Sophos News

All G Suite users to get Gmail ‘confidential’ mode

Google announced on Wednesday that on 25 June 2019, its Gmail confidential mode will be switched on by default as the feature becomes generally available.

The feature gives G Suite users who use Gmail the option to send emails with expiration dates or to revoke previously sent messages. It also prevents recipients from forwarding, copying, printing, or downloading messages. Since confidential mode will be switched on by default, admins will have to switch it off if they so choose – for example, if they’re in industries that face regulatory requirements to retain emails.

Google introduced confidential mode for personal Gmail accounts last year and made the beta available in March 2019.

The screenshot/photo caveats still apply

As with other ephemeral-messaging services, including Snapchat and ProtonMail, there’s nothing stopping recipients from doing a screen grab of a message or simply taking a photo of it.

And as we noted in April 2018, when Google first gave admins a heads-up about confidential mode, there’s a reason why the company called it “confidential” rather than “private.”

For one thing, an email sent in confidential mode isn’t encrypted end-to-end. That’s unlike ProtonMail, the end-to-end encrypted, self-destructing email service.

Into the Vault with you

For another thing, confidential emails are going to live on Google’s servers.

As Google explains on its help center, its confidential mode works with Vault, a web-based Google storage spot where organizations can retain, hold, search, and export data to support their archiving and eDiscovery needs.

When somebody sends a message in confidential mode, Gmail strips out the message body and any attachments from the recipient’s copy of the message and replaces them with a link to the content. Gmail clients make the linked content appear as if it’s part of the message, while third-party mail clients display a link in place of the content.

Vault can hold, retain, search, and export all confidential mode messages sent by users in your domain, Google says. Vault has no visibility into confidential messages’ content when it comes to messages sent to your organization from external parties, though.
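
A retention check built on the behaviour described above, as an added example that is not from the original article or from Google: it flags received messages whose body is only a link to remotely held content, which is what an archive holds for confidential-mode mail from external senders. The link hostname, the 200-character threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# ASSUMPTION: hostname of the confidential-mode content link. It is not stated
# on this page; confirm it against samples from your own mail flow.
LINK_HOSTS = ("confidential-mail.google.com",)
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)[^\s\"'<>]*", re.I)


def classify(raw, link_hosts=LINK_HOSTS, max_residual=200):
    """Return 'content', 'link-only' or 'link-with-content' for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    texts, has_attachment = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            has_attachment = True  # the message carries more than a link
        elif part.get_content_type() in ("text/plain", "text/html"):
            texts.append(part.get_content())
    body = "\n".join(texts)
    if not any(m.group(1).lower() in link_hosts for m in URL_RE.finditer(body)):
        return "content"
    # What is left once markup and URLs are removed: a stub has only a short notice.
    residual = URL_RE.sub("", re.sub(r"<[^>]+>", " ", body))
    if has_attachment or len(" ".join(residual.split())) > max_residual:
        return "link-with-content"
    return "link-only"


HEADERS = "From: a@example.com\nTo: b@example.org\nSubject: Q3\nContent-Type: text/plain\n\n"
# Constructed sample messages, not captured traffic.
STUB = HEADERS + ("a@example.com sent a confidential message:\n"
                  "https://confidential-mail.google.com/msg/CONSTRUCTED-ID\n")
NORMAL = HEADERS + "Figures are in the table below.\nRevenue: 10\n"
QUOTED = (HEADERS + "See https://confidential-mail.google.com/msg/CONSTRUCTED-ID\n"
          + "notes " * 60)

if __name__ == "__main__":
    for name, raw in (("stub", STUB), ("normal", NORMAL), ("quoted", QUOTED)):
        print(name, "->", classify(raw))
```

Messages classified as link-only are the ones an archive cannot retain in substance, because the content stays on the sender's side and can expire or be revoked.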

To support Vault’s requirement to access confidential mode messages, Gmail attaches a copy of the confidential mode content to the recipient’s message, Google says. There are a few things to be aware of when it comes to that copy, namely:

How to use confidential mode

Confidential mode can be used on a desktop or through the mobile Gmail app.

Sending a confidential email

To switch it on:

  1. On your computer, go to Gmail, or on a mobile go to the Gmail app.
  2. Click Compose.
  3. In the bottom right of the window, click Turn on confidential mode.
    Tip: If you’ve already turned on confidential mode for an email, go to the bottom of the email, then click Edit.
  4. Set an expiration date and passcode. These settings impact both the message text and any attachments.
    • If you choose No SMS passcode, recipients using the Gmail app will be able to open it directly. Recipients who don’t use Gmail will get emailed a passcode.
    • If you choose SMS passcode, recipients will get a passcode by text message. Make sure you enter the recipient’s phone number, not your own.
  5. Click Save.

Revoke access to a sent email

You can also remove access early to stop a recipient from viewing the email before the expiration date. Here’s how:

  1. On your computer, open Gmail.
  2. On the left, click Sent.
  3. Open the confidential email.
  4. Click Remove access.

Receiving a confidential email

If you’re the recipient of an email sent in confidential mode: