Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Security Communications The Internet

Does Gmail's 'Confidential Mode' Go Far Enough? (engadget.com) 160

Last month, Gmail's big redesign became default for everyone, changing up the aesthetic appearance of the email service and introducing several new features. One of the key features, Confidential Mode, lets you add an "expiration date" and passcode to emails either in the web interface or via SMS, but not everyone is so trusting of its ability to keep your private data secure. "Recipients of these confidential emails won't be able to copy, paste, download, print or forward the message, and attachments will be disabled," notes Engadget.

The Electronic Frontier Foundation (EFF) doesn't think this new mode is secure at all. It's not encrypted end-to-end, so Google could read your messages in transit, and the expiring messages do not disappear from your Sent mail, which means they are retrievable. What's more is that if you use an SMS passcode, you might need to give Google your recipient's phone number. Because of these reasons, Slashdot reader shanen doesn't believe the new feature goes far enough to secure your data. They write: [M]y initial reaction is that I now need a new feature for Gmail. I want an option to reject incoming email from any person who wants to use confidential mode to communicate with me. Whatever conspiracy you are trying to hide, I'm not interested. So can anyone convince me you have a legitimate need for confidential mode? The main features I still want are completely different. Easiest one to describe would be future delivery of email, preferably combined with a tickler system.
This discussion has been archived. No new comments can be posted.

Does Gmail's 'Confidential Mode' Go Far Enough?

Comments Filter:
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Sunday August 19, 2018 @11:21AM (#57154652)
    Comment removed based on user account deletion
    • by 110010001000 ( 697113 ) on Sunday August 19, 2018 @11:26AM (#57154682) Homepage Journal
      It doesn't. Completely stupid idea. Google is full of stupid ideas, but they have a lot of employees so they need to keep looking like they are busy doing stuff.
      • It doesn't. Completely stupid idea. Google is full of stupid ideas, but they have a lot of employees so they need to keep looking like they are busy doing stuff.

        That's why Google is a failing company with terrible ratings! Witch hunt!

    • by fyngyrz ( 762201 )

      yeah, this. I posted essentially the same thing. Your post wasn't here when I started typing - but I admit to drinking coffee and didn't get it written very fast. :)

    • As long as you don't use Google email you do can do anything you want to the message including copying, pasting, forwarding, and pasting.

      • by gweihir ( 88907 )

        That as well. But even if you use Gmail, you can do the same with a bit more effort.

      • So it doesn't send you to a secure portal if you're not a gmail user? That would be an immediate failure right there. Email contains only a link and instructions but Gmail client interprets and displays it would be so much smarter.

        • If I get an email that says I have to go to a secure portal to read the message then I'm deleting the email. It's way too easy for the spammers to copy, especially for initial messages. I also hate using webmail interfaces. That's why I choose to use a mail client application. There is a good solution for sending secure messages that works in many mail applications. No, it doesn't prevent me for copying, pasting, forwarding, or printing but if you want to put DRM on a message to me then don't send me the m

          • I'm only describing the type of system that a lot of medical providers use for HIPAA compliance. And it's set up this way specifically because it doesn't require you to set anything up in advance to be able to receive the message.

    • by novakyu ( 636495 )

      What it does is raise the stakes. It forces the sender to make "screenshot is photoshopped" accusation.

      But then, unless the message is CC'd to multiple people at the time of sending, it's not like there wasn't "email is forged" accusation available already, anyway. (While faking full headers might take more effort, unless the adjudicator has access to the mail servers—highly doubtful—they can't be verified against a third-party record anyway.)

    • Re: (Score:3, Insightful)

      by geekmux ( 1040042 )

      How does it stop someone from taking a photo of your displayed e-mail with another device? Even if it somehow stops me taking a screenshot, there's no way from keeping me from taking a shot of the screen...

      Uh, I hate to point out the obvious here, but there's not a single end-to-end encryption solution in the world that would prevent this, so it's rather difficult to classify this as mere "theater" without slapping that label on every other form of email encryption.

