Gmail confidential mode

(gsuiteupdates.googleblog.com)

260 points | by brajesh 1836 days ago

37 comments

  • drglitch 1835 days ago
    I feel that many of these pseudo-secure, proprietary enhancements to email create a false sense of security for non-tech-savvy users. Given the smoke-and-mirrors presentation of this as a way to "secure your email^tm" and the plethora of recent info leaks, i am sure some poor c-level exec will get caught inadvertently sharing something with an external recipient thinking that it will disappear in a few days, but then find themselves in a middle of a publicity nightmare.

    In my utopia world, i'd love to see basics of information privacy and personal security be taught in schools akin to Driver's Ed or Sex Ed classes.

    • gibba999 1835 days ago
      There are two schools of thought:

      1) Security has to be enforced by code

      2) Your employees are reasonable, and won't try to maliciously bypass security controls

      I'm firmly in camp #2. In a normal corporate setting, a locked door or a locked cabinet is security, even with a cheap, easily pickable lock.

      That's all this is. And for 95% of corporate applications, that's good enough. If you have high-level executive crime, or a scandal where you killed a few people, this won't help, of course. But if you'd like to keep an upcoming merger confidential, or maintain a trade secret, or anything vaguely normal, this is more than good enough.

      This also helps with email retention policies. Sometimes you want ephemeral communications you don't want a record of. This isn't necessarily malicious either; in more litigious industries, emails can be obtained through discovery and quoted out-of-context. Things like typos can get you (goodness knows I've made enough of those). Sending an email which communicates something and disappears in a week is helpful.

      • naravara 1835 days ago
        2) Your employees are reasonable, and won't try to maliciously bypass security controls

        Corollary: unless those controls impede their ability to do their jobs. This goes into a bit of UX design thinking, where you have structure your security controls to be minimally invasive or invisible, if not complementary to the business' operations.

        >That's all this is. And for 95% of corporate applications, that's good enough. If you have high-level executive crime, or a scandal where you killed a few people, this won't help, of course. But if you'd like to keep an upcoming merger confidential, or maintain a trade secret, or anything vaguely normal, this is more than good enough.

        Kind of. Partly you only get there by having a company culture where people value this sort of thing. Company cultures where everyone is out for themselves are likely to see worse compliance. But a company like Apple, which is famously secretive, are likely to do better. On the other hand, even Apple employees screw up in some pretty boneheaded ways, like that time a dude left a prototype iPhone in a bar that would up getting sold to Gizmodo.

      • ABCLAW 1835 days ago
        No, these records will remain discoverable through Vault, unless I'm reading things wrong.

        In fact, these records will be even more discoverable than the standard inbox dumps because they're pre-curated with messages that the senders thought were sensitive.

        It appears the only point where there's an extra hoop to jump through is with an external sender. In cases where that sender is in another jurisdiction or the investigation is purely internal, the added cost will likely stop further inquiry.

        I can see legal departments requesting filters to block acceptance of external messages as a result. Just takes the metadata from one confidential email a competitor sends you to make it look like you're a bad colluding boy.

        • smolder 1835 days ago
          Agreed, this almost seems geared towards enhancing spying in that sense.
      • ptero 1835 days ago
        I agree with your stance -- in a vast majority of corporate setting trying to enforce security with code tends to cause more problems than it solves. It alienates users and makes them skip sanity checks and use loopholes (whatever is allowed by the security must be OK to use). Informing users of the policy and providing tools for them to voluntarily check compliance when needed works much better.

        > This also helps with email retention policies. Sometimes you want ephemeral communications you don't want a record of.

        This IMO is a lost battle. Once "Sent" gets pressed you should assume the message is out in the wild (any retention policies only complicate experience and can be ignored/countered by clients). If you want ephemeral communication, pick up the phone or talk face to face. My 2c.

      • beatgammit 1835 days ago
        That only works for internal communications. Once it leaves Google's servers, you lose all control. I don't know the specifics here, but the only ways to guarantee that an email server somewhere isn't caching your emails (and I don't trust Google to not cache them either) is to either encrypt them (GPG) or require hitting your server to read the email (potentially what Google is doing), and that doesn't prevent the user from copying it (but at least you can know _who _ copied it or let it be copied).

        I don't know how external access works, so maybe they're doing more than they say they are, but I don't trust my coworkers, I shouldn't trust Google either. Client-side encryption is the only acceptable solution IMO.

        • ghaff 1835 days ago
          Pretty much anything that can be consumed (read, viewed, listened to) by a person can be recorded and retransmitted in some form. This has always been true to a certain degree of course. With everyone carrying around a recording device almost everywhere, it's even truer today.

          Sneaking a photo of a screen used to at least require a certain premeditation that was spy movie stuff. Today, it's casually pulling a smartphone out of a pocket.

          If anyone can see or hear somewhere, barring the seeing or hearing being confined to a secure environment it can be easily and casually recorded.

        • derefr 1835 days ago
          I think this is only for internal communications. They were talking about this feature being “enabled by your GSuite domain administrator.” Presumably it only works for email sent between members of the affected domain (though I’m not sure why they’d fail to mention that.)
          • eitally 1835 days ago
            No. It does, definitely, work with external recipients.

            Source: am googler, have used.

            • myrandomcomment 1835 days ago
              How? If you send an email with this on to me@protonmail.com and I download the message to my IMAP client how does google magically reach out and delete it from my hard drive? Is the email HTML only that only displays the text when the user is online and that text is fetched from the Google server? Let us say it is and I view the email, how does Google stop me from cutting and pasting that email using my thunderbird, et.al. IMAP client?
              • Spoom 1835 days ago
                You view the message on a Google server through a browser. The message body is never actually sent to the recipient's address.

                "When someone sends a confidential mode message, Gmail removes the message body and any attachments from the recipient's copy of the message. These are replaced with a link to the content. Gmail clients make the linked content appear as if it's part of the message. Third-party mail clients display a link in place of the content."

