Why Gmail Confidential Mode is not secure

Google’s Gmail confidential mode: its fatal security flaw & why document DRM is better

Gmail’s confidential mode is meant to protect sensitive information from sharing, but like Google Docs, its security is trivial to bypass.  Here we show why, privacy implications, and what secure alternatives there are for businesses.

  What is confidential mode in Gmail?

Confidential mode in Gmail is meant to prevent unauthorized sharing by removing certain functionality and adding additional restrictions to control use.

Gmail’s confidential mode was released in late 2019 and was immediately billed as a way to make emails more private and secure (beyond the basic TLS encryption).  That assumption still exists today, and it’s not surprising — after all, you would expect something labeled “confidential” to keep your documents safe.

In reality, the strange implementation of confidential mode in some ways makes it less private, rather than more.  First, let’s take a look at what Google says about confidential mode:

With Gmail confidential mode, your users can help protect sensitive information from unauthorized or accidental sharing. Confidential mode messages don’t have options to forward, copy, print, or download messages or attachments.

Confidential mode lets you:
– Set a message expiration date
– Revoke message access at any time (see also how to recall an email in Gmail)
– Require a verification code by text to open messages

Sounds promising, right?  Confidential mode can be a useful feature if used correctly.  However, Google itself admits that despite removing the copying, printing, or downloading options, it doesn’t stop a user from performing them.

   How to use Gmail confidential mode to send an email

If nothing else, sending an email in confidential mode is simple.  The feature is now available in all Google Workspace and free Gmail accounts.  This is how to send an email in confidential mode, step-by-step:

1. After typing your email and adding any attachments, press the padlock button at the bottom of the email window.
   
2. Choose when you want the email to expire in the “Set expiry” dropdown.
   
3. Decide whether you want an SMS passcode (more on that later) and press “Save”.
   
4. Your email border and accents will turn dark blue and a “Content expires on…” notice will appear at the bottom of your email.  Enter a recipient and press “Send”.
   

   How to set a Gmail confidential mode SMS passcode

A Gmail confidential mode SMS passcode allows you to enter a mobile number when you protect your email.  When the recipient tries to open the email they will have to enter a PIN sent to that phone number before they can open it.  Here’s how you use Gmail confidential mode with SMS:

1. Tick SMS passcode when you protect your email and press “Save”.
   
2. When you press “Send” you will be asked to enter the recipient’s phone number.  This is where Google will send the Gmail SMS passcode.
   
   Press “Send”.
3. The recipient’s email will look like this.  They must press “Send passcode”.
   
4. Google will send a message stating “Your Google verification code is….”.  The recipient enters the number in the “Enter passcode” field and presses “Submit”.
   
5. The email body text and attachments will become visible if the passcode is correct.
   

  How secure is confidential mode?

  Gmail confidential mode is NOT secure

1. Google admits that it doesn’t stop recipients from taking screenshots of a message or attachment or using a “malicious tool” to copy or download them.  To be clear, Google’s definition of a malicious tool here is a very broad one.  By malicious tool, the company means any application that can open its emails but aren’t under its control.  For example, you can trivially bypass the printing, downloading, expiry, and copying controls by:
   • using the “save page as” button in your browser to download the email’s contents.  You can freely share downloaded pages or copy and paste from them.
     
   • changing the dom.event.contextmenu.enabled flag in Firefox’s about:config menu to false and then adding the highlighted moz-user-select code to the style sheet to enable copy and pasting.
     
   • commenting out @print media sections in Firefox’s Style Editor (inline style sheet #1) to enable printing of the email to an unprotected PDF format.
     
     

   These methods automatically remove most or all controls, as the protection is dependent on you opening the email in Gmail (or a web page for third-party clients/email providers).

2. Users have many ways to make copies of attachments.  They can either screenshot them or, if it is a PDF, press the annotation button on the Google Drive PDF viewer on mobile and press “Create copy”.  This creates an editable, printable, and downloadable copy of the PDF on a Google Drive account of the user’s choosing.  On Windows and Mac desktop, a user can open the “Source” tab of their browser’s developer mode and download each page as an image, or disable the stylesheet in Firefox to allow printing to a PDF.
3. If you send an email to a non-Gmail recipient, they are sent a web link and have to enter a passcode sent to their email to access the content.  This link can just be shared with others along with the passcode.

In practice, this means that at best confidential mode only protects against non-technical users.  At worst, it actively reduces security by creating a false sense of it, since users may Google’s confidential mode as a replacement for what are more effective security measures.

