EFF Slams Gmail’s New Confidential Mode For Providing False Sense Of Security

Back in April, Google announced a redesign of the Gmail web interface along with some new features meant to provide more secure ways of sending emails. Now that users and security experts have had plenty of time to test out the new features, the Electronic Frontier Foundation (EFF) is stating that Google is overselling its new Confidential Mode.

The EFF says that there's really nothing "confidential" about these features at all and that nearly every aspect of its design is overrated or downright misleading to users. The civil liberties group says that for starters, the email still isn't end-to-end encrypted, giving Google the ability to still read the contents.


In addition, while you can send an email that the recipient is unable to forward to another person or print as a hard copy, there's nothing stopping them from taking a screenshot of the information on the screen. And the "self-destructing" email messages feature is also somewhat misleading, according to the EFF.

"Contrary to what the 'expiring' name might suggest, these messages actually continue to hang around long after their expiration date, for instance, in your Sent folder," writes the EFF. Not only does the sender still have a copy of the message in their Sent folder, it is also retrievable, of course, by Google. So, while the feature gives the appearance that the email message will completely "disappear" after a set time frame, this isn't the case at all in practice.

Another feature that Google describes as a security enhancement actually works in the company’s favor to further mine user details. The ability to require two-factor authentication for a recipient to read an email requires that person's phone number for authentication. And herein lies the rub according to the EFF:

Google generates and texts this code to your recipient, which means you might need to tell Google your recipient’s phone number—potentially without your recipient’s consent.

If Google doesn’t already have that information, using the SMS passcode option effectively gives Google a new way to link two pieces of potentially identifying information: an email address and a phone number.

While Google bills Confidential Mode as a security toolset meant to make email communications more secure, perhaps users should take a "buyer beware" approach and check whether these features actually meet their personal or work requirements for confidentiality instead of falling for the hype.

