Alongside the major Gmail design refresh, which brought a new UI, offline support, and many other smart features, Google also rolled out a new privacy-focused feature called Confidential Mode.
As the name suggests, this new feature is focused on providing you a secure channel to exchange e-mails but the Electronic Frontier Foundation (EFF) believes that such claims are simply misleading. The confidential emails get deleted automatically after a fixed expiry period and do not allow users to print or forward them, but it still has huge gaping security issues.
Firstly, the EFF says that emails you send using this feature are not as confidential as Google claims they’re not end-to-end encrypted (E2E) and can be seen by Google’s email reading systems. Yes, you might set a passcode or an expiration date but the contents of the email are not completely hidden from the tech giant, who does store a copy on its servers.
This means that expiring messages have no meaning for the sender as the messages are not completely ephemeral. The confidential email may vanish from the recipient’s inbox, but they can take a screenshot and or a photograph of it.
Plus, that’s not all. It has been found that confidential emails do not fully disappear from the sender’s sent folder. As you can see in the screenshot below, we had tested the confidential email feature when it was rolled out in May, and we are able to retrieve the contents even today.
Further, EFF goes on to point out that the confidential mode feature can expose the phone number of the recipient and give malicious actors access to two very important pieces of information at once – an email address and the associated phone number, since this piece of information is required for the passcode feature to work. A lot of the time the recipient’s mobile number would be entered without their consent, which is another privacy concern.
In addition, cybersecurity officials from the Department of Homeland Security (DHS) have claimed that Gmail has vulnerabilities that could lead to phishing attacks and expose the personal data of users. The DHS says confidential mode requires you to click a link to view the message, which could be a window for hackers to trick unsuspecting users.
While the ‘confidential mode’ sounds fun and safe, all of the aforementioned points should make you wary of using it. And even if it’s not exploited by malicious actors, it’s certainly not as secure as Google made it out to be.