The point of confidential mode is for corporate users. When the CEO sends out that confidential mail to the company, it adds a speed bump to users who are about to copy out data that they have been told they should not, so they get a chance to realize they should not do this, and then removes all plausible deniability when they choose to bypass that speed bump.
Actually, in many corporate cases BOTH parties want to keep the info confidential - the CEO sends over salary details to CFO to load into payroll system. After it's all loaded and printed for the files (or saved in the HR system), they BOTH want it to auto-expire out of their emails, but both are too busy to scrape back through old emails after a month to delete things.
So this confidential mode lets this happen naturally. When the CFO's email is hacked (which it will be eventually at some company), all is not lost.
Some messages are MUCH more sensitive than others. You might have a default 3-5 year rule (many corps do). That’s way too long for some messages.
Especially if sending across an OU boundary where you don’t know the retention treatment, this will be great.
Sales teams can be very sloppy with email -> auto import into CRMs, sharing permissions, delegating permissions, running their own optimization apps etc. Because they want to claim credit for sales, they don’t like tight retention limits etc.
Everywhere I have ever worked has a 30 day email retention policy. This would never change message to message. It’s a regulatory issue and you have no reason to retain messages longer than the minimum so you’re better off enforcing it at the server level.
Agree to that, it’s a pretty strong signal stating possible appropriate uses. If I receive an encrypted MS Office document with a Do Not Forward policy, I know that if I want to share it further I need to ask permission from the sender.
Both Google and MS provide a disclaimer that explains Information Rights Management can't prevent "malicious programs" from bypassing the restrictions.
> It can still be accessed by Google and potentially exposed to governments or hackers.
The article makes the classic mistake of assuming everyone has the full security apparatus of a country after them.
This feature is obviously not built as an alternative to Signal or for the Snowdens of this world. Those probably know better than to use unencrypted email already. For the average user it's an improvement of the current status.
So you reference Snowden then pretend dragnet surveillance doesn't exist?
If you are on the internet the NSA is spying on you and everyone else.
This is not an improvement because it makes guarantees that simply aren't true. These compromises are made to further Google's bottom line, not protect users. Don't pretend this is some kind of incremental improvement. It's a marketing gimmick.
Though since the Snowden leak Google really upped their game. Everything internally is encrypted in transit and at rest. Even when you use Google Cloud you automatically get encryption at rest.
It would take a very concerted effort. There are multiple levels of encryption and the best practice is that only verified builds can run in production and only non-humans are ACL'd to access security keys. Any attempt to do so would be limited to a very small group of people, trivially logged, caught by AI for inappropriate behavior, and cause a firing.
Right but Google owns the encryption, which means I have to assume they are reading the messages. They changed their policy once, they can change it again.
Right, but the switch is flipped from passive collection to active targeting in secret court hearings* and if they already have been passively collecting, you could go from no concern to being actively targeted without ever knowing.
They couldn't do this if they weren't drag-netting.
*FISA courts have 11 denied requests and over 34,000 approved.
11 denied requests? Those prosecutors must have been sloppy. Usually you don’t see denials because prosecutors know well enough not to waste the court’s time.
+1
The comment underplays the surveillance by using the benign mask to protect its sinister causes. Surveillance has been used to gain economic advantages (as was widely reported), and more importantly geopolitical leverage.
For instance, India, a nation run by English-speaking elites, has conducted all the affairs of the nation on Google's servers - such bumbling idiots, normal as they are, are the targets of such a PR campaign. "Oh, you don't have to worry about it. You're not a terrorist.."
> If you are on the internet the NSA is spying on you and everyone else.
Citation needed.
> This is not an improvement because it makes guarantees that simply aren't true.
No, ProtonMail pretended it made guarantees that it doesn't make. Just like the exact same Exchange/Outlook feature that people have used for years, this is to prevent accidental copying of emails and their contents.
> A variety of laws allow government agencies to investigate regulatory violations or criminal activity. Google receives requests for user data from government agencies investigating criminal activity, administrative agencies, courts and others.
> ...
> A federal statute called the Electronic Communications Privacy Act, known as ECPA, regulates how a government agency can use these types of legal process to compel companies like Google to disclose information about users. This law was passed in 1986, before the web as we know it today even existed. It has failed to keep pace with how people use the Internet today. That's why we've been working with many advocacy groups, companies and others, through the Digital Due Process Coalition, to seek updates to this important law so it guarantees the level of privacy that you should reasonably expect when using our services.
Is a citation really needed about the NSA collecting basically all the data on the Internet? This is "common knowledge" in information security circles. Go look up the battles the EFF has fought with the NSA about their data collection practices. The NSA is continually building giant data warehouses everywhere... they probably have more data centers than any other organization in existence. They collect all the data.
It's pretty common for people to throw out "citation needed" when they don't want to believe or admit something, but can't plausibly deny it. Sort of the same way people use the term "fallacy" these days.
IMO "Citation needed" is a quick way to say "do you have a source for me?", and "fallacy" (hardly used without also mentioning the specific fallacy) is a quicker way to say "I recognized logic flaw X in your argument".
You are free to see harm in these statements but telling me they are always meant as harmful as you mentioned is your own negative reflection. Not mine or ours, we are free to have our own interpretation as well.
I think citation needed carries a connotation of “I don’t believe this is true.” It is just a lazy way to converse if you are engaged in a genial conversation in good faith. “This is new to me, can you share some references?” I appreciate we can be technical and to the point, but given the context, I felt my response was appropriate.
I do understand you interpret it as "I don't believe this is true" but my explanation "do you have a source for me?" is also a likely explanation. If I then apply the HN rules where the reader must assume good faith and interpret posts in the most positive way, I'm leaning towards assuming "do you have a source for me?"
> Is a citation really needed about the NSA collecting basically all the data on the Internet?
Honestly, yes. According to some random infographic I came across, Americans use ~2 million GB (2PB) of data per minute. We'll round down and call that one EB per day. So round down again and call it 300 EB per year (a high estimate would be 1K EB, or 1 YB). That's more than the entire global output of disk storage annually, and the NSA aren't the only ones who want hard drives.
Keep in mind that much (most?) of that data is encrypted in transit, so targeting exactly which data they want is not always possible.
...But they don't know it's the same youtube video. It's just encrypted bytes from a connection to youtube.com. Now you might be able to infer from metadata what the video is sometimes, but given that youtube does things like dynamically change the resolution it sends over the wire based on network congestion during a single watch session, it's not clear that size and length metadata would be enough to dedupe.
It is endearing to me that people still think the NSA can't break most of the TLS traffic on the Internet. I have my doubts about the security provided by traffic that transits US soil and is protected by US CAs. High skepticism would be a better way to put it. Citation needed, and I don't have one, but it is safest to assume they have this capability, and before anyone gets up in arms about this statement, I do understand how certificate authorities and TLS work and I don't think they have to break it cryptographically.
Keep in mind there are side channel attacks that let you guess passwords typed via SSH. I wouldn't be even a little surprised if the side channel leakage of most Internet traffic zooming around via TLS is good enough that the NSA can sort it pretty easily. This is all theorizing on my part, though.
What we do know is they can probably collect a huge amount of useful traffic and store it for a relatively short, but useful amount of time (weeks, probably). Kind of like a ring buffer. Systems are always sifting and flagging and saving some portion of what they are collecting, including raw traffic. Also consider that there are lots of ways of unmasking the basic metadata of the streams through any number of leaky things happening in the web browser.
This traffic is collected in an un-targeted fashion. They just promise (pinky swear) they don't look at it without a search warrant. Then a search program executes and they retrieve it from the data stores. Think about that legal theory, because that is exactly what Michael Hayden testified to. I don't know if it is just an age gap or something else, but I think people on HN are not aware of the extreme data collection the NSA performs and the ongoing threat this is, and continues to be, to privacy.
Anyhow, I think the generation after millennials should be called the surveillance generation, because it's all tracked. I just can't understand the skepticism at what the NSA is doing because of some lazy back of the envelope math. Anyway, this isn't really targeted at you as a reply, but this whole thread... there was a time when this sort of skepticism was basically the norm in technical circles with little doubt. Now I see it eroding in general tech circles.
Nothing that you conjectured is supported by any documents. Snowden grabbed pretty much everything he could get his hands on as a SharePoint admin, so if any of that were true, it would have made its way into bigger news than the ho-hum stuff that was reported.
> The undisputed documents show that AT&T installed a fiberoptic splitter at its facility at 611 Folsom Street in San Francisco that makes copies of all emails, web browsing and other Internet traffic to and from AT&T customers and provides those copies to the NSA. This copying includes both domestic and international Internet activities of AT&T customers. As one expert observed, “this isn’t a wiretap, it’s a country-tap.”
> Secret government documents, published by the media in 2013, confirm the NSA obtains full copies of everything that is carried along major domestic fiber optic cable networks.
> Secret government documents, published by the media in 2013, confirm the NSA obtains full copies of everything that is carried along major domestic fiber optic cable networks.
This is utter nonsense posted by somebody who has the reading level of a Snowden or a Greenwald. There is no such document. Can you point me to one?
That you pointed to PRISM as an example, a system that processes communications from specifically targeted foreign individuals already obtained by the FBI, shows you haven't read any of the documents.
Utah. There is a very high chance this conversation is now sitting on a disk in Utah for a bit. Collectively the NSA has built or leases more data center space than almost any other entity on the planet. Maybe not even the big four (goog amzn fb) rival them. What are they doing with all that space and black budget?
> Is a citation really needed about the NSA collecting basically all the data on the Internet?
Yes because this claim is preposterous. You don't even need a napkin to show this is impossible.
> This is "common knowledge" in information security circles.
The "common knowledge" in Internet industry circles is that Snowden misinterpreted several documents and made wild claims about what they said.
> Go look up the battles the EFF has fought with the NSA about their data collection practices.
Snowden's documents showed that the EFF arguments about what was happening at AT&T were unfounded. The documents showed that instead of copying everything, they filtered to traffic to or from certain foreign targets outside the US.
I think that is honestly not what those documents show at all. How they actually do it is ripe for abuse and egregiously broad and beyond the scope of simple foreign monitoring.
> I think that is honestly not what those documents show at all.
Then either you have the same reading errors as Snowden, or you haven't looked at the actual documents instead of Greenwald's incompetent reporting of them.
Part of the Snowden revelations was that the German intelligence agency was using one of the US-developed tools in return for feeding back keyword-based searches of that very same German traffic they were processing.
Keywords like djihad, Siemens, Krupp, Deutsche Bank, Airbus, Santander, Dassault, ...
The BND was in essence helping the NSA do industrial espionage on both their own and fellow EU companies, as they were too idiotic to actually check the keyword lists or for whatever reason felt they couldn't refuse.
So if the NSA is actively and purposefully doing industrial espionage there is little doubt that Gmail traffic is vulnerable to US spying and should simply not be used in sensitive settings.
It's an article posted by protonmail, an email service that would be used by the Snowdens of this world. I think it's just a nice way for them to further get their company name out.
> The article makes the classic mistake of assuming everyone has the full security apparatus of a country after them.
Why build something half-assed when you can do it right? I'll tell you why... it's because of those secret letters from the NSA... (the NSA = the real leader in our Government)
"Options for recipients to forward, copy, print, or download this email's contents will be disabled."
I simply don't understand how they think they can get away with this foolishness. I can forward, copy, print, or download ANYTHING that passes over my ethernet cables. Your silly UI will ultimately never stop me from wiresharking my own cables in my own home and doing whatever the hell I want with any bits of information that enter my space.
All it does is fool a bunch of less-tech-savvy people into a false sense of security.
Consider for a moment: a company or school set up as an Enterprise Mobile Device Management provider, handing out ChromeOS devices to everyone, setting up their GSuite domain so that nobody can connect to their GSuite GMail accounts except through the ChromeOS device (or an equivalent MDMed mobile device), and setting up an automatic, un-disable-able VPN on those devices for accessing Google domains.
I think that’s the scenario Google had in mind when designing this feature. For enterprise users, where the enterprise controls the hardware, the policy-level controls actually have teeth, because people don’t have root over the devices in their possession. For everyone else, it’s not “real security”, but rather just a gateway drug to get you used to the workflow that “real security” would provide in an enterprise context.
(Context: I used to work at IBM, and they had a very similar setup—company issued laptop, app that enforces MDM profile installation, VPN that checks with the app to ensure MDM is active before connecting, email servers only accessible through said VPN, and, on top of all that, a policy-enforcing email app [IBM Notes] where you can delete already-sent things out of other enterprise-users’ inboxes, send expiring emails, etc.)
It's worth mentioning that all these measures can be fairly trivially defeated by the analog loophole[1]. I suppose it's harder to prove authenticity in that case, however.
Allow me to sell your organisation some VR goggles with iris-reading DRM protection. Your browser won't display on any other screen. And Google Services won't work in any other browser.
Sure it's harder, and it will not stand up in a court of law probably. But there probably have been and still are a ton of spies, national and industrial, who do exactly this, memorize things.
As an employee of a very large corporation, are you trying to claim special inside knowledge about the strategic thinking of the corporation? Are you in or do you report to the C-suite?
If not, consider that you might be making your own broadly wrong assumptions.
There are undoubtedly a variety of ways to bypass things for a motivated attacker. Analog is likely only one of those.
The thing that a lot of these measures protect against is not so much a targeted attack, it's stupid user tricks. It's not protection against Jane the Spy extracting as much information as she can, it's a measure against Danny the drunk who leaves his laptop at a bar or sitting in the back seat of the car where it's visible and stolen.
There are also likely a lot of places where it would be illegal to use something like this with auto expiring messages, though hopefully most such places won't be using Gmail.
But as a worker in a corporation, the chances that you would want an email so badly that you start breaking more corporate rules trying to get a copy of an email is very unlikely at least for common everyday work.
This could be a useful feature when dealing with PHI, legal, HR, etc.
I know people who have taken photos of protected documents with their phones to send to their team, because IT couldn’t get their permissions working properly. It seems like it’s not worth the risk to break an obvious rule like that, but when you’re the manager the responsibility lands on you to get your team the info they need.
Yes, that's the risk exactly. If you start taking pictures of PHI on your phone over and over, eventually your manager (like the one above you) is going to get fed up and drive you or fire you out of a job.
>as a worker in a corporation, the chances that you would want an email so badly that you start breaking more corporate rules trying to get a copy of an email is very unlikely
This seems like it should be true, but having worked with end users in the past I would not take this for granted.
I disagree, there have been politicians that go through the trouble of setting up their own email server in their basement because the official way is too arcane or not comfortable.
They said corporation, not government. Do you have an example of a low level employee or C level executive using a private email server for their official communication?
The analog loophole can’t prevent leakage but steganography can trace it back to its source. IIRC Windows 8 prerelease copies used to put an imperceptible watermark on the screen of the user account. When a leak was published to the news a simple filter would tell Microsoft who to fire.
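An added example of the leak-tracing watermark the comment describes (my code, not any commenter's and not the scheme Microsoft actually used): a 16-bit recipient ID is spread over a grayscale "screen" as small per-block brightness nudges with a secret-keyed sign pattern, and recovered by comparing block means against the unmarked original, which is what lets it survive the blur and sensor noise of a phone photo. The sample image, the recipient ID 0xBEEF and the key 0x5EED are all constructed for the demonstration.

```python
import random

# Constructed layout: 128x128 grayscale screen, an 8x8 grid of 16x16 blocks.
WIDTH = HEIGHT = 128
BLOCK = 16
ID_BITS = 16            # recipient ID width; each bit is carried by 4 blocks
STRENGTH = 4            # per-block brightness nudge on a 0..255 scale
KEY = 0x5EED            # constructed secret; the decoder needs the same key


def make_image(width=WIDTH, height=HEIGHT):
    """Constructed sample screen: a soft gradient with a text-like striped band."""
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            v = 120 + (x * 60) // width
            if 32 <= y < 48 and (x // 4) % 2 == 0:
                v = 30                     # dark 'glyph' strokes
            row.append(v)
        img.append(row)
    return img


def block_pattern(key, n_blocks):
    """Secret-keyed +1/-1 chip per block so the nudges look like noise."""
    rng = random.Random(key)
    return [rng.choice((-1, 1)) for _ in range(n_blocks)]


def block_mean(img, bx, by):
    total = 0
    for y in range(by * BLOCK, (by + 1) * BLOCK):
        for x in range(bx * BLOCK, (bx + 1) * BLOCK):
            total += img[y][x]
    return total / (BLOCK * BLOCK)


def embed(img, recipient_id, key=KEY):
    """Mark a copy of img: block i carries bit (i % ID_BITS) of recipient_id."""
    h, w = len(img), len(img[0])
    bw, bh = w // BLOCK, h // BLOCK
    chips = block_pattern(key, bw * bh)
    out = [row[:] for row in img]
    for by in range(bh):
        for bx in range(bw):
            i = by * bw + bx
            bit = (recipient_id >> (i % ID_BITS)) & 1
            delta = STRENGTH * chips[i] * (1 if bit else -1)
            for y in range(by * BLOCK, (by + 1) * BLOCK):
                for x in range(bx * BLOCK, (bx + 1) * BLOCK):
                    out[y][x] = max(0, min(255, out[y][x] + delta))
    return out


def extract(marked, original, key=KEY):
    """Recover the ID: each bit is a keyed majority vote over its 4 blocks."""
    h, w = len(original), len(original[0])
    bw, bh = w // BLOCK, h // BLOCK
    chips = block_pattern(key, bw * bh)
    votes = [0.0] * ID_BITS
    for by in range(bh):
        for bx in range(bw):
            i = by * bw + bx
            diff = block_mean(marked, bx, by) - block_mean(original, bx, by)
            votes[i % ID_BITS] += diff * chips[i]
    return sum(1 << b for b, v in enumerate(votes) if v > 0)


def camera_capture(img, seed=7, noise=6.0):
    """Simulate the analog loophole: a phone photo = 3x3 blur + sensor noise."""
    rng = random.Random(seed)
    h, w = len(img), len(img[0])
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            acc = n = 0
            for dy in (-1, 0, 1):
                for dx in (-1, 0, 1):
                    yy, xx = y + dy, x + dx
                    if 0 <= yy < h and 0 <= xx < w:
                        acc += img[yy][xx]
                        n += 1
            v = acc / n + rng.gauss(0, noise)
            row.append(max(0, min(255, int(round(v)))))
        out.append(row)
    return out


if __name__ == "__main__":
    screen = make_image()
    leaked = camera_capture(embed(screen, 0xBEEF))   # constructed recipient ID
    print(hex(extract(leaked, screen)))              # -> 0xbeef
```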
I would have thought that IBM and other corporates would be keen to have things like Confirmed Delivery, Non-repudiation and all the other nice things that X.400 (88) and X.500 promised.
> I used to work at IBM, and they had a very similar setup—company issued laptop, app that enforces MDM profile installation, VPN that checks with the app to ensure MDM is active before connecting, email servers only accessibly through said VPN
Unless you were on a Fedora workstation.
That was a fun discovery. Never figured out who at IT I should inform before I quit.
Or screen capture, or inspect element, or taking a picture with your phone, or JS injection, or using an extension, or IMAP...
The only way for this to work is to restrict the user freedom so much it will:
- cost a huge amount of money
- lower the productivity
- kill the mood of everybody
My take on this is that if your industry really needs this kind of feature, either you suck as a human being and I don't want to work for you, or you are doing something amazing and secretive and in this case you don't use gmail.
Well, I tried it out. At least the IMAP is partially mitigated since you basically get a link to a separate web page -- the contents aren't embedded in the email itself.
On the other hand, that means there's no reason to resort to something as complicated as JS injection or dev tools. Screenshots will usually work fine, because messages aren't threaded, so you'll likely get the entire message showing up on one page. They do block Ctrl-S, they use a click handler that prevents it from reaching the browser. Very fiendish, very clever. Except that the save button still works in the menu.
On the plus side, I'm now wondering if that, "go to the top of your menu and hit the file->save button" exploit would make me eligible for a bug bounty, since according to their documentation I should need malicious software to download the message. I guess Chrome falls into that category though?
> Well, I tried it out. At least the IMAP is partially mitigated since you basically get a link to a separate web page -- the contents aren't embedded in the email itself.
Wow, so it kills your offline productivity as well, and of course makes backups and archiving harder. I know it's kind of the point, but I hadn't realized the implications of it until you said so.
>Note: Although confidential mode helps prevent the recipients from accidentally sharing your email, it doesn't prevent recipients from taking screenshots or photos of your messages or attachments. Recipients who have malicious programs on their computer may still be able to copy or download your messages or attachments.
If you click the "learn more" in gmail it says that ^. Gmail seems pretty upfront about what "confidentiality mode" does.
> Recipients who have malicious programs on their computer may still be able to copy or download your messages or attachments.
Even this is really poorly worded. You don't need a "malicious" program on your computer, you just need to go to your browser menu and hit the print button.
This still makes it sound like the average user won't be able to save your email unless they're doing some kind of tech mumbo-jumbo -- that your real risk is if an IT person gets a hold of it. But printing or saving a web page are basically the first thing I would teach anyone to do if I were mentoring them on how to use a computer.
Probably every secretary in your office already knows how to get around this restriction.
To address your concerns, every major browser supports css media queries. Gmail could simply hide the elements when the user tries to use the browser's print button. Again, this is designed to remove plausible deniability, not to provide an actually secure service. It's still email after all.
Very nice catch -- I checked and they do use media queries during print-to-pdf.
Saving the webpage itself works fine though -- which again, is a browser feature your secretary probably knows about and is comfortable using.
I guess my objection to the idea that this is just removing deniability is that it really doesn't feel to me like it's being marketed that way. I wouldn't call a service like this "confidential mode", I would call it something like "auto-delete mode". Maybe I'm just arguing over semantics though.
> Recipients of the confidential message will have options to forward, copy, print, and download disabled.
Doesn't seem to be that easy. You're probably not going to get a copy without taking a screenshot, opening up developer tools or digging into your browser's cache.
I checked, you can go to the menu at the top of your browser, and hit File->Save Page As. It took me about 15 seconds. You can also save the page as HTML only, which both prevents any weird clientside tricks that Google might like to try in the future and makes the file more portable.
Assuming you don't want to save the HTML page, you still might not even need to download a separate program to screenshot it. New installs of Firefox just have a button on the toolbar labeled, "Take a Screenshot". It'll grab the entire page without forcing you to do any scrolling, and doesn't require you to know anything about HTML. I tested, and it bypasses all of the security features on confidential emails.
People are arguing that this is designed to prevent accidental sharing, which is a really good point that I think I agree with overall. However, HN is a tech site and I'm seeing comments that say the only way you could beat this is to dig into your developer tools.
If a nontrivial portion of HN users think this service is more secure than it actually is, how much more uninformed are ordinary users? Saving a web page is not going to be a difficult problem for most people in your office to solve. So my objection here would be, Google isn't doing a good enough job of informing even tech-literate people of just how easy this is to circumvent.
A CEO is going to look at this and think, "well, I guess they're doing voodoo magic so most people in my office won't be able to share." The reality is, pretty much anyone in your office who wants to be able to beat this will be able to figure out how to do so.
But it’s (quite literally) _not_ upfront when the pertinent information is hidden behind “learn more.” I’d be curious what the click-rate is on that link.
Also, I can think of a lot of ways to bypass the “confidentiality” settings that require no malware whatsoever. Not only is their giant asterisk hidden, it’s wildly inaccurate and misleading.
It is using "malicious" to mean "intending to circumvent your intention to keep this email confidential." Is there a different word that could be substituted to maintain that meaning?
IME the "artificially and ineffectively trying to enforce e-mail confidentiality" part is malicious in itself. You don't get to tell me what I can do with a physical letter I get from you, so you shouldn't be able to do that with an e-mail either.
Actually, I was just pointing out the tautology B -> (A -> B). If you have B, then sure, A implies B, and not-A also implies B.
Although on further consideration, my previous comment may actually be wrong: "malicious programs" includes ones that attempt to violate the user's right to copy, and recipients who do not have the malicious program Gmail on their computer might not be able to copy or download your messages or attachments.
Why is it hard to understand? Because your average user will not "wireshark their own cables", and those who do will use different methods of secure communication. You'd be surprised how many users are unable to bypass various extremely simple restrictions - and this is the target market for these features.
On top of that, self-deleting email will also make it a bit harder to prove that the screenshot is real - unless you get a court order to get the sender's outbox folder from Google and the data still exists there.
How do you know this? Enterprises have archival/deletion policies automatically applied and emails you forward to outside parties are often tracked in legal hold platforms.
It's not unusual for whole sales organizations in particular industries to have all emails archived under legal hold requirements (whether sent or received.) Another set of organizations will purge all of the same email older than a certain date.
None of these measures are particularly hard to defeat for a bright user, but many of the risks at the company-level are mitigated. This is mostly to solve challenges with regulation or company certification, but it can make a real difference when someone is handling a privacy incident.
All DLP products are like this. They impose basic limitations that can easily be bypassed by anyone remotely technically inclined.
I've come to the conclusion that these products are just to cover the low-hanging fruit situations of someone accidentally doing something that they shouldn't have. In other words, it's a UI integrated "DO NOT FORWARD" message from an e-mail.
I think this is correct. This is to help management say that if there is a policy and it’s violated, it can’t have been accidental, because extra conscious steps have to be taken which violate policy. Making it easier to make people adhere to policy (and discipline as well).
Really, it keeps honest people honest. It's like a lock on a gate: anyone can get around it, but if they see that it's locked (or they can't forward a message) then they won't try to circumvent. I don't see why it's so hard for some to understand this.
Who cares? This isn't supposed to stop anyone from intentionally doing bad things, this is supposed to make people stop and think "Huh, maybe I'm just not supposed to forward this email"
It's really bizarre that so many people on HN can't seem to understand this. Do you guys ever interact with other human beings?
That's an outlandish take, because it's entirely divorced from what Google is claiming.
If they were saying, "this feature makes it clear to your employees that they shouldn't forward this email" then this entire HN thread would not exist.
This article is put out by a competitor. Also a significant portion of people on HN really don't like big tech companies (which is fair but besides the point here), so I would've been more surprised if there was a nuanced conversation about it here.
I think of it less as stopping people from 'getting around' the 'security' and more an extra level of protection & awareness against accidental forwards or replies.
e2e encryption solves a totally different problem. If you don't trust the intended recipient of a message, don't send it. e2e helps make sure nobody else receives the message.
Google is making an entirely different claim about controlling the actions of a third party. It's fundamentally impossible to do what Google is claiming.
That the recipient can't "forward, copy, download, or print" the message and that the message expiration will prevent the recipient from viewing the message.
Won't the light from the copier reflect off the screen and ruin the image?
When I was in college (early 2000s) a local company sold notes/study guides for different courses. But they were printed in black text on dark green paper to prevent photocopying and sharing.
Good idea on their part but I used my digital camera to take photos of the pages and cranked up the details to make them look like blackish text on whiteish paper. Ended up selling them to all my friends.
So open the e-mail on a Kindle, or put an antiglare screen in front of your phone, or just take a picture of one phone with another phone if the screenshot button doesn't work.
I do remember some app not "letting" me screenshot something with stock Android, which I felt to be a violation of my freedom. Obviously in my case just use a modified Android ROM without the silly anti-screenshotting logic, or screenshot it with adb over USB, but for the less-technically inclined, take a picture of the phone.
> I do remember some app not "letting" me screenshot something with stock Android, which I felt to be a violation of my freedom.
Bank apps tend to do that. When I first hit this issue, it also felt like a violation of my freedom, and it was also very annoying because I badly needed to make that screenshot.
I think bank apps do this less to stop you from making screenshots, and more to stop that new Candy Clash app you just installed from making that screenshot.
It's not the point. Most "information theft" is people not realizing that they shouldn't share the information. If someone is dedicated enough to exfiltrate information they'll just take a picture of the screen. But now it's really clear that that's what they're doing.
Source - same discussion years ago at Microsoft when Windows introduced this at an OS level to prevent screenshots of confidential mail.
No foolishness. Such features are intended to enhance handling of sensitive data when users' laziness, or lack of understanding, is the problem - and it works well in this way. A malicious recipient can do anything, of course, but usually you don't send your secrets to people you don't trust at all.
> Your silly UI will ultimately never stop me from wiresharking my own cables in my own home and doing whatever the hell I want with any bits of information that enter my space.
Their silly UI won't, but what about HTTPS? Won't wiresharking your own cables only get you the ciphertext from the HTTPS session which would be useless to you without the ephemeral key?
There is honestly no actual demand for something like that, I'd guess. Screenshots are easy, and your OS usually comes with a built-in tool. And how to use that tool (or find a tool) is a matter of typing "how do I screenshot on X" into google.
And if even this is still too "technical" for a user, I have seen people take literal shots of their screens, with their phone camera or whatever.
Exactly. Especially on a desktop operating system. On iOS at least you can have applications give notification over things like screenshotting i.e. Wickr, but if you are on desktop it's stupidly easy to retransmit or download the contents of an email. Maybe Gmail is just admitting that this is the reality (which it is).
Well you can't claim anything as "secure" either because someone somewhere has a 0-day. It just depends on where you draw the line, and for what application you're using it.
Dude, come on. You do understand. The feature is like a fence in a yard. It separates the honest from the dishonest, forcing the clueless/negligent/reckless to pick a side.
Nobody believes fences stop criminals, and nobody believes Gmail has ended the DRM arms race.
I agree with the thrust of your comment, but this isn't true. Measures like this do prevent some crime. When I didn't lock my car and someone stole the gift cards out of it, locking the doors would have prevented it. Just because the car is still stealable doesn't mean door locks are security theater. Putting an unlocked package cabinet for deliveries on your porch lowers incidences of theft without making it impossible.
All of this applies to making a new protonmail account too
Requires SMS verification or an impassable captcha loop if over TOR
And payment with a credit card
The cryptocurrency payment option with non-user identifiable info only being available to existing protonmail accounts where that info was already harvested
So it is ironic to see protonmail calling out those specific things about gmail confidential
Protonmail does those things to try and prevent bad actors or bots from making encrypted accounts to hide their shady tracks. Not for data collection that they'll sell for a profit. Don't be so glib as to state you can't see the difference.
> No personal information is required to create your secure email account.
requires personal information to create the secure email account
"Protonmail does those thongs to try and prevent bad actors or bots from making encrypted accounts to hide their shady tracks."
oh okay, pack it up everyone, don't listen to glib ole me coming to a rational conclusion
it's IRONIC that I have to trust them as much as I have to trust Gmail confidential's claims about what they may actually do with the data collection. or what they may be coerced to do with the data collection. "Swiss law" doesn't prevent that.
We send confidential docs regularly to users, who need access to those docs for perhaps 1 week at most. No one wants / needs to keep these around, but no one goes through their email carefully to delete these items.
If that user's email was hacked -> they have a big problem. If we can mark the items for a 3 week retention and then expire those items for them, that's great - and this lets us do that.
The whole I can wireshark my network -> 99.9% of the confidential info we send goes to other folks who ALSO want to keep it confidential. Getting rid of stuff you no longer need to maintain is a key way of helping avoid big document dumps.
The proof is in the pudding. Either this will help google sell to business (it will in our case in a big way). Or folks will say it is a stupid feature and decide idiots like Protonmail who can't seem to understand the point of these features now deserve our business. My confidence in a place like protonmail goes down based on this, and I'd love to get a feel for their security history and overpromises (ie, webmail client has got to easily be able to log and hack encryption etc).
There's no need to call Protonmail idiots in order to put across your views on the subject, keep it civil. Plus, it makes your argument look weak if you have to resort to name-calling.
"Gmail confidential mode is little more than a marketing strategy."
FALSE - This type of approach has real and direct security benefits. The fact that proton can't understand that makes them idiots.
"Gmail’s confidential mode is little more than a marketing trick designed to pacify users concerned about privacy."
FALSE - Many business users using google are less concerned about privacy than they are about SECURITY. In the business context, most privacy is already given up, your employer can go through your emails. They can vault them up, do e-discovery on them etc etc. These aren't folks fighting off nation states. These are folks where someone in the office WILL click the bogus link and have their account taken over - and the business wants to reduce the blast radius.
Saying this is a marketing "trick" is silly and the fact that proton can't see that makes them idiots.
These sort of features are really just security theater. If someone really wants to share your "confidential" docs they'll screenshot every page to do it.
BOTH parties want to avoid it sticking around in their email forever.
Do folks not work with partners who are sloppy with security? You send over your stuff. No one wants to leak it but someone's email is hacked. Do you want your stuff in their email still 5 years later?
Do folks not work in business? Bob sends Sue a draft of updated raises, Sue edits and adds some notes and sends them back. A final decision is reached. After some time the big list of salary info by position -> folks want that out of their emails. This would keep it out.
This is a REAL security benefit. It goes to show that folks like protonmail and other security experts don't have a good real world understanding of risks to info people face. It's not all state level hacking, it's folks being lazy, not cleaning out their email, then getting hacked.
I agree there is some benefit. But it also may lull people into a false sense of security thinking that information cannot possibly be copied outside the organization.
Stop posting articles with over the top language from obvious competitors calling a competitors feature a “trick”.
Talk about over the top language - “toxic fanaticism”? Really? The name calling of other posters you disagree with makes hn worse (my comments focused on a company not this community)
What's the problem with Google having a competitor, why are you so hyped about it? (This is why I think you're a fanatic)
Also, why are you so eagerly defending the big guy/monopolist in the room. Is this the attitude of an entrepreneur or hacker? One that is part of the "hacker news" community?
Apaec - can I encourage you to focus on the post / article and make comments about that rather than attacking other posters?
If you think this feature (which you don’t need to use) is a “trick” that has no value that is fine - explain why no one should use it - give some examples etc
Stop with the whole focus on other posters motivations, calling them “toxic fanatics” etc.
Google has lots of competitors - the big one is exchange / outlook - which has a confidential email mode. For a list of competitors look here:
@dang - I'm sorry I'm unsure of how this @ mention banning process works. Please do review apaec approach before following their request for a ban.
For example
"I guess it can't be proved that this guy is a shill for AWS. But this kind of toxic fanaticism (yet trying to sound logical) is just harmful for the HN community.
dang: Can this kind of behavior be punished?"
as an earlier comment around something to do with AWS. Why does someone "trying to sound logical" mean they are a "shill" or a "toxic fanatic"?
In this thread I'm called a "toxic fanatic" and there is a claim about my support for monopolies and my lack of desire for competition (all of which is totally untrue in actual fact) with no substance regarding the value (or not) of the privacy / confidentiality feature google introduced. I'm also threatened with a ban.
wow. you couldn’t be more wrong! protonmail knows very well that their point is false. it’s just free marketing for them. they are just hijacking the popularity of google to gain some benefit for their tiny company.
they aren’t idiots, they’re just failing and desperate.
This is a feature that Outlook already has and corporate users expect. It's for making forwarding sensitive emails or any of their content require intent instead of being accidental.
If "accidental" is the true worry, display a confirmation/warning box before forwarding.
There are valid reasons to need to forward even e-mails marked confidential, including lawsuits, harassment cases, or even just asking your own lawyer before signing an agreement, among others.
Deciding when a piece of information should not have been forwarded is the job of the workplace or law, not the e-mail client.
> There are valid reasons to need to forward even e-mails marked confidential, including lawsuits, harassment cases, or even just asking your own lawyer before signing an agreement, among others.
Those are reasons for employees to forward an email, not the companies who Google is selling to.
> If "accidental" is the true worry, display a confirmation/warning box before forwarding.
Gmail supports other MUAs using IMAP and POP, so that doesn't work.
The fact that there are valid reasons to forward sensitive emails is why there is an escape hatch. It's only the accidental forwards and copies that this is meant to stop.
We can invent a new e-mail header X-Confidential: true, and clients will start to adopt the warning behavior over time. If Gmail supports it off the bat it will already cover a huge fraction of the market.
When designing APIs I find that bools are often a smell or a missed opportunity. What if, for example, there was an X-Intended-Audience?
That could be integrated with Active Directory, Groups, IAM etc within an organization to make the warning only pop up when a potential violation is occurring which helps avoid seeing the warning so often that it gets ignored (or accidentally send to the wrong confidential party as in medicine or law). It could also inform IT after the fact.
Or we can build a system that just works and doesn't rely on adoption by other clients. Yes if we had a header that everybody used and respected it would work. But that's a lot harder.
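The header-based warning proposed a few comments up (an `X-Confidential: true` flag, refined into an `X-Intended-Audience` list checked against the forward's recipients) can be sketched in a few lines of client-side logic. This is an added example, not code from Gmail, Outlook, ProtonMail or any mail client; the two header names come from the comments, while the value syntax (comma-separated addresses or bare domains), the sample message and the `forward_with_check` behaviour are assumptions of the example.

```python
"""Hypothetical client-side check for the proposed X-Confidential /
X-Intended-Audience headers: warn before a forward would carry
confidential content outside its intended audience.

Added example, not code from any mail client. Header value syntax
(comma-separated addresses or whole domains) is an assumption.
"""
from email import policy
from email.parser import BytesParser

# Constructed sample message carrying both proposed headers.
SAMPLE_MESSAGE = b"""\
From: ceo@example.com
To: cfo@example.com
Subject: Q3 salary adjustments
X-Confidential: true
X-Intended-Audience: cfo@example.com, hr.example.com
Content-Type: text/plain; charset=utf-8

Draft raises attached. Please keep within finance and HR.
"""


def is_confidential(msg):
    """True when the (hypothetical) X-Confidential header is set."""
    return msg.get("X-Confidential", "").strip().lower() in {"true", "yes", "1"}


def parse_intended_audience(msg):
    """Return the normalized set of entries from X-Intended-Audience.
    An entry is either a full address ("a@x.com") or a whole domain
    ("x.com"); this entry syntax is an assumption of the example."""
    raw = msg.get("X-Intended-Audience", "")
    return {entry.strip().lower() for entry in raw.split(",") if entry.strip()}


def recipient_allowed(recipient, audience):
    """A recipient is allowed if its address or its domain is listed."""
    recipient = recipient.strip().lower()
    if recipient in audience:
        return True
    domain = recipient.rsplit("@", 1)[-1]
    return domain in audience


def forwarding_violations(raw_message, new_recipients):
    """Return the new recipients that fall outside the intended audience.
    An empty list means the forward needs no warning. A message that is
    not marked confidential never produces a warning."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    if not is_confidential(msg):
        return []
    audience = parse_intended_audience(msg)
    if not audience:
        # Confidential but no audience listed: every forward requires intent.
        return list(new_recipients)
    return [r for r in new_recipients if not recipient_allowed(r, audience)]


def forward_with_check(raw_message, new_recipients):
    """Model the client behaviour: refuse and report the offending
    recipients so the UI can warn, otherwise let the forward proceed."""
    violations = forwarding_violations(raw_message, new_recipients)
    if violations:
        return {"sent": False, "warn": violations}
    return {"sent": True, "warn": []}


if __name__ == "__main__":
    print(forward_with_check(SAMPLE_MESSAGE, ["payroll@hr.example.com"]))
    print(forward_with_check(SAMPLE_MESSAGE, ["friend@example.org"]))
```

The domain-level entry is what makes the warning rare enough not to be ignored: a forward to anyone inside the listed HR domain passes silently, and only a forward that actually leaves the audience interrupts the user. As the reply above notes, this only helps when every client on the path honours the header; a message that lands in a client that ignores it sees nothing.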
> Deciding when a piece of information should not have been forwarded is the job of the workplace or law, not the e-mail client.
You seem to misunderstand who controls the workplace. Within limits, the employer has significant control which increases or decreases based on jurisdiction.
Yes, these measures could limit an individual, but there are generally options like just asking the sender to forward a copy of an agreement/contract so that an outside counsel can review it. Denying review of a contract is a good way to get it invalidated.
I guess harassers could use this feature of the system to try to protect themselves, but it won't stop someone taking a photo from their phone. Realistically most organizations don't want to be complicit in that - even if they tend to default to silence - and HR only exists to protect the company.
The workplace can make that decision in advance and enforce it through Mobile Device Management. Which shows up as... the email client not letting you do the thing.
All of this is clearly explained in the setting to enable the mode for a domain. It's for making forwarding sensitive emails or any of their content require intent instead of being accidental, and people who are used to Exchange/Outlook already understand this feature. Domain administrators still need to keep copies for legal compliance.
Modes like this are not intended to provide hard security. They are not designed to deal with malicious recipients. Rather, they're intended to provide a barrier to accidental or unthinking dissemination of confidential content. It is also designed to prevent permanent retention and the ongoing risk that represents. It solves or limits the fallout from the "silly friend" and "new enemy" problems.
There is no way to convey information to a malicious human s.t. that human cannot convey it onwards to unwanted recipients. The best you can do is provide strong disincentives. Some options for doing this: make sure that your recipients generally don't want to hurt you. Make them fear you (even that doesn't always work, see [1]).
I like posts being out there like this. I expect many non-technical users will get the wrong impression about confidential mode. Impression is different from the stated words and can be filled in by our subconscious thoughts about the space between what is said.
When words are explicitly said it can cause people to think things through.
heh... my subconscious was sure there was a "from this article" at the end of your second sentence and had to reread it a couple of times to figure out what you were saying...
Article makes good points. But clearly they are promoting their own product, over Gmail, and compete directly with them.
One thing I find troubling is that they seem to be making their own false claim.
>Because we do not have access to the recipient’s private key, we are never able to read the message. We do have access to metadata, like the email addresses, timestamp, and subject line.
I am not sure how proton could send messages to anyone if they didn't know the recipients address!
EDIT: I'm stupid, please disregard this. They clearly state that they DO have access to metadata (for some reason my head read it as DO NOT).
> This is not an expiring email. It can still be accessed by Google and potentially exposed to governments or hackers.
This "expiration" could protect the receiver from subpoena/discovery ("Sorry I don't have it anymore") but it sounds like the sender is still liable to produce the original message on demand.
I first had this argument (obviously I was on the sane side of the argument) in 1994. Amusing to see it persist for 25 years and to even permeate Google.
Google is very good at protecting data from unauthorized access. Many of the people who work there see themselves, with justification, as the guardians of privacy in that narrow sense.
This makes all the pointy hair bosses out there demanding faxes and hardcopies seem wise. Imagine, getting an email that tried to block forwarding... the nerve.
Protonmail is a fantastic service, I switched to an account with them in the last few years and have not logged into my gmail since. Can't say enough good things about their offerings. I'm glad to see them making arguments like these in public to out their competitors practices.
I'm always curious how the Project Managers working on these projects think about posts like these. It's a very public call-out, effectively saying "this product is not what they say it is and is dangerous." Especially when it's obviously true, I'd be curious if anyone here can speak to the mental state of someone on the receiving end.
For example I was publicly put on blast for something that was false about me. So in that case I just blew it off because it was wrong, and no reaction was really necessary. It was still very stressful though personally and for my family. I wonder how these product teams across Google and FB primarily feel in these cases.
They probably eye-roll the deliberate misinterpretation of the feature by a competitor. Particularly ironic given that that company's marketing schtick is that the first listed security feature is "We are incorporated in Switzerland"
They don't handle it well. I worked on a service that had some severe technical constraints at a prior job. (Basically, we were hosting a vendor's network device to the cloud, and it really wasn't designed for it, and it also wasn't a really great device.) We had one customer that loved to blog about us. The customer wasn't being all that unreasonable (from their perspective) and the higher-ups knew about the constraints we were operating under, but they still panicked every time a blog came out about us.
More broadly, I think if you talk to any journo in the trade press, some companies can be incredibly thin-skinned about any perceived negative press, and threats and intimidation are very common for perceived slights. And the trade press typically rolls over because those companies are their advertisers. It's why you typically see so many puff pieces, how-tos and PR reprints rather than actual journalism.
You’re welcome. I found it fascinating at the time of the change, and still do, that email is sacred, but all other activity is open for manipulation-based advertising.
Nobody said the emails aren't scanned; they're just not used as context for ads. Obviously they're scanned, otherwise spam filtering wouldn't be possible.
I think there’s a difference between scanning all incoming mail for spam and keeping a detailed list of my purchase history by scanning my inbox for receipts somehow... If they aren’t using this data for context ads it must be being used for something else otherwise why would they do it?
The critical words in the statement are not "We will not scan or read your Gmail messages"; they are "to show you ads."
In other words, they reserve the right to scan or read your Gmail for any purpose other than showing you ads. So they can still read your email for things like creating that purchases list, as well as a myriad of other tasks. As long as that task doesn't involve showing you an ad, your Gmail is wide open to them.
Yes, Google isn't untrustworthy and doesn't care about the users privacy, we knew that, but the general public that isn't as aware (at this point it's hard to be completely unaware) also doesn't read this private company blog, so it doesn't really help much (except advertise the company).
We should be thinking of ways to improve the situation for everyone (not saying I have the solution), but personally (and unfortunately) I don't think this would have any impact.
I understand the perspective and opinion, but I like to think about incentives and consequences.
What's Google's incentive to protect your privacy, and what are the consequences if they fail to?
Compared to a firm that is marketing services on the proposition of privacy being at the core, the risks to Google's business, reputation and finances are likely minimal.
Whereas, if one of the firms that markets providing services focused on your privacy is found to be intentionally and wilfully violating that, it ceases to be a violation of trust and becomes a violation of contract, false advertising... essentially fraud, and the consequences of deliberately misleading and defrauding customers are more significant than an accidental (or wilful) privacy breach by a corporation that openly markets itself as not respecting its users' privacy.
You'd trust a company whose primary business model is based on the mass collection, analysis, and monetization of user data to protect your private data? Not saying I trust proton mail, but as far as I'm concerned Google is a malicious actor when it comes to my data same as Facebook, and I believe it's in individuals' best interest to limit their exposure
I trust the company who is under global regulatory scrutiny 24/7, and watched like hawks by every major news organization in the world for them to slip up.
If Protonmail fucks up, there's not going to be a NYT article about it.
I can't say for sure, but I'd guess that Gmail has many more paying customers than protonmail. This feature exists specifically for those paying (enterprise/gsuite) customers.