      • by gweihir ( 88907 ) on Sunday August 19, 2018 @12:40PM (#57155108)

        End-to-end email encryption is not "theater". Its security assurances do not include prevention of any use by the intended recipient though.
        So any claim to be able to control the intended recipient is a big fat lie ("theater"), but most people creating end-to-end email encryption do not make this claim in the first place.

        • End-to-end email encryption is not "theater". Its security assurances do not include prevention of any use by the intended recipient though. So any claim to be able to control the intended recipient is a big fat lie ("theater"), but most people creating end-to-end email encryption do not make this claim in the first place.

          Allow me to clarify. The vulnerability identified (taking pictures or recording video of the screen from another device) is a weakness that exists in every security solution today, so it becomes rather pointless to identify it as a weakness in this solution.

          Yes, Googles implementation is half-assed shit for multiple reasons, but if you were to exclusively count screen capturing from another device (which the parent did), then every security solution is half-assed shit. That was my point here. It's pointl

          • by gweihir ( 88907 )

            I disagree. _This_ solution claims to fix this problem, but it does not. So it is a vulnerability of this system and it needs to be identified here. Other solutions do not claim to fix this problem, so it is not a vulnerability there, but a known limitation instead.

            The problem is, in essence, Google lying to its customers about what its technology can do.

        • Mostly wishing I had a mod point to give you [gweihir], but largely for your signature. So far most of the comments seem to be completely missing the point, make that ANY point, of the topic, but at least the confusion about email security is a real concern. I'm not sure I should confess to being the source of the quote at the top... That would make me largely liable for the misdirection of the discussion?

          Let me try to clarify the distinction here. Private communication is fine. I don't think you can convin

      • Confidential mode is not about securing the email from third party eyes, as with encryption, but securing it's content's usage from the indended recipient's control, as such comparing it's benefits and shortcomings to encryption is erroneous and irrelevant.

        • Confidential mode is not about securing the email from third party eyes, as with encryption, but securing it's content's usage from the indended recipient's control, as such comparing it's benefits and shortcomings to encryption is erroneous and irrelevant.

          As is identifying taking pictures of a screen with another device, which was my entire point.

          That specific vulnerability exists in every security solution today, so it's pointless to label it as a weakness here. Even Google trying to prevent forwarding or printing of content is defeated by this rather simple tactic, just as Macrovision, DVD/Blu-Ray encryption, and many other types of security measures designed to prevent dissemination have been defeated in the past by recording the playback with a differen

        • by mysidia ( 191772 )

          They're trying to send DRM'ed E-mail. I absolutely despise this idea, because the most likely uses are (1) Extorting or bullying people, Or (2) Attempting to send messages regarding an illegal act and making sure the recipient doesn't keep evidence to use against the sender.

          Thus... I want a way to BLOCK confidential mode e-mail and ensure it gets rejected.

    • by gweihir ( 88907 )

      Indeed. The idea of a message that destroys itself is ages old. It cannot be implemented securely though. I have gone so far as making physical screenshots with a digital camera to get around it on a device not under my control. (It was a complicated error message, with no regular way to copy it.) This whole thing is a combination of a rather shameless marketing lie and the stupidity of the customer.

      • by AmiMoJo ( 196126 )

        It's not supposed to be secure. The help page even tells you that: https://support.google.com/mai... [google.com]

        The idea is to signal to the recipient that they should not forward or print the message. They can circumvent that with some effort but so can you easily copy documents marked "top secret" and "confidential". This feature prevents casual, thoughtless copying.

    • Your Google(TM) DRM compatible phone-camera would have a "do not record" subchannel which picks up a high frequency signal indicating that it should not record the scene.

      The subchannel is inserted by the hardware similar to HDCP. Only signed, compliant software with a guarantee from the hardware would be able to read and render the content.

      Well, that's the future anyway. Where nobody has analog cameras, and dedicated digital cameras are barely a thing anymore.

    • Comment removed based on user account deletion
  • Encryption is Key (Score:5, Insightful)

    by careysub ( 976506 ) on Sunday August 19, 2018 @11:26AM (#57154684)

    Every other secure mail service or add-on of which I am aware, Lavabit, Protonmail, PGP add-ons, etc., regard encryption is the very foundation of private email.

