
Gmail confidential mode - brajesh
https://gsuiteupdates.googleblog.com/2019/03/keep-data-secure-with-gmail-confidential-mode-beta.html
======
drglitch
I feel that many of these pseudo-secure, proprietary enhancements to email
create a false sense of security for non-tech-savvy users. Given the smoke-
and-mirrors presentation of this as a way to "secure your email^tm" and the
plethora of recent info leaks, i am sure some poor c-level exec will get
caught inadvertently sharing something with an external recipient thinking
that it will disappear in a few days, but then find themselves in a middle of
a publicity nightmare.

In my utopia world, i'd love to see basics of information privacy and personal
security be taught in schools akin to Driver's Ed or Sex Ed classes.

~~~
gibba999
There are two schools of thought:

1) Security has to be enforced by code

2) Your employees are reasonable, and won't try to maliciously bypass security
controls

I'm firmly in camp #2. In a normal corporate setting, a locked door or a
locked cabinet is security, even with a cheap, easily pickable lock.

That's all this is. And for 95% of corporate applications, that's good enough.
If you have high-level executive crime, or a scandal where you killed a few
people, this won't help, of course. But if you'd like to keep an upcoming
merger confidential, or maintain a trade secret, or anything vaguely normal,
this is more than good enough.

This also helps with email retention policies. Sometimes you want ephemeral
communications you don't want a record of. This isn't necessarily malicious
either; in more litigious industries, emails can be obtained through discovery
and quoted out-of-context. Things like typos can get you (goodness knows I've
made enough of those). Sending an email which communicates something and
disappears in a week is helpful.

~~~
beatgammit
That only works for internal communications. Once it leaves Google's servers,
you lose all control. I don't know the specifics here, but the only ways to
guarantee that an email server somewhere isn't caching your emails (and I
don't trust Google to not cache them either) is to either encrypt them (GPG)
or require hitting your server to read the email (potentially what Google is
doing), and that doesn't prevent the user from copying it (but at least you
can know _who _ copied it or let it be copied).

I don't know how external access works, so maybe they're doing more than they
say they are, but I don't trust my coworkers, I shouldn't trust Google either.
Client-side encryption is the only acceptable solution IMO.

~~~
derefr
I think this _is_ only for internal communications. They were talking about
this feature being “enabled by your GSuite domain administrator.” Presumably
it only works for email sent between members of the affected domain (though
I’m not sure why they’d fail to mention that.)

~~~
eitally
No. It does, definitely, work with external recipients.

Source: am googler, have used.

~~~
myrandomcomment
How? If you send an email with this on to me@protonmail.com and I download the
message to my IMAP client how does google magically reach out and delete it
from my hard drive? Is the email HTML only that only displays the text when
the user is online and that text is fetched from the Google server? Let us say
it is and I view the email, how does Google stop me from cutting and pasting
that email using my thunderbird, et.al. IMAP client?

~~~
Spoom
You view the message on a Google server through a browser. The message body is
never actually sent to the recipient's address.

"When someone sends a confidential mode message, Gmail removes the message
body and any attachments from the recipient's copy of the message. These are
replaced with a link to the content. Gmail clients make the linked content
appear as if it's part of the message. Third-party mail clients display a link
in place of the content."

From
[https://support.google.com/a/answer/7684332](https://support.google.com/a/answer/7684332)

~~~
myrandomcomment
Thank you for explaining. Also I guess I will be able to write an auto reply
message that say “Sorry, I refused to received messages of this nature.”

------
jimbobimbo
There's a phrase that large companies often use to explain "puzzling" features
like this to detractors: you are not the target audience. Often this phrase is
mis-used to cover up straight up bad ideas, but in this case it's right on the
money.

The target audience for this feature are CIOs of organizations Google sells
G-Suite to. Companies do need IRM on emails, to prevent leaks that could
happen by accident or intentionally; to limit email audience; to avoid endless
replies-to-all on announcements; to put an expiration date on the "perishable"
bits of information; etc. I'm pretty positive that they have to have this to
compete with Office 365, which had IRM [1] for a very long time.

Yes, it's not perfect, however, if it's there, it mitigates a lot of the
issues I mentioned above. Note the wording: "mitigates", not "fixes".

It's interesting that they still list screenshots as a possibility: email
clients (e.g. Outlook) are able to utilize OS mechanisms to prevent those as
well. I thought that browser protected media APIs would allow Gmail opt-in to
this kind of protection too.

[1]: [https://docs.microsoft.com/en-
us/office365/SecurityComplianc...](https://docs.microsoft.com/en-
us/office365/SecurityCompliance/information-rights-management-in-exchange-
online)

