Gmail's confidential mode is not confidential (tutanota.com)
65 points by rahuldottech on Sept 13, 2019 | 27 comments



This blog post could be shortened to:

> Gmail's confidential emails are just standard emails with some extra features like unprintable, unforwardable, uncopyable, and so on. However, this will not stop anyone from taking a screenshot from the unprintable email, just to print off the screenshot.

In fact, this is literally the second paragraph in their help article on the topic[0].

The rest of the blog post is FUD and an advertisement for their E2E email product (which also doesn't protect against someone taking a screenshot or taking pictures with their phone).

Yes, Gmail does have access to the email before and after it's encrypted, and "Google has access to its users' emails" is obvious; you'll have to choose who to trust, and Gmail users trust Gmail to not personally go snooping through their emails. Google says very few employees have production access to data[1].

0: https://support.google.com/mail/answer/7674059

1: https://gsuite.google.com/learn-more/security/security-white...


Shame on you for trying to deliberately mislead the readers here.

You are just trying very hard to trivialize and cast aspersions on the very legitimate concerns raised in the article by very selectively quoting from the article.

In fact, the actual point of the article is the very real and obvious issues of privacy concerns raised and described in the beginning of the article itself:

> Though pretending to offer privacy, Gmail's confidential mode comes with three major problems:

> 1. The emails are not end-to-end encrypted.

> 2. Google retains full access to the email even when you set a self-destruct timer.

> 3. If you password-protect an email, Google can link your recipient's phone number with their email address.

Privacy-aware and concerned netizens like me avoid GYM (Google, Yahoo and Microsoft) email services precisely because we do NOT want to be profiled by these corporates, so that our personal data is not used by them against us.

In fact, I have made it a policy to always send password protected emails (from services like Tutanota, Protonmail, Mailfence etc.) to users of GYM email services. I do this to ensure that these services have no access to my emails and hence cannot collect data on me through it.

When some users of these services complain to me, I explain to them that while I have no issues with them using the service or willingly sharing their personal data with them, I refuse to consent to be profiled when I actively AVOID these companies.

I highlight this in particular so that more can be aware that "shadow profiling" of users by GYM and Facebook, all for-profit mega multinational monopolist corporates, is a genuine privacy concern and should not be lightly dismissed, and we need to raise more awareness and demand better laws to be protected against it. Till then, unfortunately, we will have to depend on valuable services like these.

-----

More on the extent Google (and others) will go to "shadow profile" someone: https://www.forbes.com/sites/joetoscano1/2019/09/03/google-h...

-----

The actual context in which the quote you highlighted was said points out something different:

> Information classified as confidential relates by definition to something very personal or top secret. It must be kept from any and every third party by all means.

> This form of secrecy can only be achieved with end-to-end encryption. Encryption guarantees that only the people holding the key to decrypt the information can gain access to it.

> This is why end-to-end encryption is an absolute necessity when communicating confidentially.

> When sending an email with Tutanota, you have the option to send a 'confidential' email - which refers to an end-to-end encrypted email, or a 'not confidential' email - which refers to a standard email.

> With this definition in mind, Gmail's confidential emails are just standard emails with some extra features like unprintable, unforwardable, uncopyable, and so on. However, this will not stop anyone from taking a screenshot from the unprintable email, just to print off the screenshot.


> The actual context in which the quote you highlighted was said points out something different:

And I addressed the point the blog post made.

Privacy is a different concern compared to confidentiality. The HN title is "Gmail's confidential mode is not confidential", while the blog post only lightly focuses on actual confidentiality (something other email encryption services don't fix either since there are screenshots) and is largely about privacy. Sorry for mistaking what the blog post was going to primarily address based on the HN title.

But, there is a problem with the actual article in terms of what it's saying:

> Gmail as one of the major email services worldwide has realized that privacy concerns are rising constantly - and this is happening at a global scale. To meet this new demand for private and secure emails, Gmail has introduced a new feature: Confidential mode.

Um... no, it was neither created for the purpose of privacy nor security. Nowhere on the support article does it mention the words "private" or "secure", save the actual Privacy Policy footer. Privacy (in terms of Google knowing x and y about me or what's in this email) is not the same as confidentiality (preventing someone from quickly and easily forwarding the email to their friend).

Your privacy concerns are valid in every sense, but attacking confidential mode is effectively clickbait intended to get readers to buy into the encrypted email product and drop Gmail.


Is confidential mode actually trying to sell itself as an encrypted email service? Google's articles about confidential mode don't mention encryption [1], so I'm not sure why Tutanota is focusing so much on the lack of encryption. It seems to me that confidential mode is more about providing proof of receipt via SMS, and making it slightly harder for employees to forward emails to people not meant to receive them.

If I wanted to send an encrypted email, I'd do my encryption and decryption client side in my own terminal. Don't ever let the service's email client get access to the plaintext.

1. https://support.google.com/a/answer/7684332?hl=en


Google advertises this stuff as "confidential". You don't get "confidential" without encryption.

This is like a company advertising "our product will make your car use less fuel", and all they give you is a sticker that says "less fuel!" to attach to your car. But that's OK because they didn't say "our product uses 'technology'"?


I like the idea of someone tearing down Gmail's confidential email feature, but this article isn't terribly thoughtful. It mostly just repeats the same 2 or 3 points over and over (confidential mode isn't, end-to-end encryption is important, our product does end-to-end encryption). It feels like it was rushed out to get ahead of others who might write the same thing, rather than trying to educate people about what these terms mean to them and why they should be important.


It's not even rushing out to get ahead of others. Protonmail wrote basically the same blog post, point for point, three months ago[0].

[0] https://news.ycombinator.com/item?id=20242637


Since Google has named it 'confidential mode' and not 'secured mode', it is evident (to me at least, the word `confidential` means `me, you and anyone else you tell`) that there is no encryption. I won't use Gmail anyway if I am paranoid about security. I like this feature, hopefully this mode will also give options to decide longevity of incoming emails.


I think a major problem for most people (even in tech circles) is the lack of ownership over their email address. E-mail address portability is a real problem.

Edit: Is there a reason for the down votes? Lack of portability/ownership allows Google to change policies with fewer repercussions. Is it because my account is new?


There is no such thing as confidentiality, as long as you let someone transfer your data, be it Google, your local network provider, or a mobile operator. The only solution is end-to-end encryption, which obviously Gmail won't allow, since they need our data for their AdWords to target ads better.


IMO this is more about audits and lawsuits than about security. Many companies have policies about email retention, and this skirts those, enabling electronic communications that automatically shred themselves.


Exchange/Outlook has had this feature for years.


"However, this feature is neither confidential nor private as Google still has unlimited access to its users' emails, even when they use confidential mode."

Yes, that's how databases work.

If we use this same logic, is Apple not being private with your data?


> Yes, that's how databases work.

A database is, at its core, just a bunch of bytes structured in some way. There's nothing stopping you from storing an encrypted value in someone else's DB, and as long as you keep your secret private your plaintext is as safe as your encryption scheme.


Apple uses end-to-end encryption for iMessage, which is the only Apple-related confidential communication I can think of (well I have no idea what the guarantees around FaceTime are).


Uhm, Apple also holds emails, calendars, contacts and notes on their servers via iCloud.


Beyond explicitly using secure notes (which are encrypted), I don't recall Apple promising "confidentiality" of those things. I mean, I don't expect Apple to give that data to others, but I also don't assume Apple has no way of accessing that given a court order.


Notes can be set as secure, which encrypts them with a password Apple doesn't have access to.


1. The emails are not end-to-end encrypted.

2. Google retains full access to the email even when you set a self-destruct timer.

3. If you password-protect an email, Google can link your recipient's phone number with their email address.

I think those are valid concerns. Don't you?


I've not bought into the Apple ecosystem so I'm not totally sure how it works, but when you back up your files to Apple's servers, isn't it encrypted on your device before transmission in such a manner that Apple is unable to decrypt it on their servers? That's been my impression.

(There is the matter of Apple's software being closed source and maybe they could push a compromising update that pushes your data to their servers without encrypting it, but that's probably a matter for another discussion.)


As all the celebrities who got "hacked" and had their nude pictures released on the internet can attest to, this is not the case.

The reason for this is convenience: In order to encrypt something you need a key. If you derive the key from e.g. the account password, then some people will promptly forget the password. If you derive it from the device key, then people will lose or break their device. Either way, they will get mad at you when you tell them that yes, you can reset their password/key and restore access to their account, but all their backed up data will stay inaccessible. So Apple allows you to reset a password (e.g. by answering "security questions") and then you have access to some of your data again, which means Apple has to have access somehow to that data.

Apple divides the data they store into two categories: encrypted (to which Apple still has access if they want or need to) and end-to-end encrypted (to which they do not have access, so it will be gone if you lose the key): https://support.apple.com/en-us/HT202303

So e.g. your photos and videos and files in general are recoverable by you, Apple, or somebody who got hold of your password, or managed to reset your password. While e.g. your keychain is "End-To-End" and meant to be unrecoverable in the case of a lost key (well, unless your lost key was easily guessable and thus brute-forceable).
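As an added illustration (my own constructed sketch, not code from the thread, Apple or Google), the two storage categories described above and the earlier point that an encrypted value can live in someone else's database: a provider-held data key survives any password reset and is readable by the provider, while a key derived on the client from the user's password is not. The stream cipher is a toy built from HMAC-SHA256 and the function names are mine; it shows who holds the key, not a production design.

```python
import hashlib
import hmac
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    """Client-side key derivation: neither the password nor the result is uploaded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream built from HMAC-SHA256 (constructed for this sketch).
    It is unauthenticated and exists only to make key ownership visible."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# "Encrypted" category: the provider generates the data key and keeps it.
def provider_store(plaintext: bytes) -> dict:
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    # The key sits in the provider's database next to the ciphertext.
    return {"key": key, "nonce": nonce, "ct": xor_stream(key, nonce, plaintext)}


def provider_recover(record: dict) -> bytes:
    """Works after any password reset, and works for the provider itself."""
    return xor_stream(record["key"], record["nonce"], record["ct"])


# "End-to-end encrypted" category: the key comes from a secret only the user knows.
def client_store(password: str, plaintext: bytes) -> dict:
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_key(password, salt)
    # Only salt, nonce and ciphertext are uploaded; the key never leaves the client.
    return {"salt": salt, "nonce": nonce, "ct": xor_stream(key, nonce, plaintext)}


def client_recover(password: str, record: dict) -> bytes:
    """Recovers only with the original password; a reset password yields garbage."""
    return xor_stream(derive_key(password, record["salt"]), record["nonce"], record["ct"])


def provider_can_read(record: dict) -> bool:
    """What someone holding the provider's database can do with a stored record."""
    return "key" in record
```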


How did those celebrities get hacked? It was my impression that they had poor passwords, or got betrayed by a friend to whom they had sent the images. If the Apple services themselves were being compromised, that's news to me.

It was also my impression that Apple claims that if you lose or damage your device, your shit is gone forever and they can't get it back (and that independent repair services can get around this by simply fixing the damaged device.)


My understanding is that Apple only stores your data in an encrypted form, and does not themselves possess the key used to encrypt that data. I remember it used to be if you forgot your password there was no way to retrieve your iCloud backups because there was no way to decrypt them. My knowledge of this is quite dated though, so I could be wrong.


That's not true for iCloud at all. It is true for iMessage (although they can push new keys to your devices to decrypt content remotely), but iCloud has no such guarantee.

They even give those keys to the Chinese government for Chinese citizens: https://www.theverge.com/2018/7/18/17587304/apple-icloud-chi...


A "database" is a tool for storing data, which is a concept that is completely orthogonal to the question of how a piece of data is encrypted or who is in possession of the decryption keys.


This comment doesn't seem to be in good faith.

> Yes, that's how databases work.

The article is arguing for end-to-end encryption, which is perfectly doable for Google. It's not a matter of "how databases work" at all, like literally not even a bit. It's a matter of what features the company has chosen to implement.

> If we use this same logic, is Apple not being private with your data?

Has Apple launched a "confidential" email mode that does not protect the ostensibly-confidential emails? Google is making privacy claims and not backing them up by actually making them private. But... No, Apple is not being that private with your data! I'd love it if Apple worked to make E2E encryption easier in iCloud mail, and they should do so.


There's a gap in the way we talk about security in the industry it seems.

On one hand, we have the tools to build cryptographically secure information systems, and on the other hand there's features that simply make most users more secure.

For example, as mentioned in the article, Gmail will allow you to send an email where the recipient can't forward it. Practically this may help protect against careless adversaries, but a motivated user can obviously copy and paste somehow.

Cryptography tends to rely on computationally hard problems, meanwhile this kind of security seems to rely on problems that are seen as cumbersome or impractical from a UX perspective.

The problem I have is masquerading "UX security" (for lack of a better term) as cryptographic security.