   Do Gmail confidential mode SMS passcodes work?

It’s nice that Google provides an extra level of authentication for opening emails, but ultimately it doesn’t achieve that much. There are several problems with relying on it for security:

1. There is seemingly no limit on how many incorrect passcodes you can enter or how quickly you can enter them.  For context, the SMS passcode comprises 6 numerical digits.  An attacker could likely write a script to try every 6-digit number, utilizing multiple data center machines at once to speed up the process if necessary.
2. SMS is a poor two-factor authentication method that many platforms have phased out.  Hackers can use SIM swap techniques to redirect the phone number and receive the code.
3. If a user loses their phone or changes their number, they lose access to all of their SMS-protected emails, as there is no recovery process and the sender cannot remove the SMS requirement after the email has been delivered.
4. It doesn’t do anything to stop intentional sharing, as the user can still enter their PIN and then make a copy of an email, or share their pin with somebody else.

In other words, the SMS passcode doesn’t prevent intentional sharing, and it’s unlikely to stop a hacker who gains access to a Gmail account from reading emails.  An attacker could easily write a script to try PIN combinations.

   Gmail confidential mode attachments – are they secure?

The bulk of the confidential information in emails is usually in the attachments rather than the email body.  Gmail confidential modes’ attachment security is terrible.  There are several easy ways to download attachments, and one of them is delivered by Google’s own UI.  Ways to download attachments include:

1. Using the annotation feature of the Google Drive PDF viewer on mobile to save an unprotected copy (see a full guide below).
   
2. Opening the sources tab of your browser’s developer mode, where you can see and download images of each page.
   
3. Disabling the inline style sheets in Firefox’s style editor and then printing to PDF.
   

So, if you think that confidential mode will stop recipients from sharing your attachments – think again.

  How to download a Gmail confidential mode PDF attachment

Though Google claims that Gmail confidential mode removes the option to download PDF files, this is not the case.  You can easily make and download an unprotected PDF attachment using its own tools.  The easiest way to download a PDF is via its built-in PDF viewer on Android.  If you do not have an Android device, you can use Microsoft’s Windows Subsystem for Android on Windows 11.

1. Open the PDF from your confidential email and press the annotation pen icon.
   
2. Press “Save copy” in the top-right.
   
3. Choose the Google Drive account and location you want to save the unprotected PDF to and press “Save”.
   
4. Open the PDF in Google Drive and press “Download”.
   

As you can see, the process is not at all difficult and could easily be discovered by recipients accidentally.

  Confidential mode encryption

One last security issue to mention is confidential mode encryption.  Confidential mode emails use the same standard Gmail encryption, TLS, so they are not encrypted end-to-end – once emails reach the mail server they are decrypted and stored in plain text.  Only Google Workspace subscription accounts support end-to-end encryption, which can be enabled by configuring S/MIME.

This also raises the question of privacy.  Despite its “Confidential” branding, the lack of end-to-end encryption for most users means that the feature doesn’t hide anything from Google.  The company can potentially read and store your emails for as long as they want, no matter the expiry date you set.  Indeed, we know for a fact that emails hang around after expiry because they long live on in the “Sent” folder.

  A word on encrypted emails

So, if not confidential mode, what should you be using to secure business emails?  Recently, there has been a rise in users utilizing end-to-end encrypted email services.  By using pairs of private and public keys, such email services ensure that emails can only be opened by the account of their intended recipient.  It also means that the email provider will be unable to read or store your emails.

Unfortunately, the protection this encryption provides doesn’t apply to documents.  While yes, you’re making it harder for attackers to intercept an email in transit, that isn’t the primary way documents leak.  You need to be able to prevent misuse after the recipient downloads and opens your file.

If you don’t trust a recipient 100%, which is nearly always the case, you can’t be sure they won’t just download the unprotected attachment and share it.  If you’re sharing documents securely as a product, this is even more likely, with piracy rampant in the e-book market and beyond.

   Do Gmail attachments really expire?

As we covered earlier, you can set Gmail to expire emails after a certain period using confidential mode.  Expiry is important for a number of reasons:

• The less time somebody has access to information, the less opportunity they have to share or misuse it.
• Expiry reduces the amount of data a hacker can access if they compromise an email/user account or the mail server.
• You need to make sure that users don’t still have access to information after they leave the company.
• It is good practice (and in some places law) to ensure employees only have access to customer data for as long as is strictly necessary.

