
Gmail confidential mode is not secure or private - rahuldottech
https://protonmail.com/blog/gmail-confidential-mode-security-privacy/
======
cfmcdonald
The point of confidential mode is for _corporate_ users. When the CEO sends
out that confidential mail to the company, it adds a speed bump to users who
are about to copy out data that they have been told they should not, so they
get a chance to realize they should not do this, and then removes all
plausible deniability when they choose to bypass that speed bump.

~~~
sorokod
It is almost as if calling it "confidential" may be misleading.

~~~
lern_too_spel
It matches the name of an existing Outlook/Exchange feature that people have
used for many years. Naming it anything else would have been confusing.

~~~
anjsimmo
In Outlook's docs, they also refer to it as "IRM-protected mail", which seems
clearer to me.
[https://support.office.com/en-ie/article/mark-your-email-as-normal-personal-private-or-confidential-4a76d05b-6c29-4a0d-9096-71784a6b12c1](https://support.office.com/en-ie/article/mark-your-email-as-normal-personal-private-or-confidential-4a76d05b-6c29-4a0d-9096-71784a6b12c1)

Both Google and MS provide a disclaimer that explains Information Rights
Management can't prevent "malicious programs" from bypassing the
restrictions.

------
dewey
> It can still be accessed by Google and potentially exposed to governments or
> hackers.

The article makes the classic mistake of assuming everyone has the full
security apparatus of a country after them.

This feature is obviously not built as an alternative to Signal or for the
Snowdens of this world. These probably know better than using unencrypted
email already. For the average user it's an improvement of the current status.

~~~
mulmen
So you reference Snowden then pretend dragnet surveillance doesn't exist?

If you are on the internet the NSA _is_ spying on you and everyone else.

This is not an improvement because it makes guarantees that simply aren't
true. These compromises are made to further Google's bottom line, not protect
users. Don't pretend this is some kind of incremental improvement. It's a
marketing gimmick.

~~~
lern_too_spel
> If you are on the internet the NSA is spying on you and everyone else.

Citation needed.

> This is not an improvement because it makes guarantees that simply aren't
> true.

No, ProtonMail pretended it made guarantees that it doesn't make. Just like
the exact same Exchange/Outlook feature that people have used for years, this
is to prevent _accidental_ copying of emails and their contents.

~~~
bitexploder
Is a citation really needed about the NSA collecting basically all the data on
the Internet? This is "common knowledge" in information security circles. Go
look up the battles the EFF has fought with the NSA about their data
collection practices. The NSA is continually building giant data warehouses
everywhere... they probably have more data centers than any other organization
in existence. They collect all the data.

~~~
slips
It's pretty common for people to throw out "citation needed" when they don't
want to believe or admit something, but can't plausibly deny it. Sort of the
same way people use the term "fallacy" these days.

~~~
Fnoord
IMO "Citation needed" is a quick way to say "do you have a source for me?",
and "fallacy" (hardly used without also mentioning the specific fallacy) is a
quicker way to say "I recognized logic flaw X in your argument".

You are free to see harm in these statements but telling me they are always
meant as harmful as you mentioned is your own negative reflection. Not mine or
ours, we are free to have our own interpretation as well.

~~~
bitexploder
I think citation needed carries a connotation of “I don’t believe this is
true.” It is just a lazy way to converse if you are engaged in a genial
conversation in good faith. “This is new to me, can you share some
references?” I appreciate we can be technical and to the point, but given the
context, I felt my response was appropriate.

~~~
Fnoord
I do understand you interpret it as "I don't believe this is true" but my
explanation "do you have a source for me?" is also a likely explanation. If I
then apply the HN rules where the reader must assume good faith and interpret
posts in the most positive way, I'm leaning towards assuming "do you have a
source for me?"

------
dheera
"Options for recipients to forward, copy, print, or download this email's
contents will be disabled."

I simply don't understand how they think they can get away with this
foolishness. I can forward, copy, print, or download ANYTHING that passes over
my ethernet cables. Your silly UI will ultimately never stop me from
wiresharking my own cables in my own home and doing whatever the hell I want
with any bits of information that enter my space.

All it does is fool a bunch of less-tech-savvy people into a false sense of
security.

~~~
derefr
Consider for a moment: a company or school set up as an Enterprise Mobile
Device Management provider, handing out ChromeOS devices to everyone, setting up
their GSuite domain so that nobody can connect to their GSuite GMail accounts
except through the ChromeOS device (or an equivalent MDMed mobile device), and
setting up an automatic, un-disable-able VPN on those devices for accessing
Google domains.

I think that’s the scenario Google had in mind when designing this feature.
For enterprise users, where the enterprise controls the hardware, the policy-
level controls actually have teeth, because people don’t have root over the
devices in their possession. For everyone else, it’s not “real security”, but
rather just a gateway drug to get you used to the _workflow_ that “real
security” would provide in an enterprise context.

(Context: I used to work at IBM, and they had a very similar setup—company
issued laptop, app that enforces MDM profile installation, VPN that checks
with the app to ensure MDM is active before connecting, email servers only
accessible _through_ said VPN, and, on top of all that, a policy-enforcing
email app [IBM Notes] where you can delete already-sent things out of other
enterprise-users’ inboxes, send expiring emails, etc.)

~~~
lawfulcactus
It's worth mentioning that all these measures can be fairly trivially defeated
by the analog loophole[1]. I suppose it's harder to prove authenticity in that
case, however.

[https://en.wikipedia.org/wiki/Analog_loophole](https://en.wikipedia.org/wiki/Analog_loophole)

~~~
afandian
Allow me to sell your organisation some VR goggles with iris-reading DRM
protection. Your browser won't display on any other screen. And Google
Services won't work in any other browser.

~~~
rndgermandude
I can still remember the message (or at least important bits) and can write it
down when at home or tell it to other people.

~~~
wyxuan
Yeah but it is still a helluva lot harder to leak it, and it isn't as good as
showing an email exchange.

~~~
rndgermandude
Sure it's harder, and it will not stand up in a court of law probably. But
there probably have been and still are a ton of spies, national and
industrial, who do exactly this, memorize things.

------
rolltiide
All of this applies to making a new protonmail account too

Requires SMS verification or an impassable captcha loop if over TOR

And payment with a credit card

The cryptocurrency payment option with non-user identifiable info only being
available to existing protonmail accounts where that info was already
harvested

So it is ironic to see protonmail calling out those specific things about
gmail confidential

~~~
slips
Protonmail does those things to try and prevent bad actors or bots from making
encrypted accounts to hide their shady tracks. Not for data collection that
they'll sell for a profit. Don't be so glib as to state you can't see the
difference.

~~~
rolltiide
From their home page:

> Secure Your Communications with ProtonMail

> Anonymous Email

> No personal information is required to create your secure email account.

_requires personal information to create the secure email account_

"Protonmail does those things to try and prevent bad actors or bots from
making encrypted accounts to hide their shady tracks."

oh okay, pack it up everyone, don't listen to glib ole me coming to a rational
conclusion

it's IRONIC that I have to trust them as much as I have to trust Gmail
confidential's claims about what they may actually do with the data
collection, or what they may be coerced to do with the data collection. "Swiss
law" doesn't prevent that.

------
privateSFacct
Wow, marketing spam from a competitor.

We send confidential docs regularly to users, who need access to those docs
for perhaps 1 week at most. No one wants / needs to keep these around, but no
one goes through their email carefully to delete these items.

If that user's email was hacked -> they have a big problem. If we can mark the
items for a 3 week retention and then expire those items for them, that's great
- and this lets us do that.

The whole I can wireshark my network -> 99.9% of the confidential info we send
goes to other folks who ALSO want to keep it confidential. Getting rid of
stuff you no longer need to maintain is a key way of helping avoid big
document dumps.

The proof is in the pudding. Either this will help google sell to business (it
will in our case in a big way). Or folks will say it is a stupid feature and
decide idiots like Protonmail who can't seem to understand the point of these
features now deserve our business. My confidence in a place like protonmail
goes down based on this, and I'd love to get a feel for their security history
and overpromises (i.e., a webmail client has got to easily be able to log and hack
encryption etc).

~~~
icedchai
These sort of features are really just security theater. If someone really
wants to share your "confidential" docs they'll screenshot every page to do
it.

~~~
privateSFacct
BOTH parties want to avoid it sticking around in their email forever.

Do folks not work with partners who are sloppy with security? You send over
your stuff. No one wants to leak it but someone's email is hacked. Do you want
your stuff in their email still 5 years later?

Do folks not work in business? Bob sends Sue a draft of updated raises, Sue
edits and adds some notes and sends them back. A final decision is reached.
After some time the big list of salary info by position -> folks want that out
of their emails. This would keep it out.

This is a REAL security benefit. It goes to show that folks like protonmail
and other security experts don't have a good real world understanding of risks
to info people face. It's not all state level hacking, it's folks being lazy,
not cleaning out their email, then getting hacked.

~~~
icedchai
I agree there is some benefit. But it also may lull people into a false sense
of security thinking that information cannot possibly be copied outside the
organization.

------
mulmen
"When we launched ProtonMail nearly five years ago, we pioneered a new kind of
email service: one that gives you control of _our_ own data."

This is a very unfortunate typo.

------
lern_too_spel
This is a feature that Outlook already has and corporate users expect. It's
for making forwarding sensitive emails or any of their content require intent
instead of being accidental.

~~~
dheera
If "accidental" is the true worry, display a confirmation/warning box before
forwarding.

There are valid reasons to need to forward even e-mails marked confidential,
including lawsuits, harassment cases, or even just asking your own lawyer
before signing an agreement, among others.

Deciding when a piece of information should not have been forwarded is the job
of the workplace or law, not the e-mail client.

~~~
lern_too_spel
> If "accidental" is the true worry, display a confirmation/warning box before
> forwarding.

Gmail supports other MUAs using IMAP and POP, so that doesn't work.

The fact that there are valid reasons to forward sensitive emails is why there
is an escape hatch. It's only the accidental forwards and copies that this is
meant to stop.

~~~
dheera
We can invent a new e-mail header X-Confidential: true, and clients will start
to adopt the warning behavior over time. If Gmail supports it off the bat it
will already cover a huge fraction of the market.

~~~
inlined
Interesting idea. I’d tweak it just a bit.

When designing APIs I find that bools are often a smell or a missed
opportunity. What if, for example, there was an X-Intended-Audience?

That could be integrated with Active Directory, Groups, IAM etc within an
organization to make the warning only pop up when a potential violation is
occurring, which helps avoid seeing the warning so often that it gets ignored
(or accidentally sending to the wrong confidential party as in medicine or law).
It could also inform IT after the fact.
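
The header scheme sketched in this subthread, as an added example that is not part of any comment here nor of Gmail or Outlook: the `X-Confidential` and `X-Intended-Audience` headers, the in-memory group directory (standing in for AD/Groups) and the sample message are all assumed or constructed. It shows a client-side forward check that warns only on recipients outside the declared audience, falling back to "warn on every forward" when only the bare boolean header is present.

```python
"""Constructed example: a forward-time check for the hypothetical
X-Confidential / X-Intended-Audience headers. Nothing here is a real
mail client's or mail provider's code."""
from email import message_from_string

# Constructed directory: group address -> member addresses (stand-in for
# Active Directory / Google Groups lookups).
DIRECTORY = {
    "finance@example.com": {"bob@example.com", "sue@example.com"},
    "execs@example.com": {"ceo@example.com", "bob@example.com"},
}

# Constructed sample message carrying both hypothetical headers.
SAMPLE = """From: ceo@example.com
To: bob@example.com
Subject: Draft raises (constructed sample)
X-Intended-Audience: finance@example.com, execs@example.com
X-Confidential: true

Please review and send back; not for distribution outside the group.
"""


def parse_audience(msg):
    """Return (is_confidential, audience_entries). Entries are bare
    addresses, group addresses, or '*@domain' to allow a whole domain."""
    confidential = msg.get("X-Confidential", "").strip().lower() == "true"
    raw_headers = msg.get_all("X-Intended-Audience", [])
    entries = {a.strip().lower() for h in raw_headers
               for a in h.split(",") if a.strip()}
    return confidential or bool(entries), entries


def expand(entries, directory):
    """Expand group addresses into members; keep plain entries as-is."""
    allowed = set()
    for entry in entries:
        allowed |= {m.lower() for m in directory.get(entry, {entry})}
    return allowed


def is_allowed(addr, allowed):
    """Exact match, or domain wildcard match ('*@example.com')."""
    addr = addr.lower()
    if addr in allowed:
        return True
    domain = addr.rsplit("@", 1)[-1]
    return f"*@{domain}" in allowed


def check_forward(raw_message, forward_to, directory=DIRECTORY):
    """Return the sorted list of forward recipients that fall outside the
    intended audience; an empty list means no warning is shown.
    With X-Confidential alone (no audience header) every forward is
    flagged, which is the coarse boolean behaviour proposed upthread."""
    msg = message_from_string(raw_message)
    confidential, entries = parse_audience(msg)
    if not confidential:
        return []
    if not entries:
        return sorted(a.lower() for a in forward_to)
    allowed = expand(entries, directory)
    return sorted(a for a in forward_to if not is_allowed(a, allowed))
```

Wiring the returned list into a confirmation dialog (and an after-the-fact notice to IT) is the MUA's job; the check itself needs only the headers and a directory lookup.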

------
lern_too_spel
All of this is clearly explained in the setting to enable the mode for a
domain. It's for making forwarding sensitive emails or any of their content
require intent instead of being accidental, and people who are used to
Exchange/Outlook already understand this feature. Domain administrators still
need to keep copies for legal compliance.

------
ijpoijpoihpiuoh
Modes like this are not intended to provide hard security. They are not
designed to deal with malicious recipients. Rather, they're intended to
provide a barrier to _accidental_ or _unthinking_ dissemination of
confidential content. It is also designed to prevent permanent retention and
the ongoing risk that represents. It solves or limits the fallout from the
"silly friend" and "new enemy" problems.

There is no way to convey information to a malicious human s.t. that human
cannot convey it onwards to unwanted recipients. The best you can do is
provide strong disincentives. Some options for doing this: make sure that your
recipients generally don't want to hurt you. Make them fear you (even that
doesn't always work, see [1]).

[1]: [https://en.wikipedia.org/wiki/Reality_Winner](https://en.wikipedia.org/wiki/Reality_Winner)

------
mfer
I like posts being out there like this. I expect many non-technical users will
get the wrong impression about confidential mode. Impression is different from
the stated words and can be filled in by our subconscious thoughts about the
space between what is said.

When words are explicitly said it can cause people to think things through.

~~~
lorenzobr
Except that most non-technical users will never read ProtonMail blog.

------
hitpointdrew
Article makes good points. But clearly they are promoting their own product,
over Gmail, and compete directly with them.

One thing I find troubling is that they seem to be making their own false
claim.

>Because we do not have access to the recipient’s private key, we are never
able to read the message. We do have access to metadata, like the email
addresses, timestamp, and subject line.

I am not sure how proton could send messages to anyone if they didn't know the
recipients address!

EDIT: I'm stupid, please disregard this. They clearly state that they DO have
access to metadata (for some reason my head read it as DO NOT).

~~~
kdmccormick
I don't see where they claim they don't know the recipient's address.

~~~
hitpointdrew
I'm an idiot. I misread the sentence.

------
idlewords
Email in general is not secure or private. It bugs me to see ProtonMail making
claims like 'end-to-end encryption' about a webmail service.

------
craftyguy
This 'article' is a Proton Mail spam piece.

------
tantalor
> This is not an expiring email. It can still be accessed by Google and
> potentially exposed to governments or hackers.

This "expiration" could protect the receiver from subpoena/discovery ("Sorry I
don't have it anymore") but it sounds like the sender is still liable to
produce the original message on demand.

------
cotelletta
Protonmail's Android app still doesn't do threads.

Posting this just to embarrass them into fixing it.

------
dboreham
I first had this argument (obviously I was on the sane side of the argument)
in 1994. Amusing to see it persist for 25 years and to even permeate Google.

------
weliveindetail
Jeopardy: An email option that encourages people to add OTHER people's phone
numbers to Google's database.

------
david927
_Gmail confidential mode is not secure nor private_

------
paul7986
Google knows more about you than your mom!

Sorry and personally that’s too much for me!

------
kabwj
Does Gmail give away your data to the Swiss government, though?

~~~
silversconfused
Yes, and without a warrant too.

------
bo1024
Nor is it email!

------
CraftThatBlock
In other news, water is wet. More at 11

~~~
OrgNet
most users don't know about this feature and more importantly don't know that
Google is lying... so more publicity is better.

------
m3kw9
Google and privacy in the same sentence, no one would bet their house on it if
they were to choose

~~~
idlewords
Google is very good at protecting data from unauthorized access. Many of the
people who work there see themselves, with justification, as the guardians of
privacy in that narrow sense.

------
ddingus
This makes as much sense as the Outlook recall feature did.

User Bob would like to recall email titled, "that sex party last night"

Riiiight

~~~
ben509
Recalls make a lot of sense if mass announcements are sent with mistakes, so
people aren't confused by having the incorrect version in a busy inbox.

~~~
ddingus
Yes, exactly.

For benign purposes, some sense is seen.

Otherwise, the whole idea is silly.

------
silversconfused
This makes all the pointy-haired bosses out there demanding faxes and hardcopies
seem wise. Imagine, getting an email that tried to block forwarding... the
nerve.

------
threwawasy1228
Protonmail is a fantastic service, I switched to an account with them in the
last few years and have not logged into my gmail since. Can't say enough good
things about their offerings. I'm glad to see them making arguments like these
in public to out their competitors' practices.

~~~
slenk
You mean creating blog spam that misses the point?

------
AndrewKemendo
I'm always curious how the Project Managers working on these projects think
about posts like these. It's a very public call-out, effectively saying "this
product is not what they say it is and is dangerous." Especially when it's
obviously true, I'd be curious if anyone here can speak to the mental state of
someone on the receiving end.

For example I was publicly put on blast for something that was false about me.
So in that case I just blew it off because it was wrong, and no reaction was
really necessary. It was still very stressful though personally and for my
family. I wonder how these product teams across Google and FB primarily feel
in these cases.

~~~
Spooky23
They probably eye-roll the deliberate misinterpretation of the feature by a
competitor. Particularly ironic given that that company's marketing schtick is
that the first listed security feature is "We are incorporated in Switzerland".

Outlook has had the same feature for 20 years.

------
cmsimike
Gmail has no incentive to create anything secure or private because that would
prevent them from going through your email to show ads. [This is wrong]

Update! Gmail changed this behavior a while ago. Went under my radar:
[https://variety.com/2017/digital/news/google-gmail-ads-emails-1202477321/](https://variety.com/2017/digital/news/google-gmail-ads-emails-1202477321/)

Thanks!

~~~
lloydde
“We will not scan or read your Gmail messages to show you ads.”

[https://support.google.com/mail/answer/6603?hl=en](https://support.google.com/mail/answer/6603?hl=en)

~~~
cmsimike
You're absolutely right. Turns out they changed this behavior in 2017. Thanks
for making me look into it.

~~~
lloydde
You’re welcome. I found it fascinating at the time of the change, and still
do, that email is sacred, but all other activity is open for manipulation-based
advertising.

~~~
wibble10
If they don’t scrape your email how is this page generated then?

[https://myaccount.google.com/purchases](https://myaccount.google.com/purchases)

~~~
jvolkman
Nobody said the emails aren't scanned; they're just not used as context for
ads. Obviously they're scanned, otherwise spam filtering wouldn't be possible.

~~~
wibble10
I think there’s a difference between scanning all incoming mail for spam and
keeping a detailed list of my purchase history by scanning my inbox for
receipts somehow... If they aren’t using this data for context ads it must be
being used for something else, otherwise why would they do it?

~~~
smacktoward
The critical words in the statement are not "We will not scan or read your
Gmail messages"; they are "to show you ads."

In other words, they reserve the right to scan or read your Gmail _for any
purpose other than_ showing you ads. So they can still read your email for
things like creating that purchases list, as well as a myriad of other tasks.
As long as that task doesn't involve showing you an ad, your Gmail is wide
open to them.

------
gyaniv
Yes, Google isn't untrustworthy and doesn't care about the users' privacy, we
knew that, but the general public that isn't as aware (at this point it's hard
to be completely unaware) also doesn't read this private company blog, so it
doesn't really help much (except advertise the company).

We should be thinking of ways to improve the situation for everyone (not
saying I have the solution), but personally (and unfortunately) I don't think
this would have any impact.

~~~
mda
I would trust Google and Gmail way more than protonmail and whatever company
behind it for protecting my private data to be honest.

~~~
okmokmz
You'd trust a company whose primary business model is based on the mass
collection, analysis, and monetization of user data to protect your private
data? Not saying I trust proton mail, but as far as I'm concerned Google is a
malicious actor when it comes to my data, same as Facebook, and I believe it's
in individuals' best interest to limit their exposure.

~~~
dymk
I trust the company who is under global regulatory scrutiny 24/7, and watched
like hawks by every major news organization in the world for them to slip up.

If Protonmail fucks up, there's not going to be a NYT article about it.

~~~
srfilipek
Think about the different user bases and sources of revenue.

If google screws up, they might see a small blip in ad revenue before
recovering.

If Protonmail screws up, then they'll lose paying customers which is their
only source (presumably) of revenue.

~~~
joshuamorton
I can't say for sure, but I'd guess that Gmail has many more paying customers
than protonmail. This feature exists specifically for those paying
(enterprise/gsuite) customers.