    Without that there really is no security that really matters.

    • But you need end-to-end encryption. Which means your recipient must have a compatible encryption tool. End-to-ISP or end-to-server is not the same thing. Until Google controls every email user, having encryption only for gmail users is short sighted.

    • by gweihir ( 88907 )

      Sure. But encryption gives you some things and others is does not. In particular, there is no way using encryption to prevent the intended recipient from doing whatever they like with an email. Making that claim is just a shameless lie. What they can see and read, they can copy, store, print, forward, etc.

      What end-to-end encryption does give you is confidentiality against 3rd parties and authenticity of the sender and these are both critical to have.

      • by ls671 ( 1122017 )

        What end-to-end encryption does give you is confidentiality against 3rd parties and authenticity of the sender and these are both critical to have.

        Sorry, to be more precise, encryption does NOT provide you with authenticity of the message at all. Signing your messages does and there is no requirement to encrypt for signing a message. I sign all my emails digitally and anybody can still read them. I sometimes encrypt also.

        Encryption is done with the public key of the recipient so it doesn't prove authenticity since anybody has access to the public key. Signing is done with the private key of the sender so it does prove authenticity.

  • Nonsense (Score:4, Insightful)

    by fyngyrz ( 762201 ) on Sunday August 19, 2018 @11:26AM (#57154688) Homepage Journal

    "Recipients of these confidential emails won't be able to copy, paste, download, print or forward the message, and attachments will be disabled," notes Engadget.

    This is utterly ridiculous bullshit. As long as you can do a screen capture or simply photograph the screen, the recipient can create a record of the email. "Confidential emails" my ass.

    • by gweihir ( 88907 )

      In addition, you can make screenshots on OS level, and you may even be able to do a direct copy on browser-level, depending on the browser. Browsers are not able to secure things they display. They can just make copying minimally harder.

    • They advertise it as purely means to prevent "accidental" copying, if you're determined to subvert expiration and copy it somewhere then not only you can do a screenshot but also use modified viewer that will net you original message in pristine form.
  • by Anonymous Coward on Sunday August 19, 2018 @11:28AM (#57154696)
    Hillary and her staff wish they had that feature. And regarding the sent folder, last I checked you can delete emails in there. And of course wipe you local HD, smash you smartphone.
  • by Anonymous Coward

    >google
    >confidential

    right, and facebook values your privacy, too

  • by Anonymous Coward

    The "confidential" mode only prevent someone who stole your unlocked phone from reading those particular messages.

    The contents of your messages is available to Google and U.S. intelligence services for years, and the metrics collected from the messages will be stored and available forever.

    This doesn't apply to just your gmail account, but every single account added to the GMail app, because that's how it's built, to collect information on you.

    Don't think for second that you have private communication when y

    • by jimbo ( 1370 )

      Indeed, this is for somebody trying to prevent their nosy spouse from discovering they are having an affair, nothing more.

      • by shanen ( 462549 )

        Interesting that the only comments that so far have struck me as substantive are from the senior citizens. I've been searching for any HINT of a good reason for this new feature. You [jimbo] mentioned another of the bad "reasons", but there are LOTS of them. I already addressed your focus more substantively in my longer comment above, but I'm just going to repeat my proposed solution here:

        If anyone EVER sends me a confidential-mode email, then the first thing I will do is take a picture of it. If the email

  • How are you going to complain about a fee service? Don't use it if you have a problem with the features.

    • Well, it's going to get my phone number into Google's hands, together with my email. That's going to let them link a lot more data to me.

    • by shanen ( 462549 )

      If I ever got a mod point, I think I'd give you a funny for the typo. Or was it?

      The problem with this confidential-mode service is NOT that I will never use it. The problem is that OTHER people will use it so they can accuse me of being a liar. If you can think of any legitimate use of confidential-mode email, then I'd be interested in hearing it. I think there are justifications for secrecy, but all of the legitimate ones (that I know of) go back to prior secrecy and I haven't found any pretense of justifi

  • by ravenspear ( 756059 ) on Sunday August 19, 2018 @11:35AM (#57154744)

    There are real tangible benefits to running a private email server if you are looking for more privacy for your email.