                From https://support.google.com/a/answer/7684332

                • myrandomcomment 1835 days ago
                  Thank you for explaining. Also I guess I will be able to write an auto reply message that say “Sorry, I refused to received messages of this nature.”
            • voxic11 1835 days ago
              What happens if domains have conflicting policies set?
          • atonse 1835 days ago
            Does that mean I then can't use a native mail client?
      • lrvick 1835 days ago
        Camp #2 is naive and dangerous thinking if your company protects anything of value. Even if every employee is honest today, one of them can be extorted tomorrow. If you allow your employees easy access to substantial value without hard technical controls to enforce accountability then you are creating a situation where someone has reason to threaten or harm your employees.

        Gas stations have "Never more than $200 in the drawer" for a reason. Criminals knowing that is the case deters most of them and if it doesn't you are out $200 at most.

        • seventhtiger 1834 days ago
          As an information security analyst for an organization that deals with highly valuable info assets, I agree. The comment you replied to sounded like how employees argue for less security. They don't understand the scope or environment of information security.

          95% isn't nearly secure enough. You're actually looking for the one malicious agent among thousands. If you conduct contracting bids, you have to realize that at any moment your employees can be offered incentive to leak, and their leaks will cost millions of dollars.

          So when we apply our strict need to know policies and data transfer tracking, it's not about trusting individual employees. It's about finding a needle in a haystack.

      • gruez 1835 days ago
        >Sending an email which communicates something and disappears in a week is helpful.

        There's nothing on the page that says google will purge all copies after the deletion date. I'd imagine that because google keeps backups, it'd still be available by subpoenaing google.

        • azurezyq 1835 days ago
          It explicitly said yes:

          > Additionally, if your users send or receive messages in Gmail confidential mode, Vault will retain, preserve, search and export confidential mode messages. The message body of received messages will be accessible in Vault only if the sender of the message is from within your organization. Learn more about how Vault works for confidential mode messages here.

          • cryptonector 1835 days ago
            I would not read that to imply that the message is not available for discovery. Legal pressure is legal pressure, and data is very hard to delete.
            • naniwaduni 1835 days ago
              I would read that as explicitly available.
      • jnty 1835 days ago
        Yep - It's a good and useful feature. But it's very poorly pitched. Calling it 'retention management' or something would have made it sound like the boring administrative management tool it is, rather than a magic self-destruct button.
      • ken 1835 days ago
        Corporations and governments have shown remarkable fickleness when it comes to definitions of words like "reasonable" or "malicious". Everyone thinks they themselves are reasonable.

        If the government comes knocking with a secret subpoena, what is "reasonable"? If someone malicious breaks in to your system, does it matter that this person isn't an employee?

        For "95% of corporate applications", even plain email is good enough.

      • throwawaymath 1835 days ago
        > There are two schools of thought: 1) Security has to be enforced by code

        2) Your employees are reasonable, and won't try to maliciously bypass security controls

        Huh? These aren't competing ideas. They're orthogonal, and should be covered by separate, complementary forms of security assurance.

      • gtsteve 1835 days ago
        Exactly. You might just forward an e-mail to someone with an action without thinking of the e-mail chain below.

        But if you're taking screenshots or photos of a secure e-mail because it doesn't allow you to copy the text, you know you're doing wrong.

        • mattkrause 1835 days ago
          I’m not so sure.

          I can easily imagine this system “training” users to take screenshots, especially if their correspondents are a little to eager to use this feature. It would only take a few rounds of “I sent you this”/“No you didn’t” with the boss, or the computer “eating” important documents.

          Now you’ve normalized this deviance and emails are now spread all over creation (including personal devices) and in a much less searchable format....

        • dragonwriter 1835 days ago
          > But if you're taking screenshots or photos of a secure e-mail because it doesn't allow you to copy the text, you know you're doing wrong.

          Plenty of office workers use screenshots to copy and paste text into emails, etc., just because, so unless you first break them of this habit, using screenshots to copy secure email isn't really much of a signal of awareness of wrongness.

    • teekert 1835 days ago
      Huh? Can't print this email? Let me forward to my non-secure other address.

      Huh, message is going to expire? Better make a screenshot that syncs who knows where.

      If they were serious, they'd create a mode that mirrors Protonmail, where they can't even read your stuff. And make it easy to use PGP.

      As suggested below/above, the fact that our company Office365 Android env stops me from copy pasting text to other apps does one thing: It makes me forward certain mails to my home address.

      • tracker1 1835 days ago
        I'm curious how they prevent printing.. is it a custom chrome configuration, and they only allow viewing in chrome? Even then... Copy/Paste, F12, copy/paste, etc.

        Agreed on the forward thing. Though, fortunately I'm not currently as locked down as your android config, it would seem.

        It's a relatively nifty feature for users emailing from/to gmail only and then likely just to match a couple of feature people have come to expect when using Outlook/Exchange(or office 365). But definitely oversold on security.

        • scintill76 1835 days ago
          I think it would be easy with standard CSS: @media print * { display: none } Yes, it's circumventable, but they're going for accidental leaks, not intentional.
      • freshm087 1835 days ago
        In real life, most of the corporate leaks are accidental. Disappearing messages, and sharing/printing restrictions can perfectly augment employee training, reminding them that some things require more careful touch, and reduce the chance of making thoughtless mistake. Sure, making email e2e-encrypted is a good thing, but completely different one.
    • numbsafari 1835 days ago
      How long before someone makes a chrome browser plugin that will automatically screenshot and download any message flagged in this manner?

      Completely agree with your last sentiment. We all assume that "kids these days" grow up well aware of these things, but my experience to date has been that new hires are disturbingly unaware of these things.

      • beatgammit 1835 days ago
        On that note, I wonder if Firefox's new screenshot utility has an API for extensions...
      • 908087 1835 days ago
        The "kids are tech savvy these days" narrative seems pretty ridiculous once you consider the fact that most of them have never so much as manually installed a piece of software that didn't involve an "app store" on a touchscreen device.
        • UI_at_80x24 1835 days ago
          This 1000x

          They don't know computers any more then they know toasters. They push a button and get a result. If not reboot it and push button again.

    • jimbojones2 1835 days ago
      this is nothing more than a "me-too" feature to stack up one more checkbox in the gmail vs exchange sales pitch

      https://support.office.com/en-us/article/mark-your-email-as-...

      • sam_goody 1835 days ago
        I imagine they will show confidential emails to other gmail users inline, but make a link for non gmail users.