~~~
judge2020
Would like to note more IRM for DLP (data loss prevention) is an upcoming
feature:

[https://support.google.com/a/table/7539891](https://support.google.com/a/table/7539891)

> Information Rights Management (IRM) for DLP

> Enable IRM enforcement as a DLP remediation action.

> In development

------
saagarjha
> Recipients who have malicious programs on their computer may still be able
> to copy or download your messages or attachments.

“Malicious programs” such as any standards-complaint email software?

~~~
Zarel
If I were implementing something like this, it would just be a link to an
auto-expiring viewer page, if you opened the email in a third-party email
client.

And according to Google, that's exactly how it's implemented:

[https://support.google.com/mail/answer/7674059](https://support.google.com/mail/answer/7674059)

"Malicious programs" here most likely refers to things like keyloggers.

~~~
incompatible
You aren't really sending email any more, just a link to a website.

~~~
lotu
This is unfortunately how lots of people and companies think "secure" email
needs to work. Any message from my bank or doctor works this way even it is
something as simple as an appointment reminder. It is massive waste of user's
time and programing effort, but I'm afraid that is where the world is moving.

~~~
racingmars
Unfortunately doctors have to do this because the common legal interpretation
of HIPAA and HITECH Act is that they have to.

Dates of service for a patient are protected health information. Most covered
entities and business associates won't risk sending any PHI using methods that
are not covered under the safe harbor provisions of the HITECH act. So...
endless proliferation of "secure email" systems instead of using email. (And I
don't see S/MIME taking off anytime soon as an alternative, even though that
would be sufficient to qualify for safe harbor.)

------
ktpsns
> removing options for recipients to forward, copy, print, and download

Oh please... Everybody can do a screenshot nowadays, and even Google itself
integrated OCR into its Screenshot tool at Android a few years ago. What a
waste of time to make the life of people harder who must use this "security"
feature!

~~~
reustle
The Airbnb app prevents screenshots on certain pages on the OS level on
Android, I'm sure the Gmail app will do the same.

~~~
enriquto
> The Airbnb app prevents screenshots on certain pages on the OS level on
> Android

it is creepily dystopian that this sort of behavior is even possible

~~~
Cthulhu_
I think you're overreacting there and misappropriating that term to express
your outrage, without thinking of realistic use cases. It's a security
feature. Bank apps and 2FA apps probably have it as well when displaying
sensitive information. In Airbnb it's probably a protective measure to avoid
sharing information via screenshots instead of links to the app / website
though. That's not dystopian either though.

~~~
realusername
It's not a "security" feature, anything which can be displayed can be
captured, you can even take a picture of your phone with another phone if you
want, it just makes users annoyed without adding any security.

~~~
Spivak
Just because you can get around a policy doesn't make it ineffective. I'm sure
that slight barrier reduced the number of people taking screenshots of their
bank app 99%. Perfect is the enemy of good.

~~~
realusername
It just gets user annoyed for no reason, why can't they take a screenshot of
their bank account anyway? It just makes no sense. I understand banks like it
because they are full of regulatory security which don't make sense in real
life, that's probably one more to add to the list.

------
wooptoo
This has the potential to create a huge legal headache.

We can no longer rely on email to be there in our archive and presented as
evidence in court, but now have to worry about expiry.

