Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Gmail’s Confidential Mode Isn’t

Google recently rolled out a feature called “confidential mode”, which claims to prevent disclosure of an email message to anyone other than its intended recipient. The message can only be viewed by the person you send it to, and cannot be forwarded or copied.

Or can it?

What’s that old saying? Oh yeah: “If it can be seen, it can be copied.”

Let me show you how by sharing one of my so-called “confidential” messages.

Become a Patron of Ask Leo! and go ad-free!

Composing confidential email

Compose a new message in Gmail, and you’ll see a combined padlock and clock icon near the bottom of the message.

Composing a message

Click that to set confidential mode options.

Confidential Mode Options

There are three basic characteristics of confidential mode:

  • The message cannot be forwarded, copy/pasted, downloaded, or printed. This is not optional, as it is the basis for confidential mode.
  • The message can expire, meaning it’s available to be read only for a certain period of time. After that time, the message cannot be retrieved.
  • The message can require an SMS passcode to be viewed. As we’ll see shortly, if this isn’t selected, a passcode will be emailed instead.

For our example, I’ll simply leave these as the default: one week, and no passcode. Click Save to apply confidential mode to the message.

When a message has confidential mode applied, a warning appears at the bottom of the message before you send it, along with the option to edit the settings if you change your mind.

Confidential message with warning

With confidential mode applied, click Send to send the message.

Receiving confidential email

Instead of receiving the message directly in their inbox, the recipient will get a message from Google containing a link that must be clicked in order to view the message.

Receiving a confidential message

This is the way most confidential and some email tracking services operate: the message is not displayed as an email message in your email interface or program, but as a webpage. The service has significantly more control over what the user can do while viewing the message as a webpage.

Click on View the email and Google will indicates it will send a passcode to the email address the message was originally sent to.

Send passcode

This almost-two-factor authentication is what restricts access to the email only to the intended recipient. The notification email above can be forwarded. But in order to actually view the message, you must still prove you have access to the original email address the notification was sent to.

Passcode entered

Once you enter the passcode and click Submit, the message is displayed.

The confidential message, displayed

What’s wrong with this picture?

That’s how Gmail’s confidential mode works. It’s kinda nice, for what it is.

But it’s not confidential. At best, it puts up a few barriers and makes forwarding, copy/pasting, or downloading the message more inconvenient …

… but still possible.

In fact, I just did it.

See that last image of the supposedly confidential message above? I just shared it with you. All I had to do was take a screenshot. I can forward or download that screenshot; I could even run the image through OCR to put it back into editable text format.

Or I could post it on a public webpage.

That’s not particularly confidential, as far as I’m concerned.

What’s wrong with this picture is that I can take a picture. And even if screen-shots were disabled somehow, there are other techniques to capture it, including simply taking a photograph of the screen.

“If it can be seen, it can be copied.” No exceptions.

Expectations and trust

Confidentiality is a matter of trust, and there are several scenarios where trust can break down:

  • Your recipient has malicious intent. They can clearly save a copy of “confidential” email as long as they like, and use it however they want to.
  • Your recipient might just want to save things for their own records. Again, they can clearly save a copy of “confidential” email as long as they like, for any reason.
  • Your recipient might have malware, and malware can easily take screenshots as I have above. With malware, all bets are off.

I’m not saying confidential mode might not be helpful in some scenarios. My concern, though, is that promoting this as truly confidential sets an unrealistic expectation. In reality, the recipient can easily breach confidentiality.

Podcast audio

Play

Video Narration

30 comments on “Gmail’s Confidential Mode Isn’t”

  1. Based on the “you can take a picture of it” statement. Nothing in the world is confidential. Tell a friend a secret, they could record it. The Mission Impossible tape recordings could have been recorded as My Phelps listened to them. Top secret government documents have been compromised electronically and via film cameras.

  2. I differed with the other commenters here. I didn’t assume screenshot. I just assumed ‘intercept the email’

    If the actual content isn’t displayed in an email client, it’s not an email. it’s a web page.

    Pedantic and semantic…yes, but. This isn’t confidential, nor is it email.

  3. Inspired by the article, “Gmail’s Confidential Mode Isn’t”, the comments from Gary T and Bill really hit the nail on the head.
    The article points to a very large matter with another dubious indication from Google. The giant that it is and the useful services we may easily appreciate from Google, can blind any one of us. Sure, we want very much to float about within an atmosphere of personal freedom and security. But can we?
    Seems there are more and more boxes adjoining sentences and paragraphs that ought to to be checked and unchecked.

    • Actually I have heard of ways to disable screen shot capabilities, which would impact its ability to do what it does. But as I said in the article there are ways around that.

    • Yes, and even if they don’t have the Snipping Tool, the PrtSc (Print Screen) key will save the screen shot to the clipboard which can then be pasted just about anywhere.

    • If it is a text message, you can do that. If it is an image, you have a photo of the message and not text. You can try to OCR the image but that is frequently iffy from screen shots.

  4. As soon as I started reading I thought “CaptureWiz,” a more powerful screenshot program with scrolling that I use. I’m not sure that this new “feature” does anything but create a false sense of security. The sender gets no confidentiality benefit since the receiver can do whatever they like with an image of the message. For the recipient, unless the SMS option is selected for two stage ID, anyone with access to the email account in the first place can have the passcode sent to the same email account! And in the case of a spouse snooping on their mate’s phone, that goes out the window too.
    The feature itself is a nothingburger and the false sense of security created can actually have the opposite effect.