        It is in Google's interest to make GMail less and less the same as "plain mail", until you are forced (for practical reasons) to create a Gmail account to interact with other Gmail users.

        Together with Amp and Chrome, eventually we will be at a point where the decentralized internet is replaced by Google's servers and software.

    • jwr 1835 days ago
      > In my utopia world, i'd love to see basics of information privacy and personal security be taught in schools

      Yes! This should be required, beginning in primary school and extended into high school.

      Concepts like authentication, encryption, man-in-the-middle attack, why authentication without encryption isn't very useful for communication, etc — this is not "technical" (I hate this word; it is used as an excuse not to think). It should be taught as part of basic education.

      • sokoloff 1835 days ago
        In a world where basic civics, economics, and other life skills are not pervasively and effectively taught (at least in the US), I doubt our ability to teach this more complex and somewhat less obviously relevant content.
    • dontbenebby 1835 days ago
      >I feel that many of these pseudo-secure, proprietary enhancements to email create a false sense of security for non-tech-savvy users.

      OTOH, circumventing a security measure means deliberately violating someone's boundaries.

      For example, I communicate with my friends and partnets with Signal often. We usually keep the disappearing messages setting on so that over time, our ephermeral conversations drift away. (Especially useful since even if someone is not malicious, a stolen or compromised device could leak sensitive conversations).

      I suppose someone could capture and save an embarasing conversation. But if they did that, I would turn around and shame them - for violating my boundaries, for breaking my trust, and using that trust to bully me.

      I suspect that given how the conversation on privacy has shifted, it would be viewed worse to steal someone's nudees, gripes about friends/coworkers, or jokes made in poor taste than it was to do the original communication.

      Total security is impossible, but I can ensure that it will be abundantly evident you are an untrustworthy, phony, and malicious person if you circumvent access controls to leak my communications.

    • milankragujevic 1835 days ago
      If it makes you feel better, I had an "security online" course in middle school and high school, but had no drivers ed or sex ed at all, from primary to high school to college :) Serbia is the country.
    • jnty 1835 days ago
      It's disappointing that the article doesn't lead with this limitation. We (and everybody who's used Snapchat) know that self-deleting messages aren't truly possible, but there's no reason everybody should.

      This is definitely a useful feature to manage sensitive documents within organisations where good faith (but not necessarily diligent policy adherence) can be assumed, but it's pitched dangerously wrong as you say.

    • mmis1000 1835 days ago
      I though 'secure' here is misleading. The feature here actually sounds more like an accident prevent tool to prevent your coworkers from accidentally forward / share the contents to someone it should not to. And does not provide any sense of 'security' at all. Thinking it is 'secure' actually open up a big security loophole instead provide any extra security to you.
    • Spivak 1835 days ago
      This feature isn't about security. Email is already pretty secure with TLS and DKIM. This is basically the equivalent of the "DO NO FORWARD" header people use for internal-only information but with a little more UX polish.
      • kzzzznot 1835 days ago
        I think what the parent is saying is that they feel this DO NOT FORWARD header feature is being presented as a security feature. I probably agree
        • anticensor 1835 days ago
          This is an algorithmically enforced one, though.
          • Stuckinsofa 1835 days ago
            But anyone can screenshot the message or take a photo of it. The point is that it's not actually enforced.
            • beatgammit 1835 days ago
              Anyone can screenshot or take a photo of any decrypted message. The question is when the email leaves Google's servers and whether you can trust Google with that same document.

              Personally, if I had a message where I would consider a tool like this, I would just encrypt it on the client with PGP or something.

              • lodi 1835 days ago
                > Anyone can screenshot or take a photo of any decrypted message.

                Yes, but ordinary decrypted messages don't claim to have superpowers like self-destructing.

              • Stuckinsofa 1835 days ago
                The person I replied to wrote that this was "algorithmically enforced". I'm just pointing out that this is incorrect.
          • TrueDuality 1835 days ago
            As long as it doesn't leave Gmail.
      • hammock 1835 days ago
        I believe Gmail already has that feature for corporate gsuite- greying out the forward button or something like that. Could be wrong. I know for sure Outlook has it.
    • shereadsthenews 1835 days ago
      IT admins just want what they want and you can't change their minds. Eventually gsuite will sprout every dumb feature all of its competitors and predecessors ever offered.
    • option_greek 1835 days ago
      > In my utopia world, i'd love to see basics of information privacy and personal security be taught in schools akin to Driver's Ed or Sex Ed classes.

      Except that the last two don't change much while keeping pace with first is like riding a tiger. You can never get off.

    • freshm087 1835 days ago
      It's not "pseudo", it is a tool to reduce risks of accidental leaks, and to enforce discipline. Used in a right context it increases security. However, I agree that it's proprietary, and it would be better to have such things in RFC.
    • Jemm 1835 days ago
      Sex ed is not the best example as it is a political hot potato in many places where the right want to limit sex ed and the left want to expand it.
    • jancsika 1835 days ago
      If the upshot of the class is anything other than we don't yet know how to make software secure or private, it's a drama class.
    • hammock 1835 days ago
      "A lock only keeps honest people out" is ancient wisdom and this is not a new debate.
  • jimbobimbo 1835 days ago
    There's a phrase that large companies often use to explain "puzzling" features like this to detractors: you are not the target audience. Often this phrase is mis-used to cover up straight up bad ideas, but in this case it's right on the money.

    The target audience for this feature are CIOs of organizations Google sells G-Suite to. Companies do need IRM on emails, to prevent leaks that could happen by accident or intentionally; to limit email audience; to avoid endless replies-to-all on announcements; to put an expiration date on the "perishable" bits of information; etc. I'm pretty positive that they have to have this to compete with Office 365, which had IRM [1] for a very long time.

    Yes, it's not perfect, however, if it's there, it mitigates a lot of the issues I mentioned above. Note the wording: "mitigates", not "fixes".

    It's interesting that they still list screenshots as a possibility: email clients (e.g. Outlook) are able to utilize OS mechanisms to prevent those as well. I thought that browser protected media APIs would allow Gmail opt-in to this kind of protection too.