In many countries an exchange of emails which represents a series of terms,
restrictions, an offer, and finally acceptance can be considered a legally
binding contract between parties and can be presented in court.

With expiry and email DRM we now have entered the alternative reality of such
contracts written with disappearing ink.

~~~
krageon
Is this situation not the same as verbally binding legal contracts? What you
need is to record your expiring messages otherwise it'll just devolve into a
they said, they said in the courtroom.

~~~
wooptoo
It's not the same. In business Email is established as a written form of
agreement.

~~~
krageon
This isn't email, so I don't see how that is applicable.

~~~
fouc
Applies to any written form of communication

------
parliament32
If anyone is curious how it works with external accounts, I just tested it:

1) Mail arrives (subject intact) with text like "John Doe has sent you an
email via Gmail confidential mode" and a "View Email" link

2) The link takes you to a "To view this email, you must first confirm your
identity. A one-time passcode will be sent to (your email)" page.

3) Entering the separately-emailed passcode lets you see the email body in-
browser. Selecting text is disabled in the body (so no copy-paste), trying to
print the page blanks out the body area -- I'm sure you could bypass either
with a bit of JS wizardry. Printscreen/screenshot work as expected.

~~~
X-Istence
Ugh... there are companies that did this sort of stuff for Outlook users, and
it's a royal pain in the ass.

It's not searchable, it can't be archived for legal purposes this way, this is
a nightmare for anyone that does business with you.

------
newsbinator
I love the concept as a sender, I hate the concept as a receiver.

It means a ton more mental overhead: "do I need to jot down the info from this
email somewhere (manually?) now because at some point it's going to expire or
my access is going to be revoked?".

Frustrating. It's the opposite of all the benefits of gMail search.

~~~
prepend
This will result in one of two things from me: 1) auto forward everything to a
non-gmail archive account 2) if blocked, finally leave gmail

~~~
X-Istence
Someone posted further up that when you send a "secure" email to an outside
the company email address, they get a link to ope the email and have to enter
a one-time code that is emailed to them.

So even forwarding is broken, as is search for those of us that search our
emails a lot.

------
maltalex
Proprietary "extensions" to email make me nervous.

~~~
glitchc
This, thousand times this. Google is trying to remake the internet so that
only Google's browser works with Google's version of the internet that
operates entirely on Google servers.

~~~
agentdrtran
outlook had this for years.

------
bambax
This is very bad and makes me angry. If you send me an email I need to not
worry about being able to save the information forever. Once somebody sends
out something it is no longer theirs. But now the cancer of DRM leaks into our
personal lives???!?

At the very least receivers should be able to automatically reject any such
email.

~~~
Kamshak
This isn't for your personal E-Mail, it's for professional E-Mail via GSuite

------
kernelPan1c
Confidential...as in only you, the recipients, Google, the NSA, and other
intelligence agencies the NSA shares information with can read these emails.

------
sverige
The title made me think Google was announcing that they won't read my email
any more. Alas.

~~~
Jabbles
Define "read" \- you obviously don't mean "process" because that wouldn't make
any sense. So you must be talking about something more specific?

~~~
Dylan16807
The email should be received, filtered, and put into a database with an index.
If any information escapes this database, outside of going to the user's email
client, then we have a privacy problem with google "reading" the mail.

This definition isn't _perfect_ but it should be enough for to you understand
the intent.

~~~
kevin_thibedeau
You agreed to their use of all data when signing up for your free account with
gigabytes of free storage.

~~~
Dylan16807
Yeah, but we should clearly distinguish it as a price.

------
lrvick
This is so incredibly stupid and irresponsible on so many levels.

Beyond obvious lock-in "Gmail Confidential Mode" tells users SMS is secure (it
isn't), teaches users they can prevent message printing (they can't), and
teaches users to open links in emails from strangers to then put in their
Google credentials to view the message!

Was anyone on the Google Security team given a chance to look at this before
it got shoved out there? I know there are people at Google smarter than this.

This is a massive setback in educating users about actually useful security
measures.

