Proton

Gmail confidential mode is not secure or private

Without end-to-end encryption, Gmail confidential mode is little more than a marketing strategy. Learn why privacy experts call Google’s privacy features “misleading.”

When we launched Proton Mail nearly five years ago, we pioneered a new kind of email service: one that gives you control of your own data. All emails are end-to-end encrypted(nieuw venster) and zero-access encrypted(nieuw venster), meaning not even we can read them. We also offer the ability to set expiring emails, which self-destruct after a period of time chosen by the sender.

Several years later, Google tried to integrate some of these same features into Gmail with “confidential mode.” Even though Google launched confidential mode over a year ago, people are still confused about what it does. Is it actually secure or private? Is it encrypted? When you turn it on, does it prevent Google from reading your messages? The answer to these questions is ‘no.’ In fact, the decision to call it “confidential” suggests a level of security and privacy that doesn’t exist in Gmail confidential mode.

Gmail’s confidential mode does not mean your messages are end-to-end encrypted. Google can still read them. Expiring messages aren’t erased for good, and the recipient can always take a screenshot of your message. Let’s take a closer look at how confidential mode works and why it isn’t so confidential after all.

What does Gmail’s confidential mode do?

Gmail unveiled confidential mode in April 2018 with its last major inbox redesign. The feature lets users optionally activate confidential mode from within the composer.

When you turn on confidential mode, a panel appears which gives you two options. The first lets you choose when you want the email to expire so that the recipient can no longer read it (you can also revoke access to sent mail at any time). A second option allows you to require the recipient to enter a passcode to access the message. Google generates the passcode and sends it to the recipient’s phone via SMS, so you need to know your recipient’s phone number. Additionally, emails sent in confidential mode cannot be forwarded, copied, downloaded, or printed.

The problems with confidential mode

Gmail’s confidential mode does not make emails private because Google can always read them. When you send an email with confidential mode turned on, Google keeps the email contents on its servers. If you send a confidential email to other Gmail users, they can read the email in their inbox, but emails to outside users contain only a notification that a sender “has sent you an email via Gmail confidential mode” along with a link to a page on google.com. (This is similar to Proton Mail’s Password-protected Emails(nieuw venster) feature.)

Once the email expires, it is no longer accessible to the recipient. But the message remains in the sender’s sent folder, which Google can also read. This is not an expiring email. It can still be accessed by Google and potentially exposed to governments or hackers. As the Electronic Frontier Foundation pointed out(nieuw venster), “Because messages sent with Confidential Mode are still retrievable—by the sender and by Google—after the ‘expiration date,’ we think that calling them expired is misleading.”

The passcode option is a further privacy invasion. If you choose to set a passcode for your recipient, you must turn over their private phone number to Google. If you are sending a message to a Gmail user, Google likely already knows their phone number from reading their emails or from other Google products. But if you send a passcode-protected email to a non-Google user, you have just allowed the company to link that individual’s phone number to their email address as well as whatever sensitive information is in your message. This is an effective way for Google to gather information about people, who likely have refused to use their service to avoid just such data collection. It also means Google knows quite a bit about your supposedly confidential email.

The other supposed security benefit of confidential mode is the inability of the recipient to forward, copy, download, or print the email. “This helps reduce the risk of confidential information being accidentally shared with the wrong people,” Google says. While it’s true this may reduce the risk of accidental data exposure, it is not real security. The recipient can simply take a screenshot of the email. “I was able to easily make a screenshot and paste it into a new email and send it to a friend,” wrote one reviewer(nieuw venster) for Inc. “It takes about 10 seconds. Anyone who uses MS Paint can figure it out.”

How Proton Mail is different from Gmail confidential mode

When you send an email from your Proton Mail email address to another Proton Mail user, the message is encrypted on your device using the public key of your recipient. This happens automatically, every time. When you hit send, the email travels to your recipient in encrypted form. The recipient then decrypts the message with their corresponding private key.


Because we do not have access to the recipient’s private key, we are never able to read the message. We do have access to metadata, like the email addresses, timestamp, and subject line. (It’s a bit like locking a vault with your friend’s key and then mailing it to them. You can read a full explanation of how end-to-end encryption works(nieuw venster).)

Proton Mail also lets you send end-to-end encrypted emails to non-Proton Mail accounts (such as your friends and family on Gmail, to prevent Google from reading your messages to them). Similar to Gmail confidential mode, this works by using a passcode as well. The difference is that with Proton Mail, you can choose the password yourself and communicate it to your recipient however you’d like. Moreover, the message is end-to-end encrypted, and we cannot read it.

Finally, Proton Mail also offers the ability to send expiring emails, except in our case, the emails really do disappear after the expiration time. This works both for emails sent to other Proton Mail users and to non-Proton Mail addresses (provided you set a password for the latter).

Of course, it is possible to forward, copy, download, and print Proton Mail emails. But again, this is also possible in Gmail confidential mode just by taking a screenshot. To advertise this benefit as a “security feature” misleads users into a false sense of security.

Without end-to-end encryption, Gmail’s confidential mode is little more than a marketing trick designed to pacify users concerned about privacy. As more people choose to deGoogle their lives, it’s clear that users are more and more catching on to these Big Tech tactics and pushing back.

Take action now: DeGoogle your life for $1

Fortunately, you don’t need to settle for fake privacy. You can join the more than 10 million people using Proton Mail to secure their communications.

You can get a free secure email account from Proton Mail here(nieuw venster).

We also provide a free VPN service(nieuw venster) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(nieuw venster). Thank you for your support.



Gerelateerde artikelen

how to write a professional email
en
Easy steps and examples for writing a professional email. See how Proton Mail can make your emails stand out.
Email etiquette: What it is and why it matters |
en
Find out what email etiquette is with key rules and examples, why it is important, and how Proton Mail can help.
A cover image for a blog about how to create an incident response plan that shows a desktop computer and a laptop with warning signs on their screens
en
Do you have an incident response plan to protect your business from financial and reputational damage? Find out how Proton Pass for Business can help you stay safe.
Shared with me in Proton Drive for desktop user interface
en
  • Voor bedrijven
  • Productupdates
  • Proton Drive
We've improved Proton Drive for Windows to make it easier to securely collaborate with others from your desktop.
Smart glasses that have been modified for facial surveillance and dox you in real time, finding your personal information after seeing your face.
en
Students modified smart glasses to find someone’s personal data after just looking at them. This is why we must minimize data collection.
The cover image for a blog explaining what password encryption is and how Proton Pass helps users with no tech experience benefit from it
en
Password encryption sounds complicated, but anyone can benefit from it. We explain what it is and how it’s built into Proton Pass for everyone to use.