    That is, unless you are in a government job.

    • There are real tangible benefits to running a private email server if you are looking for more privacy for your email.

      Very true, but today's generation gets really offended when you ask them to pay for services like email and social media. It's against their religion or something.

      That is, unless you are in a government job.

      I dunno about that. Seems to have worked out just fine for Hillary Clinton. Got away with doing exactly that for years.

    • by kqs ( 1038910 )

      There are real tangible benefits to running a private email server if you are looking for more privacy for your email.

      Depends on who you want privacy from. Running a secure mail service is very very hard, and almost everyone who claims that they can do it are terribly wrong. I say this as someone who ran private mail servers for decades.

    • by gweihir ( 88907 )

      I have been doing that forever. Also prevents creeps from reading my email (well, on my side at least) and putting ads in it.

  • Exactly (Score:5, Insightful)

    by Artem S. Tashkinov ( 764309 ) on Sunday August 19, 2018 @11:38AM (#57154766) Homepage

    If something can be read with the bare human eyes, it can be copied, pasted, downloaded, printed and forwarded because it can be as easily captured by any digital camera, OCR'ed and reused any way you want. From the look of it Google's implementation and wording are clearly a sham or meant for hillbillies.

    Protonmail fares much better in this regard (real encryption and self-destruction beyond the expiration date) and they don't claim your recipient will not able to download or copy your message.

    • by gweihir ( 88907 )

      Self-destructing email is not implementable, unless you have full control over the receiver. Yes, that means they get searched for cameras before they are allowed to read email. But the idea is pervasive in bad spy movies and hence lots of stupid people keep asking for it. That is likely why Google implemented this fake security measure.

      • You again? I think I've already addressed some of your points in the longer reply above, but here I want to rehash the problem with the private email thing...

        Most people do not want to spend the time required to setup and maintain their own email server. It's actually a different kind of network effect. I've already addressed (though it was in a reply not addressed to you) the network effect of more users, which is why Gmail seems valuable to the google in the first place. However the private email server i

        • by gweihir ( 88907 )

          You again? I still have no clue what you are talking about, so I will ignore you now.

  • Every time I've received an encrypted email, I have regretted reading it. In general, the person who was really paranoid about people reading his email was really paranoid in general. So, years ago I made it my personal policy to reject them.

    • by 110010001000 ( 697113 ) on Sunday August 19, 2018 @11:47AM (#57154816) Homepage Journal
      No wonder you haven't been replying to my messages regarding the Moon "landings".
    • by novakyu ( 636495 )

      Why do you even have a public key [key-server.io] posted on a key server, then?

    • Don't you do a lot of advocacy work that requires coordinating with lawyers? Aren't lawyers using encrypted emails?

      • by Mashiki ( 184564 )

        Aren't lawyers using encrypted emails?

        Generally no. And I wish I was even kidding about that, in most cases unless it can be all wrapped into one nice little ball most don't want anything to do with it and still prefer dead-drops for anything important.

        • So it's a simplicity of GUI issue? Or it's a key management issue? I'm just curious what the exact pain points are, and why they aren't solved yet./p.

          • by Mashiki ( 184564 )

            The AC hit every single point. Hell the company I work for, there was a serious problems with upper level management and executives refusing to do so because "it's too complex." It absolutely has to be to the point of being seemless and not seen for them to use it. Just think on the bit with passwords, it's easier to use a FOB or FOB+biometrics in many cases because these people will use phrases that are easy to crack, or simply write them down.

            One case I remember, and this was a government office for a

      • Lawyers do not generally like to put their communications in a discoverable medium. This is even though they are protected by the attorney-client privilege and the federal rules of civil procedure. Anything important will be in a phone call.
        • The phone calls are all recorded, and voice recognition technology makes them just as searchable as text. Better to have a face to face meeting. In a bunker.