    [1]: https://docs.microsoft.com/en-us/office365/SecurityComplianc...

    • judge2020 1835 days ago
      Would like to note more IRM for DLP (data loss prevention) is an upcoming feature:

      https://support.google.com/a/table/7539891

      > Information Rights Management (IRM) for DLP

      > Enable IRM enforcement as a DLP remediation action.

      > In development

    • dontbenebby 1835 days ago
      >The target audience for this feature are CIOs of organizations Google sells G-Suite to. Companies do need IRM on emails, to prevent leaks that could happen by accident or intentionally

      I encourage anyone with a Gmail to take a lot back 1, 5, 10 years. There's a lot of data there. Setting up an automated deletion policy can be a great risk mitigation feature.

      It won't stop malicious insiders, but it will help make sure run of the mill compromises won't be total disasters.

    • NullPrefix 1835 days ago
      > It's interesting that they still list screenshots as a possibility: email clients (e.g. Outlook) are able to utilize OS mechanisms to prevent those as well. I thought that browser protected media APIs would allow Gmail opt-in to this kind of protection too.

      Next thing you know, youtube ends up on the same list too.

  • saagarjha 1836 days ago
    > Recipients who have malicious programs on their computer may still be able to copy or download your messages or attachments.

    “Malicious programs” such as any standards-complaint email software?

    • Zarel 1836 days ago
      If I were implementing something like this, it would just be a link to an auto-expiring viewer page, if you opened the email in a third-party email client.

      And according to Google, that's exactly how it's implemented:

      https://support.google.com/mail/answer/7674059

      "Malicious programs" here most likely refers to things like keyloggers.

      • Gaelan 1835 days ago
        Oh god, this is going to be great for phishing.
      • incompatible 1836 days ago
        You aren't really sending email any more, just a link to a website.
        • lotu 1835 days ago
          This is unfortunately how lots of people and companies think "secure" email needs to work. Any message from my bank or doctor works this way even it is something as simple as an appointment reminder. It is massive waste of user's time and programing effort, but I'm afraid that is where the world is moving.
          • racingmars 1835 days ago
            Unfortunately doctors have to do this because the common legal interpretation of HIPAA and HITECH Act is that they have to.

            Dates of service for a patient are protected health information. Most covered entities and business associates won't risk sending any PHI using methods that are not covered under the safe harbor provisions of the HITECH act. So... endless proliferation of "secure email" systems instead of using email. (And I don't see S/MIME taking off anytime soon as an alternative, even though that would be sufficient to qualify for safe harbor.)

          • exolymph 1835 days ago
            Harder to spoof or phish (depending on the implementation). I know that a message shown on my bank's main website, with the correct URL, is legit.
        • tgragnato 1835 days ago
          Does this mean that I only need a new reject rule in my spam filter?
        • josteink 1835 days ago
          Also requiring the recipient to log into Google to allow google to track them.
          • npongratz 1835 days ago
            And conditioning users to click on links they see in emails. Ugh.
            • crysin 1835 days ago
              I've already experienced this with employers and when buying a home using "HP SecureMail" and some Microsoft e-mail encryption. All they would have in the e-mail body is a link and I would need to validate my identity in some way to access the "protected" content through the website instead of it just being in my e-mail.
          • acdha 1835 days ago
            I agree that this is something to be concerned about but according to the instructions it doesn't require a Google login so you could do the entire session in a private browsing window if you wanted as long as you can get the verification code by SMS or the email address.
            • 908087 1835 days ago
              "Private"/"incognito" tabs and windows do little to nothing to protect you from the kind of tracking companies like Google engage in.
      • paride5745 1835 days ago
        "Malicious programs" can also be taking a screenshot or printing the email.
      • incompatible 1836 days ago
        Um, but what about attachments? A screenshot of an attachment wouldn't be much use.

        Edit: I suppose it would be online PDF viewers etc., that allowed viewing but not downloading.

    • alkonaut 1835 days ago
      I assume the mail body is simply an URL pointing to somewhere the email can be read. Once there it would need to be rendered in the browser as an image.
  • ktpsns 1836 days ago
    > removing options for recipients to forward, copy, print, and download

    Oh please... Everybody can do a screenshot nowadays, and even Google itself integrated OCR into its Screenshot tool at Android a few years ago. What a waste of time to make the life of people harder who must use this "security" feature!

    • halayli 1836 days ago
      > Note: Although confidential mode helps prevent the recipients from accidentally sharing your email, it doesn't prevent recipients from taking screenshots or photos of your messages or attachments. Recipients who have malicious programs on their computer may still be able to copy or download your messages or attachments.

      it's not a security feature. it's to help prevent users shooting themselves in the foot.

      • a012 1836 days ago
        Can you explain how "removing options for recipients to forward, copy, print, and download" could "help prevent users shooting themselves in the foot"?
        • lozaning 1836 days ago
          I get a bunch of information through emails at work that Im not allowed to share outside the company, and tons of others that I need to send to people outside the company. If the people sending me the internal company emails mark them as such, I can be sure I never inadvertently forward the wrong emails to the wrong group.

          I think the threat model is about catching your own mistakes, not preventing bad actors from acting.

          • buboard 1836 days ago
            it seems it would be more useful to implement things such as "delete message after X days" or "do not forward" instead of mock features like this. Adding an autodelete feature in gmail is overly complex, requires filters + google scripts.
            • Cthulhu_ 1835 days ago
              Did you read the actual article? They added that as well.
              • buboard 1835 days ago
                Right but from the sender's side only. I wish there was an easy way to automate deleting of old messages e.g. auto-deleting my unread messages or most of the newsletter/promotional stuff.
          • TrueDuality 1835 days ago
            This feature only works for users of Gmail and specifically web mail. All the users I would want to have an extra layer around 'shoot themselves in the foot' usually also insist on using Outlook to access their email.

            This is simply a superficial UI that gives a false sense of doing anything for most of the cases.