Gmail expiring emails do not address these issues because it is trivial for users to create copies of attachments or emails outside of the browser that will not expire.  Another major concern is that Gmail expiring emails remain in the sender’s Sent folder after access is “removed” from the recipient.  If the sender’s account is compromised, the hacker gains access to all of their sent confidential emails and attachments.

Overall, there is little point in using Gmail to expire emails.  If you need effective expiry for email attachments then look elsewhere.

  What about Google Docs security?

Hold on, you might be thinking.  Google already has document protection in the form of Google Docs.  Why can’t I just embed a Google Doc in my email and call it a day?

Google Docs does include some rudimentary document protection (but no expiry) by only allowing access to certain Google accounts and disabling the option, to download, print, and copy.  However, there are several issues with its implementation.

The thing to understand about Google Docs is that it is a browser-based tool.  Though there has been a trend toward web apps in recent years, the problem with this approach is that a browser simply can’t exert the same level of control over a user’s system and activities as an application can.  In fact, browsers are designed to be manipulated for web development purposes, and you’d better believe that Google Docs can be manipulated, too.

At its core, Google Docs uses JavaScript to enforce its controls, which you can bypass by appending “/mobilebasic” to your URL and then disabling JavaScript in the developer console.  Users can then copy and paste the contents into a new Google Doc to use as they like.

Google also makes no attempt to stop users from using their browser’s print function (Ctrl + P) to print to a PDF, or from taking a high-quality screenshot.

Finally, assuming that all of these flaws are suddenly fixed (which is not really possible in the browser) a user can still leak a document by sharing their account details with someone else.

   Document DRM

So how do you protect your document in transit and at rest, while also preventing unauthorized sharing?  The answer is document DRM.

With a DRM solution like Locklizard Safeguard, the document is end-to-end encrypted before it’s sent to any users.  The recipient is sent a license file in advance.  This license key can only be activated on one machine and is required to obtain the decryption keys for the document.  Once the decryption keys are securely transmitted, they are stored in an encrypted keystore that the recipient cannot access or share.  Therefore, only authorized users can open the PDF.

Meanwhile, the viewer application can enforce printing, revocation, and expiry controls that actually work.  With a secure implementation and no ability to install plugins or open developer mode, users have no route to bypass them.  It additionally includes the following functionality:

• prevents copying and pasting into other applications
• stops editing and modification of content
• prevents printing
• blocks screenshots
• restricts access to devices to prevent sharing
• restricts access to locations to control BYOD use
• enables limited and degraded printing while preventing printing to PDF
• expire the document after a certain date or number of uses
• revoke user access remotely at any time
• logging of document views and prints
• add irremovable watermarks that are automatically populated with identifying user information at view/print time

  How to encrypt & send a secure PDF via gmail using Locklizard

Here’s how to create a secure PDF file with encryption and DRM controls, and send a secure PDF via gmail (as a secure PDF attachment) using Safeguard PDF DRM.

  Create your DRM encrypted PDF

1. Right-click on your PDF and select “Make secure PDF”.
   
2. Open the “Document Access” tab and choose “Selected customers”.
   
3. Choose the DRM controls you want to enforce.
   
   Move through the tabs of Safeguard PDF Writer and add any DRM controls you want to add to your document.  By default, Locklizard secure PDF files cannot be edited, copied and pasted, printed, or saved as unprotected PDF files.  If you enable printing, then users cannot print to file drivers such as PDF and other unprotected file formats (otherwise they could easily remove the security).
4. Press the “Publish” button at the bottom of the dialog to protect the PDF file.  The PDF will be encrypted using AES 256-bit encryption and the DRM controls applied.
5. To grant a user access to it, log in to the Safeguard Admin portal.
   
6. Open the “Customers” tab and press “Add” in the sidebar.
   
7. Enter the user information and click on the “Set Document Access” link in the “Manage Access” section.
   
8. Select your document and press “OK”.
   
9. Press the “Add” button on the customer account.

   Keep the “Email license” checkbox checked to have the license file emailed to the user’s email address that you have entered.  The user will be sent an email with their license key and instructions on how to download the secure PDF viewer software.  You can also choose to untick ‘Email license’ if you’d like to share this information with them via other means.

  Securely send your PDF using Gmail

Once users have installed the secure Viewer software and clicked on their license file to activate it, you can securely send PDF file attachments to them via gmail.

