
Gmail’s new ‘Confidential’ features aren’t that private after all, report claims

The Electronic Frontier Foundation has accused Google of overselling Gmail's new "Confidential Mode", claiming that a lack of encryption and other problems prevent the functionality from offering much additional security.

For the uninitiated, Google rolled out a sizeable update to its flagship Gmail email service earlier this year, adding a host of new functionality. Chief among the additions was a new ‘Confidential Mode’, which allows you to set your emails to expire, to prevent them from being forwarded on, or to require two-factor authentication before they can be opened.

But the EFF claims that this functionality isn’t quite as secure as Google’s claims suggest (via HotHardware).

Firstly, while you can prevent someone from forwarding an email, you can’t stop them from screenshotting it and sending the image on.

Next, expiring messages aren’t fully deleted and stick around in other locations such as the sender’s sent emails folder, potentially making them vulnerable to being retrieved.

Finally, enabling two-factor authentication relies on you giving Google the email recipient’s phone number, which is information they might not want to be shared with the company.

Stopping short of encryption

The biggest security issue that Gmail currently faces is that its emails aren’t encrypted by default. This has a number of implications, most obviously that Google itself is able to read your emails, even if it chooses not to.

Yet there’s a method of email encryption that’s existed for decades that barely anyone uses. It’s called OpenPGP, and although a vulnerability called EFail was recently discovered, the underlying encryption is still sound and many email clients have now issued patches for the vulnerability.

Yes, you can manually enable OpenPGP in Gmail using browser extensions like FlowCrypt, but email is generally only as secure as its weakest link, and most people are unlikely to download and use an extension to secure their email.

What’s your secure communication channel of choice? Let us know @TrustedReviews.