        • stingraycharles 1836 days ago
          Not sure why you’re being downvoted. To me it seems only to increase the chance for users to shoot themselves in the foot, as they now have a false sense of security.
          • ShinTakuya 1835 days ago
            I agree, I can definitely see people thinking "oh, this has the option to forward, it must be safe to share".
        • ymolodtsov 1836 days ago
          The most important security feature is just the fact that email won’t be saved in that account. I had cases when I had to send or receive a small piece of sensitive data (SSN, bank account details) and we used Virtru for that. Now we can just send in Gmail.
        • tdb7893 1835 days ago
          The first thing that springs to mind is attorney client privileged emails. My understanding from how legal explained it to me is that if I have a privileged email conversation with them but then forward it to my boss that communication wouldn't be privileged (and I just shot myself in the foot legally)
    • duchenne 1836 days ago
      Yes, this system does not seem to prevent the information from spreading.

      I guess that the logic is that most people who know how to make a screenshot also know how to make a fake screenshot.

      So, let's say that Mr A is not a very honest guy. Moreover, Mr A has a sensitive document that could be a liability in court. He wants to share it with Mr B. But, he does not completely trust Mr B. With this system, he can share it. If Mr B sends a screenshot to the police or a judge, it will be easier for Mr A to claim that the screenshot is fake.

      That's just a guess... I hope that it was not the intent of the dev, though.

      • chronogram 1836 days ago
        Even easier, right? Can’t B press F12 and change the content easily? One mail is not enough evidence.

        A would be better off using something like Snapchat for the confidentiality.

    • lern_too_spel 1835 days ago
      This is a feature Outlook has had for years. Users understand it. It's only pedantic geeks who don't seem to understand the use cases.
    • reustle 1836 days ago
      The Airbnb app prevents screenshots on certain pages on the OS level on Android, I'm sure the Gmail app will do the same.
      • enriquto 1836 days ago
        > The Airbnb app prevents screenshots on certain pages on the OS level on Android

        it is creepily dystopian that this sort of behavior is even possible

        • monksy 1835 days ago
          Ticketmaster also does that. It's incredibly shitty that they disable functionality on your phone.
          • enriquto 1835 days ago
            The problem is that the operating system gives this power to the app developers and not to you. The shit is on the side of the android developers, not on the app developers, which are simply using an API available to them.
        • Cthulhu_ 1835 days ago
          I think you're overreacting there and misappropriating that term to express your outrage, without thinking of realistic use cases. It's a security feature. Bank apps and 2FA apps probably have it as well when displaying sensitive information. In Airbnb it's probably a protective measure to avoid sharing information via screenshots instead of links to the app / website though. That's not dystopian either though.
          • realusername 1835 days ago
            It's not a "security" feature, anything which can be displayed can be captured, you can even take a picture of your phone with another phone if you want, it just makes users annoyed without adding any security.
            • Spivak 1835 days ago
              Just because you can get around a policy doesn't make it ineffective. I'm sure that slight barrier reduced the number of people taking screenshots of their bank app 99%. Perfect is the enemy of good.
              • realusername 1835 days ago
                It just gets user annoyed for no reason, why can't they take a screenshot of their bank account anyway? It just makes no sense. I understand banks like it because they are full of regulatory security which don't make sense in real life, that's probably one more to add to the list.
          • andreareina 1835 days ago
            How about app makers stop infantilizing us? I'm an adult, responsible for my actions and the consequences thereof. I keep records of actions I take on my bank's website, so I have to work around them disabling right-clicks.

            I give them the benefit of Hanlon's razor as far as their reasoning is concerned, but it's not something to excuse.

          • enriquto 1835 days ago
            > It's a security feature. Bank apps and 2FA apps probably have it as well

            And I would be creeped out as well by a bank website disabling the ability to take screenshots!

            The computer is mine to command. I simply do not find acceptable that a user program can disable basic functionality.

            • ForHackernews 1835 days ago
              Sadly, I think the era of general-purpose computing may be drawing to a close. Too many people are happy to settle for terminal appliances rather than real computers.
      • Y_Y 1835 days ago
        Netflix does the same. If I owned my device I suppose I'd be the one to make decision about when I can screenshot and can't.
        • beatgammit 1835 days ago
          It's stuff like this that's hyping me for projects like the Librem 5[1]. Sure, I might lose out on some functionality, but at least I can use my device as I please, and I and the community can make alternatives without those restrictions. I don't think it'll "catch on", but I sure hope that it becomes relevant enough to make some of these app developers consider supporting it.

          [1] https://puri.sm/products/librem-5/

      • jjulius 1835 days ago
        Worthless from a security standpoint, because the screenshots can still be taken from a desktop or laptop device.
        • gtsteve 1835 days ago
          You can always steal something if it can be seen. I think it's more of to clearly express that they don't want you to screenshot whatever it is. You can subvert it but you know you're doing something you shouldn't.

          I don't use AirBnB so I can't actually think why you'd want to disable screenshots in certain places. I'm curious now though, can someone tell me?

          • snarf21 1835 days ago
            I would assume two reasons: 1) Don't let people easily scrape their content and list it on a competitor. 2) Make it hard to people to put up fake listings that look real with the intention of scamming users.
    • nova22033 1835 days ago
    • saberience 1835 days ago
      Or just take a photo of the screen with their iPhone!
    • nukeop 1835 days ago
      The day this comes out I hope there will be a browser extension that automatically strips the retarded DRM by copying the html from the "viewer" website and replies to the original sender with the contents, so that a "cracked" copy of the email is saved in both the sender's and recipient's history as it should have been in the first place.
      • heavenlyblue 1835 days ago
        Netflix moved their high-definition DRM to end devices by now. The only way to rip their shows is by getting the output from HDMI.
        • teilo 1835 days ago
          You also need to defeat HDCP for HD content, which is possible but not as easy as a simple HDMI capture.
          • garaetjjte 1835 days ago
            You just need HDMI splitter that doesn't use HDCP on output.
            • teilo 1835 days ago
              Right. And that means getting a cheap Chinese splitter that may or may not strip HDCP, buying one on the grey market, or making one yourself.
  • wooptoo 1836 days ago
    This has the potential to create a huge legal headache.

    We can no longer rely on email to be there in our archive and presented as evidence in court, but now have to worry about expiry.

    In many countries an exchange of emails which represents a series of terms, restrictions, an offer, and finally acceptance can be considered a legally binding contract between parties and can be presented in court.

