Why Gmail’s new “confidential mode” is not so great for privacy, and potentially awful for the open Web

Posted on Jul 28, 2018 by Glyn Moody

Gmail is used by well over a billion people worldwide, making it one of the most important online services. Google has recently started rolling out a new design that includes novel features. One of the most interesting of these is the so-called “confidential mode”. At first sight, that sounds like good news for privacy:

“With confidential mode, it’s possible to protect sensitive content in your emails by creating expiration dates or revoking previously sent messages. Because you can require additional authentication via text message to view an email, it’s also possible to protect data even if a recipient’s email account has been hijacked while the message is active.

You can also deny recipients the ability to forward, copy, download or print messages. Those are attractive options for people sending and receiving sensitive information. Trying to provide them in Gmail is a worthwhile endeavor. But there are a number of serious problems with Google’s implementation.

For example, although expired emails are no longer visible to the recipient, they remain in the Sent folder of the originator. This means traces of the correspondence still linger, which may not be what people expect from an email that has expired. Similarly, copies of expired emails are retained by Google on its servers for some time, although the company won’t say for how long. As a result, the authorities could presumably demand copies provided they obtained suitable judicial authorization. Again, this may come as a nasty surprise to some people who believed their emails had disappeared completely, and their privacy was protected.

Arguably even more problematic is the fact that it is relatively easy to circumvent the special features of confidential mode, such as preventing recipients from forwarding, copying, downloading or printing messages. All of those can be carried out by taking advantage of the “analog hole” – the fact that an email has to be visible in order to be available to its recipient. This means that taking a screenshot, or even using a smartphone camera, is enough to preserve all the details of the email, albeit in a slightly inconvenient form. There are also more sophisticated ways of avoiding the constraints of the confidential mode. The researcher Andrew J. Simmons discovered that by ticking a few boxes in the Style Editor tab of the Firefox Web Console he could turn off Gmail’s new limits.

Alongside weak technical protections, there are some serious legal issues. Confidential mode is not so much a secure messaging option as a DRM system for email. As such, it is covered by the anti-circumvention provisions of the Digital Millennium Copyright Act in the US, and the 2001 Copyright Directive in the EU. The punishments for circumventing DRM under these laws are harsh. Cory Doctorow explains on Boing Boing:

Google could invoke the Digital Millennium Copyright Act’s Section 1201, which prohibits “circumvention of access controls” and makes their trafficking a felony punishable by five years in prison and a $500,000 fine (for a first offense!), wielding it as a club to force Mozilla to remove features from Firefox to match [Google’s] Chrome — they could also use this weapon to shut down free/open source software patches that restored the functionality to Chromium (the free/open Chrome) and Firefox.

As Doctorow rightly points out, if it wished, Google could use the DMCA to threaten Mozilla with serious legal problems unless it removed the ability of Firefox to circumvent the controls of Gmail’s new confidential mode. It’s difficult to see how the US-based Mozilla could risk ignoring that threat, which means it could be forced to hobble Firefox in order to comply. However, Google might be loath to be seen bullying Mozilla. It has generally tried to present itself as a friend and supporter of free software. Undermining Firefox in this way would be a public relations disaster.

There is an alternative approach, which in many respects is even worse. For Google, it would have the virtue of not putting pressure on Mozilla, or on any free software coders who might write patches to get around changes to Firefox introduced by Mozilla to comply with court orders.

It would involve Google building on an extremely unwise decision taken by Mozilla a few years ago to implement a W3C standard called Encrypted Media Extensions (EME). EME is designed to allow DRM to be built into the Web in a standard way – hardly something that an organization like Mozilla should be supporting. Although it was introduced with video streaming in mind, there is nothing to stop it being applied to Web pages – and thus to Web-based email systems like Gmail. If Google adopted it to lock down email messages, then even Firefox would be unable to circumvent the protection, because it contains code obliging it to implement EME’s DRM (although the analog hole would always be there).

This possibility shows why supporting EME was such a misguided move on Mozilla’s part. It would mean that users of what is nominally open source software would no longer have complete control over Firefox, since they would be unable to circumvent an EME-based confidential mode in Gmail. It would therefore undermine the fundamental premise of free software, which is freedom to do as you wish with your own system.

The ramifications could be even more serious. No one so far has used or even proposed using an EME approach to apply DRM to Web pages. Supporters of EME assured opponents that it was a step too far that would never happen. However, if Google decided to take this route to avoid threatening to use the DMCA against Mozilla, it would set a precedent. Other companies are currently reluctant to be the first to apply EME technology to ordinary Web pages. They doubtless wish to avoid the massive backlash that would greet such a move to turn the Web into a read-only medium. Using Google as cover, they could claim they were simply following in its footsteps, and not themselves adding DRM to the hitherto open Internet.

Although the above analysis is hypothetical, it shows how moves that apparently enhance privacy by protecting sensitive information in emails could have serious negative consequences for both open source and the open Internet. What makes things worse is that even if Google decided to take the EME route, it would still not prevent people from circumventing the confidential mode’s security features, thanks to the ever-present analog hole. In other words, there would be considerable collateral damage for very little real gain.

Featured image by Quan Ha.