In my utopian world, I'd love to see the basics of information privacy and personal security taught in schools, akin to Driver's Ed or Sex Ed classes.
1) Security has to be enforced by code
2) Your employees are reasonable, and won't try to maliciously bypass security controls
I'm firmly in camp #2. In a normal corporate setting, a locked door or a locked cabinet is security, even with a cheap, easily pickable lock.
That's all this is. And for 95% of corporate applications, that's good enough. If you have high-level executive crime, or a scandal where you killed a few people, this won't help, of course. But if you'd like to keep an upcoming merger confidential, or maintain a trade secret, or anything vaguely normal, this is more than good enough.
This also helps with email retention policies. Sometimes you want ephemeral communications you don't want a record of. This isn't necessarily malicious either; in more litigious industries, emails can be obtained through discovery and quoted out-of-context. Things like typos can get you (goodness knows I've made enough of those). Sending an email which communicates something and disappears in a week is helpful.
Corollary: unless those controls impede their ability to do their jobs. This goes into a bit of UX design thinking, where you have to structure your security controls to be minimally invasive or invisible, if not complementary to the business's operations.
>That's all this is. And for 95% of corporate applications, that's good enough. If you have high-level executive crime, or a scandal where you killed a few people, this won't help, of course. But if you'd like to keep an upcoming merger confidential, or maintain a trade secret, or anything vaguely normal, this is more than good enough.
Kind of. Partly you only get there by having a company culture where people value this sort of thing. Company cultures where everyone is out for themselves are likely to see worse compliance. But a company like Apple, which is famously secretive, is likely to do better. On the other hand, even Apple employees screw up in some pretty boneheaded ways, like that time a dude left a prototype iPhone in a bar that wound up getting sold to Gizmodo.
In fact, these records will be even more discoverable than the standard inbox dumps because they're pre-curated with messages that the senders thought were sensitive.
It appears the only point where there's an extra hoop to jump through is with an external sender. In cases where that sender is in another jurisdiction or the investigation is purely internal, the added cost will likely stop further inquiry.
I can see legal departments requesting filters to block acceptance of external messages as a result. Just takes the metadata from one confidential email a competitor sends you to make it look like you're a bad colluding boy.
> This also helps with email retention policies. Sometimes you want ephemeral communications you don't want a record of.
This IMO is a lost battle. Once "Sent" gets pressed you should assume the message is out in the wild (any retention policies only complicate experience and can be ignored/countered by clients). If you want ephemeral communication, pick up the phone or talk face to face. My 2c.
I don't know how external access works, so maybe they're doing more than they say they are, but if I don't trust my coworkers, I shouldn't trust Google either. Client-side encryption is the only acceptable solution IMO.
Gas stations have "Never more than $200 in the drawer" for a reason. Criminals knowing that is the case deters most of them and if it doesn't you are out $200 at most.
There's nothing on the page that says google will purge all copies after the deletion date. I'd imagine that because google keeps backups, it'd still be available by subpoenaing google.
If the government comes knocking with a secret subpoena, what is "reasonable"? If someone malicious breaks in to your system, does it matter that this person isn't an employee?
For "95% of corporate applications", even plain email is good enough.
2) Your employees are reasonable, and won't try to maliciously bypass security controls
Huh? These aren't competing ideas. They're orthogonal, and should be covered by separate, complementary forms of security assurance.
But if you're taking screenshots or photos of a secure e-mail because it doesn't allow you to copy the text, you know you're doing wrong.
Huh, message is going to expire? Better make a screenshot that syncs who knows where.
If they were serious, they'd create a mode that mirrors Protonmail, where they can't even read your stuff. And make it easy to use PGP.
As suggested below/above, the fact that our company Office365 Android env stops me from copy pasting text to other apps does one thing: It makes me forward certain mails to my home address.
Agreed on the forward thing. Though, fortunately I'm not currently as locked down as your android config, it would seem.
It's a relatively nifty feature for users emailing from/to Gmail only, and then likely just to match a couple of features people have come to expect when using Outlook/Exchange (or Office 365). But definitely oversold on security.
Completely agree with your last sentiment. We all assume that "kids these days" grow up well aware of these things, but my experience to date has been that new hires are disturbingly unaware of these things.
https://support.office.com/en-us/article/mark-your-email-as-...
It is in Google's interest to make GMail less and less the same as "plain mail", until you are forced (for practical reasons) to create a Gmail account to interact with other Gmail users.
Together with Amp and Chrome, eventually we will be at a point where the decentralized internet is replaced by Google's servers and software.
Yes! This should be required, beginning in primary school and extended into high school.
Concepts like authentication, encryption, man-in-the-middle attack, why authentication without encryption isn't very useful for communication, etc — this is not "technical" (I hate this word; it is used as an excuse not to think). It should be taught as part of basic education.
OTOH, circumventing a security measure means deliberately violating someone's boundaries.
For example, I communicate with my friends and partners with Signal often. We usually keep the disappearing messages setting on so that over time, our ephemeral conversations drift away. (Especially useful since even if someone is not malicious, a stolen or compromised device could leak sensitive conversations.)
I suppose someone could capture and save an embarrassing conversation. But if they did that, I would turn around and shame them for violating my boundaries, for breaking my trust, and for using that trust to bully me.
I suspect that given how the conversation on privacy has shifted, it would be viewed worse to steal someone's nudes, gripes about friends/coworkers, or jokes made in poor taste than it was to do the original communication.
Total security is impossible, but I can ensure that it will be abundantly evident you are an untrustworthy, phony, and malicious person if you circumvent access controls to leak my communications.
This is definitely a useful feature to manage sensitive documents within organisations where good faith (but not necessarily diligent policy adherence) can be assumed, but it's pitched dangerously wrong as you say.
Except that the last two don't change much while keeping pace with first is like riding a tiger. You can never get off.
The target audience for this feature are CIOs of organizations Google sells G-Suite to. Companies do need IRM on emails, to prevent leaks that could happen by accident or intentionally; to limit email audience; to avoid endless replies-to-all on announcements; to put an expiration date on the "perishable" bits of information; etc. I'm pretty positive that they have to have this to compete with Office 365, which had IRM [1] for a very long time.
Yes, it's not perfect, however, if it's there, it mitigates a lot of the issues I mentioned above. Note the wording: "mitigates", not "fixes".
It's interesting that they still list screenshots as a possibility: email clients (e.g. Outlook) are able to utilize OS mechanisms to prevent those as well. I thought that browser protected media APIs would allow Gmail opt-in to this kind of protection too.
[1]: https://docs.microsoft.com/en-us/office365/SecurityComplianc...
https://support.google.com/a/table/7539891
> Information Rights Management (IRM) for DLP
> Enable IRM enforcement as a DLP remediation action.
> In development
I encourage anyone with a Gmail account to take a look back 1, 5, 10 years. There's a lot of data there. Setting up an automated deletion policy can be a great risk mitigation feature.
It won't stop malicious insiders, but it will help make sure run of the mill compromises won't be total disasters.
Next thing you know, youtube ends up on the same list too.
"Malicious programs" such as any standards-compliant email software?
And according to Google, that's exactly how it's implemented:
https://support.google.com/mail/answer/7674059
"Malicious programs" here most likely refers to things like keyloggers.
Edit: I suppose it would be online PDF viewers etc., that allowed viewing but not downloading.
Oh please... Everybody can take a screenshot nowadays, and Google itself integrated OCR into its screenshot tool on Android a few years ago. What a waste of time to make life harder for people who must use this "security" feature!
It's not a security feature. It's to help prevent users shooting themselves in the foot.
I guess that the logic is that most people who know how to make a screenshot also know how to make a fake screenshot.
So, let's say that Mr A is not a very honest guy. Moreover, Mr A has a sensitive document that could be a liability in court. He wants to share it with Mr B. But, he does not completely trust Mr B. With this system, he can share it. If Mr B sends a screenshot to the police or a judge, it will be easier for Mr A to claim that the screenshot is fake.
That's just a guess... I hope that it was not the intent of the dev, though.
A would be better off using something like Snapchat for the confidentiality.
It is creepily dystopian that this sort of behavior is even possible.
We can no longer rely on email to be there in our archive and presented as evidence in court, but now have to worry about expiry.
In many countries an exchange of emails which represents a series of terms, restrictions, an offer, and finally acceptance can be considered a legally binding contract between parties and can be presented in court.
With expiry and email DRM we now have entered the alternative reality of such contracts written with disappearing ink.
Of course this adds a complication but it’s not completely deleting the records everywhere.
This increases the cost of access to justice so it reduces access to justice.
That said, these measures provide little guarantee of that.
Seems simple enough.
1) Mail arrives (subject intact) with text like "John Doe has sent you an email via Gmail confidential mode" and a "View Email" link
2) The link takes you to a "To view this email, you must first confirm your identity. A one-time passcode will be sent to (your email)" page.
3) Entering the separately-emailed passcode lets you see the email body in-browser. Selecting text is disabled in the body (so no copy-paste), trying to print the page blanks out the body area -- I'm sure you could bypass either with a bit of JS wizardry. Printscreen/screenshot work as expected.
It's not searchable, it can't be archived for legal purposes this way, this is a nightmare for anyone that does business with you.
It means a ton more mental overhead: "do I need to jot down the info from this email somewhere (manually?) now because at some point it's going to expire or my access is going to be revoked?".
Frustrating. It's the opposite of all the benefits of gMail search.
So even forwarding is broken, as is search for those of us that search our emails a lot.
At the very least receivers should be able to automatically reject any such email.
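The flow described a few comments up (a notification with "John Doe has sent you an email via Gmail confidential mode" and a "View Email" link, followed by a one-time passcode) and the wish that receivers could automatically reject such mail suggest a receiver-side filter. The following is an added example written for this thread; it is not Google's code and not part of any commenter's post. It assumes the notification wording quoted in that comment is what arrives on the wire (Google may change it, so treat a match as a signal to quarantine or bounce, not a guarantee), and both sample messages are constructed, with a placeholder link rather than a real Google URL.

```python
"""Receiver-side filter that flags Gmail confidential-mode notifications.

Added example, not Google's code. The phrases matched below are taken from
the description of the notification in the thread above and are assumed;
adjust them if the real wording differs.
"""
import re
from email import message_from_bytes
from email.policy import default

# Heuristics (assumed wording): the notice body names the sender and says it was
# sent "via Gmail confidential mode", and carries a "View Email" call to action.
NOTICE_RE = re.compile(r"has sent you an email via Gmail confidential mode", re.I)
VIEW_LINK_RE = re.compile(r"\bview\s+(?:the\s+)?email\b", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def _text_parts(msg):
    """Yield the decoded text of every text/* part, plain or HTML."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips the multipart container and any attachments
        try:
            yield part.get_content()
        except (LookupError, UnicodeDecodeError):
            continue  # unknown charset or bad bytes: ignore that part


def is_confidential_mode_notice(raw: bytes) -> bool:
    """True when the message looks like a confidential-mode placeholder.

    Both signals are required so ordinary mail that merely mentions
    "view the email" is not rejected.
    """
    msg = message_from_bytes(raw, policy=default)
    text = "\n".join(_text_parts(msg))
    text = TAG_RE.sub(" ", text)  # let the HTML alternative match like plain text
    return bool(NOTICE_RE.search(text) and VIEW_LINK_RE.search(text))


def filter_action(raw: bytes) -> str:
    """Policy hook for an MTA/MDA: 'reject' a notice, 'accept' anything else."""
    return "reject" if is_confidential_mode_notice(raw) else "accept"


# Constructed sample modelled on the description in the thread (not a capture).
SAMPLE_NOTICE = b"""\
From: John Doe <john.doe@example.com>
To: recipient@example.org
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

John Doe has sent you an email via Gmail confidential mode.
View Email: https://example.invalid/view (placeholder link)

--sep
Content-Type: text/html; charset="utf-8"

<html><body><p>John Doe has sent you an email via Gmail confidential mode.</p>
<a href="https://example.invalid/view">View Email</a></body></html>
--sep--
"""

# Constructed ordinary message; mentions "view the email" but is not a notice.
SAMPLE_NORMAL = b"""\
From: alice@example.com
To: bob@example.org
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Can you view the email thread from Monday before lunch?
"""

if __name__ == "__main__":
    for name, raw in (("notice", SAMPLE_NOTICE), ("normal", SAMPLE_NORMAL)):
        print(name, filter_action(raw))
```

Wiring `filter_action` into a milter or a Sieve/procmail stage lets a recipient bounce these placeholders with a message asking the sender to resend as ordinary mail, which addresses the archiving and search complaints in this thread without touching the sender's Gmail settings.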
This definition isn't perfect but it should be enough for you to understand the intent.
https://variety.com/2017/digital/news/google-gmail-ads-email...
Beyond obvious lock-in "Gmail Confidential Mode" tells users SMS is secure (it isn't), teaches users they can prevent message printing (they can't), and teaches users to open links in emails from strangers to then put in their Google credentials to view the message!
Was anyone on the Google Security team given a chance to look at this before it got shoved out there? I know there are people at Google smarter than this.
This is a massive setback in educating users about actually useful security measures.
First, none of the envelope can be encrypted, sorry -- that's routing information, and it must be visible to all involved MTAs. The communications between MTAs can be encrypted with TLS, but the MTAs get to see the envelope.
Second, end-to-end key management is an O(N^2) problem unless you have introducers. Who shall be your introducers?
If the introduction problem was trivial to solve, we'd all be using PGP/whatever now. But it's not trivial at all.
Besides that, it's nice to have IMAP/whatever be able to search your e-mail. Which means your e-mail servers need to be able to see your e-mail. You can give up on this if you have your devices decrypt and index your e-mail. This is the only part of the problem that is "easy" -- and you can even encrypt e-mail as it comes in when it's not already encrypted.
If the person has the key, they can decrypt it.
This is akin to DRM and just like DRM it will be ineffective - if I can see it, I can forward it, copy it, and print it, and do whatever I want with it. Users are being led to believe that they can enforce these sorts of controls over email but they can't.
[1] https://web.archive.org/web/20130115034301/http://americansh...
At my new job I am using Gmail via G Suite for the first time and I didn't know how antiquated Gmail is. Lots of missing features and a rather confusing UI.
But adding more security options and giving users control is good.
Still think disclaimers about the limits (in the UI, not just the blog post) have to be stronger. It could help avoid accidental leakage and communicate your intent to keep the contents confidential, but it's absolutely no use against someone hostile. I feel like the name should be more like "mark as confidential" or something, to clearly get across that it's a strong suggestion but has no hard enforcement behind it.
Me: So, what do you think about Google's Confidential Mode settings? Are you going to use it in your company?
Friend: It is one of the topics heavily debated right now. Especially by our management.
Me: Is that so? Why?
Friend: Lots of legal implications that need to be addressed.
Me: How about you? What's your take?
Friend: Well, for a start, given Google's history of surveillance, this type of enhancement only gives them more power and capability to focus on information that is deemed sensitive by an individual or an organization.
Me: You think so?
Friend: Absolutely. Imagine if this person sends out approximately 100 emails in a day, and marks 5 of them as sensitive or confidential or whatever terms you would like. Google can then sequence the emails to track based on the confidentiality that was set forth on it.
Me: Never thought of things in that perspective.
Friend: Yes. Further to that, they could then add more focus on confidential emails which would have a very specific expiry dates. This becomes more specific to their focus, where they can direct their resources specifically on this.
Me: (Intently listening)....
Friend: It's like this. Assume you have boxes in your house. Each box contains different stuff. Some box may contain your cash, or jewelry, or any other important stuff. Now, you have a burglar going inside your house. With 100 boxes, they would certainly only spend a limited amount of time rummaging through the boxes. If they can only open 5 boxes, with the possibility of those boxes containing nothing but garbage, then the burglars are not successful in getting your prized stuff. Now imagine having those boxes labeled with stuff like 'MONEY', 'JEWELRY', 'CONFIDENTIAL', 'IMPORTANT TO DISPOSE BY DATE YYYY-MM-DD', etc. Doesn't that give the burglar an easier way to run through the boxes? This eliminates wasting time on boxes that may have no importance at all.
Me: That is certainly a possibility if you would think of it.
Even though such a scenario may be far-fetched from a corporate (Google for Business) standpoint, it is still worthy of a discussion. IMHO.
Presumably it's only working within a G Suite organisation (equivalent to aspects of similar features in Exchange)
An enterprise feature that doesn't work with Outlook might as well not exist.