    With expiry and email DRM we now have entered the alternative reality of such contracts written with disappearing ink.

    • mc32 1835 days ago
      If it’s from your org, vault keeps the records, if it’s from personal or outside gmail accounts those vaults should retain records. A court order could compel the other party to provide records.

      Of course this adds a complication but it’s not completely deleting the records everywhere.

      • ovi256 1835 days ago
        >this adds a complication

        This increases the cost of access to justice so it reduces access to justice.

    • krageon 1835 days ago
      Is this situation not the same as verbally binding legal contracts? What you need is to record your expiring messages otherwise it'll just devolve into a they said, they said in the courtroom.
      • wooptoo 1835 days ago
        It's not the same. In business Email is established as a written form of agreement.
        • krageon 1835 days ago
          This isn't email, so I don't see how that is applicable.
          • fouc 1835 days ago
            Applies to any written form of communication
      • sib 1835 days ago
        In the US, at least, there is a significantly differently model of validity of written and oral agreements.
    • gnode 1835 days ago
      I think the alternative reality we're entering is one where we cannot communicate without record. We coped in the past, where putting something in writing was the exception, not the default. As direct vocal communication becomes less common, it highlights the importance of being able to speak off-the-record.

      That said, these measures provide little guarantee of that.

    • gibba999 1835 days ago
      Don't use expiring emails for that purpose.

      Seems simple enough.

      • reaperducer 1835 days ago
        Seems simple to you and me. But there are plenty of non-technical bosses who will direct everyone in the company to only use expiring e-mails because they don't really understand the consequences.
  • parliament32 1835 days ago
    If anyone is curious how it works with external accounts, I just tested it:

    1) Mail arrives (subject intact) with text like "John Doe has sent you an email via Gmail confidential mode" and a "View Email" link

    2) The link takes you to a "To view this email, you must first confirm your identity. A one-time passcode will be sent to (your email)" page.

    3) Entering the separately-emailed passcode lets you see the email body in-browser. Selecting text is disabled in the body (so no copy-paste), trying to print the page blanks out the body area -- I'm sure you could bypass either with a bit of JS wizardry. Printscreen/screenshot work as expected.

    • X-Istence 1835 days ago
      Ugh... there are companies that did this sort of stuff for Outlook users, and it's a royal pain in the ass.

      It's not searchable, it can't be archived for legal purposes this way, this is a nightmare for anyone that does business with you.

    • tomjen3 1835 days ago
      That seems like a perfect way to spear-fish people for their google password.
  • newsbinator 1836 days ago
    I love the concept as a sender, I hate the concept as a receiver.

    It means a ton more mental overhead: "do I need to jot down the info from this email somewhere (manually?) now because at some point it's going to expire or my access is going to be revoked?".

    Frustrating. It's the opposite of all the benefits of gMail search.

    • prepend 1835 days ago
      This will result in one of two things from me: 1) auto forward everything to a non-gmail archive account 2) if blocked, finally leave gmail
      • X-Istence 1835 days ago
        Someone posted further up that when you send a "secure" email to an outside the company email address, they get a link to ope the email and have to enter a one-time code that is emailed to them.

        So even forwarding is broken, as is search for those of us that search our emails a lot.

      • glennpratt 1835 days ago
        This is a Gsuite admin feature, leaving personal Gmail does nothing and if you happen to control your Gsuite account... just don't turn it on.
    • stubish 1836 days ago
      Its kind of the point to frustrate the receiver. If I don't want you archiving or resending what I sent to you, I can use this feature to do that. Sure, you can jot down the information, make a screenshot or similar if you wish to override my wishes, in much the same way as you could record a phone call, but the onus is on you. Hopefully you stored my confidential data somewhere secure and GDPR compliant, and not left a copy in your mailbox as a lawsuit waiting to happen. And if I protect emails this way that I would be happy for you to archive, then I'm an idiot.
  • maltalex 1836 days ago
    Proprietary "extensions" to email make me nervous.
    • glitchc 1835 days ago
      This, thousand times this. Google is trying to remake the internet so that only Google's browser works with Google's version of the internet that operates entirely on Google servers.
    • dbbk 1835 days ago
      You won’t want to look into AMP for Email then...
  • bambax 1836 days ago
    This is very bad and makes me angry. If you send me an email I need to not worry about being able to save the information forever. Once somebody sends out something it is no longer theirs. But now the cancer of DRM leaks into our personal lives???!?

    At the very least receivers should be able to automatically reject any such email.

    • Kamshak 1836 days ago
      This isn't for your personal E-Mail, it's for professional E-Mail via GSuite
  • kernelPan1c 1835 days ago
    Confidential...as in only you, the recipients, Google, the NSA, and other intelligence agencies the NSA shares information with can read these emails.
  • sverige 1836 days ago
    The title made me think Google was announcing that they won't read my email any more. Alas.
    • Jabbles 1836 days ago
      Define "read" - you obviously don't mean "process" because that wouldn't make any sense. So you must be talking about something more specific?
      • Dylan16807 1835 days ago
        The email should be received, filtered, and put into a database with an index. If any information escapes this database, outside of going to the user's email client, then we have a privacy problem with google "reading" the mail.

        This definition isn't perfect but it should be enough for to you understand the intent.

        • kevin_thibedeau 1835 days ago
          You agreed to their use of all data when signing up for your free account with gigabytes of free storage.
          • Dylan16807 1835 days ago
            Yeah, but we should clearly distinguish it as a price.
      • sverige 1835 days ago
        • Jabbles 1835 days ago
          What did you mean? You seemed upset to learn that they were still doing something ("Alas") - what did you mean?
          • sverige 1835 days ago
            I'm far too jaded to be "upset" or even "disappointed" that, whenever they have a way to do so, Google reads everything that everyone sends to each other. But perhaps it seems perfectly normal and ok to you that a third party reads what should be private communications. Perhaps "private" isn't even a thing for some.
      • monochromatic 1835 days ago
        Parse and act based on its content.
    • chronogram 1836 days ago
      This is for gsuite, so I suppose at least they don’t read your mails there.
      • aw4y 1836 days ago
        why do you suppose that?
        • Klathmon 1835 days ago
          Because they very explicitly say they don't:

          https://gsuite.google.com/learn-more/security/security-white...

