisation
  • Teach your employees best-in-class security practices for today's modern workplace
  • Train them with real-world examples
  • Nudge them to create and keep safer habits