Gmail's Problematic Confidential Mode


Some technical security measures may seem to promise more security than they actually deliver. It's good to understand their limitations, and to make employees aware of those same limitations in regular awareness training.

A current case in point may be a recent update to Google's Gmail service. In April Mountain View introduced several new design features in a new "Confidential Mode." The Electronic Frontier Foundation (EFF) is raising concerns about Confidential Mode's use of what the EFF calls "brittle" security.

Confidential Mode's promise that users' emails will be unforwardable, unprintable, and impossible to copy rests on its use of Information Rights Management. This can disable such functions as printing, at least in cooperating systems, but nothing prevents a recipient from, for example, taking and printing a screenshot, or forwarding that screenshot.

And indeed it's not difficult for a product to simply bypass Information Rights Management. That most products don't bypass it is due not to any technical feature of Information Rights Management, but to Section 1201 of the 1998 Digital Millennium Copyright Act, which makes doing so a potential felony.

Thus Confidential Mode's protections seem more legal than technical, and of course criminals and state threat actors are famously indifferent to the risk of prosecution under the Digital Millennium Copyright Act.

They're up to their ears in worse felonies anyway, so what's one more lesser included offense?

Some other problems lie with message expiration, advertised as a way of keeping messages confidential by assigning them an expiration time. Unfortunately they don't really fully expire. They persist in sent items folders, for example, and they can thus be retrieved not only by a sender, but by Google itself.

And there's a final issue with Confidential Mode's method of two-factor authentication. If you choose the SMS passcode authentication option, the recipients will need a code to read the email you send them. That code is generated and texted to the recipient by Google. So Google will have, with or without your recipients' permission, two significant pieces of identifying information: email address and phone number.

And texts can be spoofed. These may seem finicking quibbles, but the EFF's objections have some serious points. Naïve trust in a technical solution, even from an industry leader, may well be misplaced. And the security design choices an organization makes shouldn't place its users at risk.

Interactive, new-school security awareness training can help sensitize users, designers, and administrators to the implications of the online environment they use. The Electronic Frontier Foundation has the story:

