Google recently rolled out a feature called “confidential mode”, which claims to prevent disclosure of an email message to anyone other than its intended recipient. The message can only be viewed by the person you send it to, and cannot be forwarded or copied.
Or can it?
What’s that old saying? Oh yeah: “If it can be seen, it can be copied.”
Let me show you how by sharing one of my so-called “confidential” messages.
Become a Patron of Ask Leo! and go ad-free!
Composing confidential email
Compose a new message in Gmail, and you’ll see a combined padlock and clock icon near the bottom of the message.
Click that to set confidential mode options.
There are three basic characteristics of confidential mode:
- The message cannot be forwarded, copy/pasted, downloaded, or printed. This is not optional, as it is the basis for confidential mode.
- The message can expire, meaning it’s available to be read only for a certain period of time. After that time, the message cannot be retrieved.
- The message can require an SMS passcode to be viewed. As we’ll see shortly, if this isn’t selected, a passcode will be emailed instead.
For our example, I’ll simply leave these as the default: one week, and no passcode. Click Save to apply confidential mode to the message.
When a message has confidential mode applied, a warning appears at the bottom of the message before you send it, along with the option to edit the settings if you change your mind.
With confidential mode applied, click Send to send the message.
Receiving confidential email
Instead of receiving the message directly in their inbox, the recipient will get a message from Google containing a link that must be clicked in order to view the message.
This is the way most confidential and some email tracking services operate: the message is not displayed as an email message in your email interface or program, but as a webpage. The service has significantly more control over what the user can do while viewing the message as a webpage.
Click on View the email and Google will indicates it will send a passcode to the email address the message was originally sent to.
This almost-two-factor authentication is what restricts access to the email only to the intended recipient. The notification email above can be forwarded. But in order to actually view the message, you must still prove you have access to the original email address the notification was sent to.
Once you enter the passcode and click Submit, the message is displayed.
What’s wrong with this picture?
That’s how Gmail’s confidential mode works. It’s kinda nice, for what it is.
But it’s not confidential. At best, it puts up a few barriers and makes forwarding, copy/pasting, or downloading the message more inconvenient …
… but still possible.
In fact, I just did it.
See that last image of the supposedly confidential message above? I just shared it with you. All I had to do was take a screenshot. I can forward or download that screenshot; I could even run the image through OCR to put it back into editable text format.
Or I could post it on a public webpage.
That’s not particularly confidential, as far as I’m concerned.
What’s wrong with this picture is that I can take a picture. And even if screen-shots were disabled somehow, there are other techniques to capture it, including simply taking a photograph of the screen.
“If it can be seen, it can be copied.” No exceptions.
Expectations and trust
Confidentiality is a matter of trust, and there are several scenarios where trust can break down:
- Your recipient has malicious intent. They can clearly save a copy of “confidential” email as long as they like, and use it however they want to.
- Your recipient might just want to save things for their own records. Again, they can clearly save a copy of “confidential” email as long as they like, for any reason.
- Your recipient might have malware, and malware can easily take screenshots as I have above. With malware, all bets are off.
I’m not saying confidential mode might not be helpful in some scenarios. My concern, though, is that promoting this as truly confidential sets an unrealistic expectation. In reality, the recipient can easily breach confidentiality.