Today, we’re introducing a new approach to information protection: Gmail confidential mode. With confidential mode, it’s possible to protect sensitive content in your emails by creating expiration dates or revoking previously sent messages. Because you can require additional authentication via text message to view an email, it’s also possible to protect data even if a recipient’s email account has been hijacked while the message is active.
Built-in Information Rights Management (IRM) controls also allow you to remove the option to forward, copy, download or print messages. This helps reduce the risk of confidential information being accidentally shared with the wrong people. Confidential mode will begin to roll out to consumer Gmail users and a limited number of G Suite customers in the coming weeks (broader rollout following).
This new feature would work by storing the email on the Gmail server. The recipient then accesses it by going to that same server and, if needed, entering a password. The stored email would then be deleted (or maybe just removed from the use of the parties) after a defined period of time.
Greater email security is always a promising development for lawyers who use Gmail or receive email from clients or partners who are using Gmail services. But there is also a risk of developing a false sense of security with these new features.
As Naked Security reports,
The concept of self-destructing email sounds like something out of Mission Impossible but it’s worth mentioning its limitations.
The most obvious is that the sender has to decide in advance that the email is to be confidential. This can’t be applied retrospectively to any email.
A second is that there is nothing to stop the recipient from taking a screengrab of the email’s contents before it expires.
Moreover, while recipients won’t see the contents of a destroyed email, they might still be able to see that one was received and later deleted by the sender…
This hints at what might be Confidential Mode’s biggest weakness for some people: just because the emails are deleted by Google from inboxes and outboxes doesn’t mean they don’t hypothetically exist somewhere.
Remember, from what we’ve seen so far, emails sent this way are not secured using end-to-end encryption in which keys are known only to the sender and receiver. That’s why Google calls it “confidential” rather than private.
Computerworld adds a caution that this new feature may give rise to additional phishing attacks, with Gmail Confidential Mail impersonations used to obtain a recipient’s Google credentials. Given the novelty of these features, the early period of adoption is likely more susceptible to this abuse.
Another very significant limitation is that Confidential Mode does not work with attachments, so only emails with in-text communications can use this option.
If a Gmail account is being used in G Suite, a company can use its Google Vault to view emails even after expiration. For lawyers looking to compel communications from parties who are using G Suite and claiming that documents or communications are no longer in their possession because they were deleted through Confidential Mode, this feature may provide the mechanism to obtain the relevant information.
Confidential Mode is unlikely to be used routinely by lawyers for regular communications, either with counsel, clients, or other third parties, but it may provide an option where especially sensitive material is being discussed. Records of communications are often required for law society purposes, to protect against malpractice claims, to substantiate billing or costs, to pass on an account to a subsequent lawyer, and for other administrative purposes.
Gmail’s new features also provide a number of practice management tools that can assist a busy practitioner, such as snoozing emails when attending to other tasks, an AI tickler system used to follow up on important emails, and an even easier way to unsubscribe from those newsletters that we never open.
For greater security at low cost, lawyers may wish to consider ProtonMail, which recently made headlines over Cambridge Analytica’s use of it, or the Dmail extension for Chrome.