To do this, select the protected PDF file (.PDC file) and attach it to your email message.

Emailing a secure PDF attachment using Gmail that has been protected with Safeguard PDF Security

Of course, you can also send the PDF attachment using a different email client, or share the protected PDF file via your favorite workplace chat app, cloud storage, or another document-sharing solution.  As only the recipient has authorized access, nobody else will be able to open the secure PDF document.

If you want to prevent users from opening the secure PDF file outside certain locations (such as the office) you can add country and IP restrictions in the Safeguard Admin portal.

   The best choice for confidential document distribution

While Safeguard DRM isn’t a replacement for end-to-end email encryption (you still have to protect the text in the body of your email after all) it can work excellently in tandem with it.  Together, they can provide an email experience that’s truly confidential – and not just meaningless buzzwords.

If your business needs the best solution for protecting documents from unauthorized disclosure, take a free 15-day trial of our PDF DRM software.

  FAQs

Is Gmail confidential mode encrypted?

Emails are not encrypted end-to-end for most users.  Gmail uses TLS to provide encryption of emails and attachments during transit.  So as long as the person you email is also using a mail service that uses TLS then no one should be able to intercept them en route.  However, once the email reaches the destination mail server, it is stored in clear text.

If you want to ensure only the intended recipient can view it, then you need to use end-to-end encryption such as S/MIME which is available for Google’s paid Enterprise accounts.  There are also many companies that provide secure email software and services.  Alternatively, you can encrypt attachments using a separate file encryption application such as PGP, or add encryption and DRM to PDF files using Safeguard PDF Security.

Can Google read my mail messages?

Yes, they are NOT stored encrypted on Google’s servers but held in plain text.  Only if S/MIME or a similar email security app that uses end-to-end encryption can prevent sensitive email from being viewed by non-authorized users.

Can you send a password protected PDF in Gmail?

In short, yes – but it is not very secure:

• Weak passwords can be easily cracked using password removal tools – so you need to use a strong password, which has to be remembered.
• You have to find a secure way to transmit the password to the user(s) that need to open it.
• Once recipients have the password they can remove it or share it with others.
• Any permissions or restrictions you apply, such as preventing editing or printing, can be instantly removed using free online tools.

Can you send a secure email in Gmail?

It depends on what you mean by secure.  See How to encrypt & send Gmail email securely.

• If you want only the intended recipient to view your email then you must use S/MIME or an email plugin or service that provides end-to-end encryption.
• If you want to control what users can do with content (copy, edit, print, etc.) then you need a DRM solution.

Can I send a confidential email in Gmail?

Yes, but for the reasons outlined above, it is not recommended, especially for business use.  Users can easily bypass confidential mode by using Firefox’s style editor or using the “save page as” button in the browser to download the email’s contents.

Can you lock a Google doc in Gmail to prevent sharing?

Yes, but the security is easy to circumvent.  You need to use a DRM solution to lock a Google doc and stop sharing, editing and copying.

Is Gmail confidential mode sufficient for PII requirements?

No if you use a free Gmail account (since TLS does not provide end-to-end encryption), but yes for paid Google Enterprise Workspace accounts if using S/MIME.  In summary, PII needs to be encrypted and certain security standards must be met to ensure that if an email is intercepted the PII won’t be readable – only S/MIME can provide this security functionality, which is not available for free Gmail accounts.

How do recipients open a confidential message?

For Gmail users, they open an email sent through Gmail’s confidential mode in the same way as any other email.  For non-Gmail users the email message content is replaced by a web link that must be clicked on to view the protected message.

Can you send a confidential mode email to non Gmail users?

Yes.  While the sender must be a gmail user, the recipient can be a non-gmail user so the email can be received in Outlook and similar email apps.  When they receive a confidential email or message from a Gmail account, it appears as a link that they must click on to view the email in a web browser.  This should come with a word of caution however since fake links are often used by hackers for phishing attacks and could be used to install malicious software on the recipients computer.

4 reasons why Google confidential mode is not secure

1. Restrictions are only enforced in the Gmail client so other email apps can simply ignore them.
2. Attachments can be downloaded (particularly easy if PDF files).
3. It does not provide end-to-end encryption of email messages unless you purchase Google Workspace Enterprise and enable S/MIME.
4. Non Gmail users receive a web link to a protected email.  This can be shared along with the passcode.  It could also be replaced by a malicious link that enables a hacker to attack a device.