------
samuelfekete
I would like to see Gmail offer end-to-end encryption for "confidential"
emails.

~~~
ymolodtsov
How are they supposed to do that on the protocol level?

~~~
tcd
Protonmail allows you to add PGP key. Not sure if the user just sees 'garbage'
data inside the email but it's entirely possible to send E2EE email already,
just encrypt the contents of the message and send that across.

If the person has the key, they can decrypt it.

~~~
codebook
Do you really want to hand over your private PGP key to 3rd-party company? I
never ever won't do that. If I will use PGP key for web email service, it is
only when the service provider gives a way to communicate with my local
machine so that the email text is SIGNED IN MY MACHINE and send it back to the
email provider, then send to the recipients. For encryption, it can be done
with public key of the recipients.

------
nukeop
They're cocky enough now to think that they can take on the e-mail as a de
facto standard and do the Embrace, Extend, Extinguish dance with it.

This is akin to DRM and just like DRM it will be ineffective - if I can see
it, I can forward it, copy it, and print it, and do whatever I want with it.
Users are being led to believe that they can enforce these sorts of controls
over email but they can't.

~~~
josteink
Google loves DRM though.

They helped launch WebDRM. Now we have EmailDRM, with a Google-account being
mandatory for all recipients.

What’s the next standard Google plan on ruining?

~~~
nukeop
I think they've got their eyes on tcp and http now.

------
ukthrowaway123
A lot of people are posting that this is for gsuite. I've had this in my
regular gmail for a couple of weeks now.

------
miki123211
Will this be a lock in feature that makes it harder for people using external
mail clients?

~~~
brajesh
Won't it simply fallback to regular email view on external clients, like
outlook's "recall email" function?

~~~
alkonaut
The reasonable implementation would be to not send anything more than a link
to a site where the receiver can view the content.

~~~
X-Istence
Which is exactly what this does... and now I can't search my email for
relevant information anymore.

This is a step back.

------
NetBeck
AOL 4.0 had a similar function [1].

[1]
[https://web.archive.org/web/20130115034301/http://americansh...](https://web.archive.org/web/20130115034301/http://americanshelflife.wordpress.com/2008/05/26/ode-
to-aols-unsend-function/)

------
lalos
Great way to have your users label their own data to improve their ML models
by tagging it as confidential or not.

------
kerng
Outlook has had this for very long time. Even consumer versions have some of
the rights management features.

At my new job I am using Gmail via GSuites for first time and I didnt know how
antiquated Gmail is. Lots of missing features and rather confusing UI.