          • somebehemoth 1835 days ago
            I'm probably misunderstanding "read your emails" but the link you provided suggests that GSuite users are very much subject to their "emails being read" but with greater restrictions on who can read it and why (https://gsuite.google.com/terms/dpa_terms.html). Lots of text about following EU or other legislation, but definitely this text does not say, "Google does not process your email." There is an entire page dedicated to "subprocessors" who consume your email to provide services (https://gsuite.google.com/intl/en/terms/subprocessors.html).

            I get that this agreement presents restrictions on how Google can process GSuite user data, but it does not prevent it from doing so.

            • Klathmon 1835 days ago
              I assumed it was in the context of advertising.

              You literally can't have an email service that doesn't process your emails somehow. Spam filtering and phishing protection has to work on the content of the email, the act of sending email needs to read parts of it to send it. At the absolute least they need to "read" your email to store it's contents and send/display them.

              If that is something you want to prevent, then i think using any hosted email provider is completely out of the question. Email in general might be unusable if that is the level of privacy you are looking for.

              I normally hate parroting back the "if you don't like it then don't use it" line of thinking, but in this case it's the only real option. Sure they could offer a special service with no scanning, spam protection, etc... But they'd still need to store and "read" your email to work, and they'd still need to be able to do some analytics to protect their system from you (you could be a bad actor that would act in bad faith, and they need to protect against that to keep the entire service running). For someone that doesn't trust that they aren't going to just "read" your email anyway even if they say they only use it for some very limited things like spam protection, an additional layer of "we promise we also won't do this" won't change anything.

              If you want absolute control over exactly what bytes are sent and where they go, host your own email service. Just like how if you want to be completely 100% absolutely sure that nobody is going to spit in your food, and you don't trust anyone else to not spit in your food, you need to cook it yourself.

              • somebehemoth 1835 days ago
                The OP mentioned Google reading their email and does not mention the context of advertising you assumed. Another poster pointed out that Google no longer scans Gmail for advertising purposes anyways: https://variety.com/2017/digital/news/google-gmail-ads-email....

                I understand what you are saying about all email getting "processed" however, Google is doing way more to process email than spam protection or else they would not need a massive agreement and a separate page listing subprocessors and further breaking those subprocessors down by region and noting whether they are internal or external to Google.

                I think my point is simply agreeing that I think it is too bad Google does all this "processing" of user data and that GSuite offers some protection, but not enough.

                • joshuamorton 1835 days ago
                  The subprocessesors page lists Google subsidiaries, datacenter subcontractors, and customer support contractors.

                  None of those things are "external people we automatically share your email with". They're "Google" and the people who you'd ask for help when you call a customer service line.

  • lrvick 1835 days ago
    This is so incredibly stupid and irresponsible on so many levels.

    Beyond obvious lock-in "Gmail Confidential Mode" tells users SMS is secure (it isn't), teaches users they can prevent message printing (they can't), and teaches users to open links in emails from strangers to then put in their Google credentials to view the message!

    Was anyone on the Google Security team given a chance to look at this before it got shoved out there? I know there are people at Google smarter than this.

    This is a massive setback in educating users about actually useful security measures.

  • samuelfekete 1836 days ago
    I would like to see Gmail offer end-to-end encryption for "confidential" emails.
    • cryptonector 1835 days ago
      End-to-end encrypted e-mail is an exceedingly difficult problem.

      First, none of the envelope can be encrypted, sorry -- that's routing information, and it must be visible to all involved MTAs. The communications between MTAs can be encrypted with TLS, but the MTAs get to see the envelope.

      Second, end-to-end key management is an O(N^2) problem unless you have introducers. Who shall be your introducers?

      If the introduction problem was trivial to solve, we'd all be using PGP/whatever now. But it's not trivial at all.

      Besides that, it's nice to have IMAP/whatever be able to search your e-mail. Which means your e-mail servers need to be able to see your e-mail. You can give up on this if you have your devices decrypt and index your e-mail. This is the only part of the problem that is "easy" -- and you can even encrypt e-mail as it comes in when it's not already encrypted.

    • ymolodtsov 1836 days ago
      How are they supposed to do that on the protocol level?
      • tcd 1835 days ago
        Protonmail allows you to add PGP key. Not sure if the user just sees 'garbage' data inside the email but it's entirely possible to send E2EE email already, just encrypt the contents of the message and send that across.

        If the person has the key, they can decrypt it.

        • codebook 1835 days ago
          Do you really want to hand over your private PGP key to 3rd-party company? I never ever won't do that. If I will use PGP key for web email service, it is only when the service provider gives a way to communicate with my local machine so that the email text is SIGNED IN MY MACHINE and send it back to the email provider, then send to the recipients. For encryption, it can be done with public key of the recipients.
    • swalsh 1835 days ago
      Eh, frankly while I Trust google a lot, I wouldn't trust any third party including Google for my end-to-end encryption needs.
  • nukeop 1835 days ago
    They're cocky enough now to think that they can take on the e-mail as a de facto standard and do the Embrace, Extend, Extinguish dance with it.

    This is akin to DRM and just like DRM it will be ineffective - if I can see it, I can forward it, copy it, and print it, and do whatever I want with it. Users are being led to believe that they can enforce these sorts of controls over email but they can't.

    • josteink 1835 days ago
      Google loves DRM though.

      They helped launch WebDRM. Now we have EmailDRM, with a Google-account being mandatory for all recipients.

      What’s the next standard Google plan on ruining?

      • nukeop 1835 days ago
        I think they've got their eyes on tcp and http now.
  • ukthrowaway123 1836 days ago
    A lot of people are posting that this is for gsuite. I've had this in my regular gmail for a couple of weeks now.
  • miki123211 1836 days ago
    Will this be a lock in feature that makes it harder for people using external mail clients?
    • brajesh 1836 days ago
      Won't it simply fallback to regular email view on external clients, like outlook's "recall email" function?
      • alkonaut 1835 days ago
        The reasonable implementation would be to not send anything more than a link to a site where the receiver can view the content.
        • X-Istence 1835 days ago
          Which is exactly what this does... and now I can't search my email for relevant information anymore.