          • Discoverable in court is not the same as discoverable by NSA. In general, they just don't want their conversations to be admitted as evidence in a civil case.
      • The law firms who are my clients don't encrypt anything except the occasional PDF. Instead, they add nonsensical boilerplate to their signatures.

        A few days ago I sent a message with some questions in it, and the response came as a scanned image of my message with the attorney's hand-written notes scribbled onto it, embedded in a PDF. On the upside, the nonsensical boilerplate was absent. :-)

    • -----BEGIN PGP MESSAGE-----

      owE7HZzEEF25rNJZPTc/T8GpqDQ5VUchL79EIbUstahSIb0gXaG0OLVIIbNYoSCx
      KDEvPzNFT0EhPDGzREchJV+hMr9UISM1sQhI5GQm5xeUpBYV23MBAA==
      =11ux
      -----END PGP MESSAGE-----

    • More seriously, I guess that explains why your gpg keys are all revoked:

        gpg --list-keys perens
      pub 1024R/2C1FBBB2 2014-06-16 [revoked: 2016-08-16]
      uid Bruce Perens

      pub 1024R/F6599E8D 2014-06-16 [revoked: 2016-08-16]
      uid Bruce Perens

      But not all gpg users are paranoid and into conspiracy theories and whatnot.

      • I haven't ever taken them seriously enough to do good key management. As hardware tokens become more popular and as they get good hardware (not the case so far) and fully disclosed source code, this problem will be solved for a lot of people.
    • by gweihir ( 88907 )

      It seems some people have more sane friends than you. I never had that problem. Of course, I am not a public figure in any way, and that helps.

    • by shanen ( 462549 )

      WOW. Are you the famous person with that name? Surprised to discover that I haven't read any of your books, but I'll check the local libraries now... (Too bad. Only one, and not in English.) (But I'm sure I've read some of your articles or stuff on the Web.)

      Mostly reacting in surprise that you reject encrypted email, even though that is what I'm advocating (at least as a user option) for confidential-mode email. I actually think that people who want to send confidential-mode (or encrypted) email should be f

      • There's a big difference between digital signature and encryption. Being a public figure, transparency is important. So in general I'd rather sign my name to what I do and publicize it, and putting a digital signature to that wouldn't be bad. It's not the technology of encryption that I object to, just that people who want to hide things are often involved with things that I'd like to stay far away from.
        • Actually in the case of public figures, I'm still advocating for "celebrity" email. I think of it as a kind of mailbot for the dual of the spammer problem. Spam is a horde of fake senders with fake messages, whereas a public figure may face a horde of real people with real messages.

          As it might work in your case, the incoming email would be parsed searching for obvious topics and even the sender's sentiments about those topics. That analysis would be bounced back to the sender as a webform for confirmation o

        • By the way, I'm just finishing the book Phishing and Countermeasures by Jakobsson and Myers. About 30 pages left out of 700, and largely concerned with email and the security thereof. And pretty much obsolete before the ink dried, but I needed some light summer reading. Why mention it? Partly for the cred claim, but upon reflection I think it's mostly to ask for a more up-to-date reference... I think you're still at the leading edge of these things, so...

          How do you keep up?

    • by kqs ( 1038910 )

      Please describe a secure email system which will not be defeated by a screenshot or camera.

      • by gweihir ( 88907 )

        Very simple: It includes a big nasty person standing right next to you when you read email. This person also does a strip-search before you are allowed anywhere near your email and takes away all your devices. Unfortunately, this is not fully secure either. Somebody with the right kind of memory could just memorize the email and type it in again later. So that big, nasty person needs to hit you on the head periodically to clear your memory.

        Beyond that, nobody has ever come up with anything that works. Crypt

  • Is it that hard to conceive?
    Any electronic communication is intrinsically unsuitable.
    On either end there needs to be a moment when the information is plain text readable, thus copyable, thus insecure.
    If I can gain control of your end device, I can read it.

    Even DHT (and similar) are unsuitable for the same reasons. Maybe you get "in transit" confidentiality. But just that.

    You'd better meet your correspondent in a crowded and noisy place, change position frequently and talk by whispers while covering your mou

  • ... anything other than confidential.
    Wether Googles "confidentiality mode" is sufficient or not is to a larger extent probably a very silly question to ask, IMHO.