  5. I never put anything on the Internet (Facebook, email, etc.) that I do not want to see on the front page of the New York Times tomorrow.

  6. Even if it’s from Google, it seems to have enough problems calling themselves features to look like spam/an exploit to those that have never heard of this. Am I correct that you have to enter a passcode to view it? How would non-Gmail users know what to do with it, and what if you’ve set your email/webmail to reject such things?

  7. I take it to mean that only the recipient can read the message. What the recipient can do with the message is out of anyone’s control, no matter hoe the message is sent – even if encrypted. The confidential mode just ensures that someone else besides the recipient gets to read the mail, especially if sms authentication is used. Nothing is safe if it can appear on a screen unencrypted.

  8. that reminds me, leo
    every now and then it happens to me that somebody says to me ‘you shouldn’t have forwarded this eMail’
    had i recognized a confidential content i wouldn’t
    is there a kind of netiquette which i’m not following?

  9. Of course, once the recipient has it, all bets are off – but that applies to anything. The question is how to transmit information confidentially, and it’s a big one – this is still the reason I am frequently given for certain organizations refusing to communicate by email (still fax only!) – medical information, for one, but many other situations as well. It doesn’t always matter that the recipient can record or re-transmit it – once they get it, it may well be theirs to do with as they please, but still *your* responsibility to make sure that no one but them receives it. There is a difference between the *message* being confidential and the *transmission* being secure, and being able to transmit securely is of *huge* importance to many organizations.

    • While I absolutely understand what you’re saying, the way Google is positioning this is all too easily misunderstood — especially that part about “can’t be forwarded”. I don’t want people to be mistakenly thinking that the feature is more than it really is.

  10. If after all the technological effort garnered at ensuring confidentiality could not work, what can we then do?
    By the way please, I was once asked to mail a screenshort when I encountered a problem; I could not provide the screenshort. How do I?

  11. Nothing is private or confidential once it is on a computer or sent through cyberspace/internet. There is another work around using the printer functions. Screen shot/Print screen then paste or take a pic of the monitor screen and upload it to the computer. There is a print feature which allows changing the print source from one printer to another. It also has a Microsoft feature: Save as PDF, document, the open the pdf doc and print, share or whatever. As I often tell ppl new to computers, Nothing is private or safe on the Internet. Once it is put out into Cyberspace it is open for hackers to intercept or access it. I tell ppl not to put anything on the Internet, esp social media programs, that you wouldn’t want the world population/general public to know. Facebook has become widely used by employers to spy on their employees and to check out applicants for a job. Same with all social media. Bottom line, if its on your computer or has been sent through Cyberspace/Internet, it is accessible by hackers or anyone with the knowledge to access programs. 10 and 11 year old kids have the knowledge to do so.
    The first virus, Elk Cloner, was created in 1982 by a 15 year old called Rich Skrenta who was in the 9th grade at the time. The virus was initially created as a joke and was only meant to be part of a game. Skrenta had absolutely no clue that his creation would reach such commendable heights. The virus spread via floppy disks, which were very popular at the time, and attached itself to Apple 3.3 operating systems.
    source: https://blogs.quickheal.com/the-first-pc-virus-was-designed-for-an-apple-computer-by-a-15-year-old/

  12. How come….
    Everyone seems to be bashing Google for the Confidential mode. Claiming it is not secure, because screen shot can be taken and forwarded.
    Come on guys. Why are you seeing only the holes in the cheese? This applies to any secure communication; your login to public online services, your online banking website, any S/MIME encrypted email, etc. Now, just because it does not protect against stupidity – it is still a great add on to allow users that do not have the major setup for secure emailing, to send a message, protected by HTTPS and with a fairly secure option for SMS second factor login.
    Of course Google can technically read it as well, but hey – if it is that SECRET, do not use Google at all.
    please explain, what is it I do not get here….

    • It’s not a question of bashing Google’s confidentiality mode. It’s a warning of the limitations so that people don’t expect it to do more than it can do.

  13. hi, i think this is a great mistake on the part of google. Your article nails it on the confidentiality side, but there’s another edge to this, which is the problem it creates for organizations that use email as a central part of their operating procedures. Suppose there is a small company that sells products via email purchase orders ? how can you trust a email purchase order when it can be wiped out whenever the buyer wants ??? Im surprised very few people talk about this side of the problem. I read a little further, and I suggest every company that uses email for operating procedures, should do 2 things :
    1.- At domain level disable the use of Confidential Mode for EVERY account in the domain. We don´t want our own employees messing around with erasable mails, and
    2.- Also at domain level, create a content policy to block ALL confidential mode mails, and send a warning to the sender stating that confidential mode mails are not accepted as company policy.
    Both rules can be enforced quite easily

Leave a reply:

Before commenting please:

  • Read the article. Comments indicating you've not read the article will be removed.
  • Comment on the article. New question? Start with search, at the top of the page. Off-topic comments will be removed.
  • No personal information. Email addresses, phone numbers and such will be removed.
  • Add to the discussion. Comments that do not — typically off-topic or content-free comments — will be removed.

All comments containing links will be moderated before publication. Anything that looks the least bit like spam will be removed.

I want comments to be valuable for everyone, including those who come later and take the time to read.