          This is a step back.

  • NetBeck 1836 days ago
  • lalos 1835 days ago
    Great way to have your users label their own data to improve their ML models by tagging it as confidential or not.
  • kerng 1835 days ago
    Outlook has had this for very long time. Even consumer versions have some of the rights management features.

    At my new job I am using Gmail via GSuites for first time and I didnt know how antiquated Gmail is. Lots of missing features and rather confusing UI.

    But adding more security options and giving users control is good.

    • Spivak 1835 days ago
      Coming from O365 the thing I miss most is sweeping rules.
  • twotwotwo 1835 days ago
    Work is the one place this seems OK: if the company provides the email service, it can hide the forward button or whatever if it thinks that advances its interests.

    Still think disclaimers about the limits (in the UI, not just the blog post) have to be be stronger. It could help avoid accidental leakage and communicate your intent to keep the contents confidential, but it's absolutely no use against someone hostile. I feel like the name should be more like "mark as confidential" or something, to clearly get across it's a strong suggestion but has no hard enforcement behind it.

  • bo1024 1835 days ago
    Naming this technology "confidential mode for email" is extremely dishonest and misleading to users about what it actually does. Very frustrating decision.
  • AngeloAnolin 1835 days ago
    Interesting take from a friend overseas who is into a lot of Security and Data Surveillance.

    Me: So, what do you think about Google's Confidential Mode settings? Are you going to use it in your company?

    Friend: It is one of the topics heavily debated right now. Especially by our management.

    Me: Is that so? Why?

    Friend: Lots of legal implications that needs to be addressed.

    Me: How about you? What's your take?

    Friend: Well, for a start, given Google's history of surveillance, this type of enhancement only just gives them more power and capability to focus on information that are being deemed sensitive by an individual or an organization.

    Me: You think so?

    Friend: Absolutely. Imagine if this person sends out approximately 100 emails in a day, and marks 5 of them as sensitive or confidential or whatever terms you would like. Google can then sequence the emails to track based on the confidentiality that was set forth on it.

    Me: Never thought of things in that perspective.

    Friend: Yes. Further to that, they could then add more focus on confidential emails which would have a very specific expiry dates. This becomes more specific to their focus, where they can direct their resources specifically on this.

    Me: (Intently listening)....

    Friend: It's like this. Assume you have boxes in your house. Each box contains different stuff. Some box may contain your cash, or jewelry or any other important stuff. Now, you have a burglar going inside your house. With a 100 boxes, they would certainly only spend a couple of time to rummage through the boxes. If they can only open 5 boxes, with the possibility of those boxes containing nothing but garbage, then the burglars are not successful in getting your prized stuff. Now imagine having those boxes labeled with stuff like 'MONEY', 'JEWELRY', 'CONFIDENTIAL', 'IMPORTANT TO DISPOSE BY DATE YYYY-MM-DD', etc. Doesn't that give the burglar an easier way to run through the boxes? This eliminates for them wasting on boxes that may have no importance at all.

    Me: That is certainly a possibility if you would think of it.

    Even though such scenario may be far-fetched from a corporate (Google for Business) standpoint, it is still worthy of a discussion. IMHO.

  • targ2002 1836 days ago
    When I was using lotus notes there was a similar feature, but it didn't work very well. As the message was sent to you inbox, you could modify the properties on the message, I created a button to unprotect the message because there were several people in my group who always had their message confidential and the information needed to sent to others quite frequently.
  • nmstoker 1835 days ago
    Looks like they should clarify the bounds of this functionality. Obviously they know who they're talking about, but good communication wouldn't assume the reader does.

    Presumably it's only working within a G Suite organisation (equivalent to aspects of similar features in Exchange)

  • bachmeier 1835 days ago
    It's not clear what the use case is for something like this. Why wouldn't you use an alternative communications channel like Slack in this situation? I mean, if you don't want to use email, don't use email. Why go through all the complications this introduces.
  • thefounder 1835 days ago
    What a stupid thing. You may think that Google doesn't know how email works in the first place. Expiring emails?? DRM(rebranded as IRM) ?? Thank god we have so many email providers and these "features" are worthless outside of gmail.
  • xivzgrev 1835 days ago
    What happens if you send an email to a non gmail address? I assume this mode has no effect.
    • rocqua 1835 days ago
      I believe your message is put behind a link which, after the message expires, no longer directs you to the contents of your email.
  • visarga 1835 days ago
    What if I take a screenshot of the email? How can they prevent that? Or use a phone to take a shot of the screen displaying the email.
  • emgee_1 1835 days ago
    I never use Gmail in a browser. This means that this functionality is not available for me? ( using iSync msmtp mu mu4e emacs setup)
  • dontbenebby 1835 days ago
    Will this work with non-gsuite users? Gmail has a big marketshare, and setting a message to expire to them could be useful
  • howard941 1835 days ago
    Plausible deniability for those times when the sender would rather not have email evidence preserved.
  • sidcool 1835 days ago
    Question: Does this only work GMail to GMail or also across email platforms?
    • TrueDuality 1835 days ago
      This only works inside Gmail and specifically only within the web interface. It does not protect emails accessed / forwarded / stored from IMAP and POP clients (though if the messages are only stored server side the IMAP one will still get deleted).
  • rospaya 1835 days ago
    Will this work only for Gmail/Gsuite clients?
    • Spivak 1835 days ago
      No, they're just sending a link in the email with some UI fluff to make it a little more transparent in GMail.

      An enterprise feature that doesn't work with Outlook might as well not exist.

  • teddyh 1835 days ago
    Embrace, extend, …
    • Spivak 1835 days ago
      If you think sending an expiring link is EEE then a lot of companies have been extinguishing email for a while now.
  • Simon_says 1836 days ago
    They're about two weeks early for April Fools.
    • itronitron 1836 days ago
      'con' was auto-corrected to 'confidential'
  • dingo_bat 1835 days ago
    DRM for email.
  • aw4y 1836 days ago
    "gmail" and "confidential" in the same sentence. sure.
    • arsenico 1835 days ago
      I do not understand your sarcasm here - the feature is for GSuite, which is at some level of confidentiality, isn't it?