But adding more security options and giving users control is good.

~~~
Spivak
Coming from O365 the thing I miss most is sweeping rules.

------
twotwotwo
Work is the one place this seems OK: if the company provides the email
service, it can hide the forward button or whatever if it thinks that advances
its interests.

Still think disclaimers about the limits (in the UI, not just the blog post)
have to be be stronger. It could help avoid accidental leakage and communicate
your intent to keep the contents confidential, but it's absolutely no use
against someone hostile. I feel like the name should be more like "mark as
confidential" or something, to clearly get across it's a strong suggestion but
has no hard enforcement behind it.

------
bo1024
Naming this technology "confidential mode for email" is extremely dishonest
and misleading to users about what it actually does. Very frustrating
decision.

------
AngeloAnolin
Interesting take from a friend overseas who is into a lot of Security and Data
Surveillance.

Me: So, what do you think about Google's Confidential Mode settings? Are you
going to use it in your company?

Friend: It is one of the topics heavily debated right now. Especially by our
management.

Me: Is that so? Why?

Friend: Lots of legal implications that needs to be addressed.

Me: How about you? What's your take?

Friend: Well, for a start, given Google's history of surveillance, this type
of enhancement only just gives them more power and capability to focus on
information that are being deemed sensitive by an individual or an
organization.

Me: You think so?

Friend: Absolutely. Imagine if this person sends out approximately 100 emails
in a day, and marks 5 of them as sensitive or confidential or whatever terms
you would like. Google can then sequence the emails to track based on the
confidentiality that was set forth on it.

Me: Never thought of things in that perspective.

Friend: Yes. Further to that, they could then add more focus on confidential
emails which would have a very specific expiry dates. This becomes more
specific to their focus, where they can direct their resources specifically on
this.

Me: (Intently listening)....

Friend: It's like this. Assume you have boxes in your house. Each box contains
different stuff. Some box may contain your cash, or jewelry or any other
important stuff. Now, you have a burglar going inside your house. With a 100
boxes, they would certainly only spend a couple of time to rummage through the
boxes. If they can only open 5 boxes, with the possibility of those boxes
containing nothing but garbage, then the burglars are not successful in
getting your prized stuff. Now imagine having those boxes labeled with stuff
like 'MONEY', 'JEWELRY', 'CONFIDENTIAL', 'IMPORTANT TO DISPOSE BY DATE YYYY-
MM-DD', etc. Doesn't that give the burglar an easier way to run through the
boxes? This eliminates for them wasting on boxes that may have no importance
at all.

Me: That is certainly a possibility if you would think of it.

Even though such scenario may be far-fetched from a corporate (Google for
Business) standpoint, it is still worthy of a discussion. IMHO.

------
targ2002
When I was using lotus notes there was a similar feature, but it didn't work
very well. As the message was sent to you inbox, you could modify the
properties on the message, I created a button to unprotect the message because
there were several people in my group who always had their message
confidential and the information needed to sent to others quite frequently.

------
nmstoker
Looks like they should clarify the bounds of this functionality. Obviously
they know who they're talking about, but good communication wouldn't assume
the reader does.

Presumably it's only working within a G Suite organisation (equivalent to
aspects of similar features in Exchange)

------
bachmeier
It's not clear what the use case is for something like this. Why wouldn't you
use an alternative communications channel like Slack in this situation? I
mean, if you don't want to use email, don't use email. Why go through all the
complications this introduces.

------
thefounder
What a stupid thing. You may think that Google doesn't know how email works in
the first place. Expiring emails?? DRM(rebranded as IRM) ?? Thank god we have
so many email providers and these "features" are worthless outside of gmail.

------
xivzgrev
What happens if you send an email to a non gmail address? I assume this mode
has no effect.

~~~
rocqua
I believe your message is put behind a link which, after the message expires,
no longer directs you to the contents of your email.

------
visarga
What if I take a screenshot of the email? How can they prevent that? Or use a
phone to take a shot of the screen displaying the email.

~~~
DontSueMeBro
[https://en.wikipedia.org/wiki/Analog_hole](https://en.wikipedia.org/wiki/Analog_hole)

------
emgee_1
I never use Gmail in a browser. This means that this functionality is not
available for me? ( using iSync msmtp mu mu4e emacs setup)

------
dontbenebby
Will this work with non-gsuite users? Gmail has a big marketshare, and setting
a message to expire to them could be useful

------
howard941
Plausible deniability for those times when the sender would rather not have
email evidence preserved.

------
sidcool
Question: Does this only work GMail to GMail or also across email platforms?

~~~
TrueDuality
This only works inside Gmail and specifically only within the web interface.
It does not protect emails accessed / forwarded / stored from IMAP and POP
clients (though if the messages are only stored server side the IMAP one will
still get deleted).

------
rospaya
Will this work only for Gmail/Gsuite clients?

~~~
Spivak
No, they're just sending a link in the email with some UI fluff to make it a
little more transparent in GMail.

An enterprise feature that doesn't work with Outlook might as well not exist.

------
teddyh
Embrace, extend, …

~~~
Spivak
If you think sending an expiring link is EEE then a lot of companies have been
extinguishing email for a while now.

------
Simon_says
They're about two weeks early for April Fools.

~~~
itronitron
'con' was auto-corrected to 'confidential'

------
aw4y
"gmail" and "confidential" in the same sentence. sure.

~~~
arsenico
I do not understand your sarcasm here - the feature is for GSuite, which is at
some level of confidentiality, isn't it?