  • Thanks for all the neat new features, Google! but you missed one: How do I keep my email confidential from you? The only solution I see is to not use your service.

    Thanks again!
  • by shanen ( 462549 ) on Sunday August 19, 2018 @03:05PM (#57155852) Homepage Journal

    As one of one of the instigators of this discussion, I'm kind of disappointed... So let me try to summarize.

    There seems to be an extremely strong consensus that confidential mode is a bad idea badly implemented. I would go farther and count it as more evidence of the increasing badness and evil of the google, but there wasn't much discussion along such lines and assigning the blame doesn't matter too much anyway. This is a bad feature that keeps rising from the grave like any good zombie.

    I was unable to detect (in this discussion or anywhere else) any good reasons for this feature. Absence of evidence is not proof of absence, but if anyone does have a good reason for confidential mode email, then I hope you will share it. I'll continue searching the discussion (until it expires in a day or two), but obviously I'd be more likely to find your "good reason" if you reply to this comment...

    My first suggested solution was a way to reject incoming confidential-mode email. Some people seem to agree that would be good, but no one (whose comments I found here on Slashdot) actually pointed at a way to do it or at a way to persuade the google to give us that option. I would also count it as a solution if someone knew of and told me about a full-featured email system with the option (and I even consider this feature bad enough to justify the large effort of leaving Gmail).

    My second proposed solution is a sabotage pledge to subvert the intended confidentiality of any such email I do receive. Again, no local support, but now I wonder if it matters. I've realized that this feature may be doomed to disaster. Some people are going to take those obvious pictures of the confidential-mode email, and at some point the google is going to get dragged into a hefty lawsuit that may help the google realize the error of its ways. Kind of a shame that #PresidentTweety doesn't use Gmail, but I hope this feature persuades him to start. (Since the orange topic came up, I can't resist a link to this hilarious new music video and tribute to Aretha Franklin: https://www.youtube.com/watch?... [youtube.com])

    • by gweihir ( 88907 )

      This is a bad feature that keeps rising from the grave like any good zombie.

      Well, that is something I can agree to. I blame the self-destroying recorders in "Mission Impossible" and the like (they do not work either) for the broken idea that you can make any message be transmissible only over one hop. The reality is that this is against the very nature of data transmission and that any message, even analog, can be copied and passed onward with the right equipment.

      That Google offers this, even with (apparently) a claim in the documentation that this is only to prevent accidental co

    • One excellent use case for this feature is to make it much easier to classify the email you want to read from someone's mailbox using it instead of having to dig through all their email to find the juicy bits.

      So for Google Mail Administrators, for example, they can focus their reading time on people's confidential mode emails and ignore the rest, which is probably mostly spam anyway. See how useful that is?

      • I know you're being tongue in cheek and I might even give you the funny mod point if I ever got one to give, but you managed to hit another interesting note...

        If I were a nosy and intrusive government agency with a FISA court to appeal to, I would go for a blanket warrant on this feature, starting with a less intrusive meta-information version. "We don't wont to look at their email yet, but we just want to know who is using this feature so we can check the names against our other lists to see if any of them

  • This could only be more ironic if it were Yayhoo doing it.

  • ... or better put - doesn't even come close to the stuff that ensures privacy and anonymity, as opposed to, say, the many good suggestions in the great Intercept's tutorial for anonymous sources [theintercept.com].

    This makes you wonder if Google purposely created such a feature at the request of US authorities, in order to trick unsuspecting whistleblowers (and yes, criminals too) into a system that is already compromised and gagged by default. The OP does raise a relevant problem - we need a feature to prevent retieval, hell

  • by SeriousTube ( 2575581 ) on Monday August 20, 2018 @06:08AM (#57158392)
    Anyone sending me so called confidential mode email gets their mail dropped. If your server (mine is fastmail) supports sieve code - if exists "X-Gm-Locker" {reject "Google confidential mode emails are automatically rejected at this email address"; }

You know you've landed gear-up when it takes full power to taxi.

Working...