by drglitch 2646 days ago
I feel that many of these pseudo-secure, proprietary enhancements to email create a false sense of security for non-tech-savvy users. Given the smoke-and-mirrors presentation of this as a way to "secure your email(tm)" and the plethora of recent info leaks, I am sure some poor C-level exec will get caught inadvertently sharing something with an external recipient thinking that it will disappear in a few days, but then find themselves in the middle of a publicity nightmare.

In my utopia world, I'd love to see the basics of information privacy and personal security be taught in schools akin to Driver's Ed or Sex Ed classes.


There are two schools of thought:

1) Security has to be enforced by code

2) Your employees are reasonable, and won't try to maliciously bypass security controls

I'm firmly in camp #2. In a normal corporate setting, a locked door or a locked cabinet is security, even with a cheap, easily pickable lock.

That's all this is. And for 95% of corporate applications, that's good enough. If you have high-level executive crime, or a scandal where you killed a few people, this won't help, of course. But if you'd like to keep an upcoming merger confidential, or maintain a trade secret, or anything vaguely normal, this is more than good enough.

This also helps with email retention policies. Sometimes you want ephemeral communications you don't want a record of. This isn't necessarily malicious either; in more litigious industries, emails can be obtained through discovery and quoted out-of-context. Things like typos can get you (goodness knows I've made enough of those). Sending an email which communicates something and disappears in a week is helpful.

> 2) Your employees are reasonable, and won't try to maliciously bypass security controls

Corollary: unless those controls impede their ability to do their jobs. This goes into a bit of UX design thinking, where you have to structure your security controls to be minimally invasive or invisible, if not complementary to the business' operations.

>That's all this is. And for 95% of corporate applications, that's good enough. If you have high-level executive crime, or a scandal where you killed a few people, this won't help, of course. But if you'd like to keep an upcoming merger confidential, or maintain a trade secret, or anything vaguely normal, this is more than good enough.

Kind of. Partly you only get there by having a company culture where people value this sort of thing. Company cultures where everyone is out for themselves are likely to see worse compliance. But a company like Apple, which is famously secretive, is likely to do better. On the other hand, even Apple employees screw up in some pretty boneheaded ways, like that time a dude left a prototype iPhone in a bar that wound up getting sold to Gizmodo.

No, these records will remain discoverable through Vault, unless I'm reading things wrong.

In fact, these records will be even more discoverable than the standard inbox dumps because they're pre-curated with messages that the senders thought were sensitive.

It appears the only point where there's an extra hoop to jump through is with an external sender. In cases where that sender is in another jurisdiction or the investigation is purely internal, the added cost will likely stop further inquiry.

I can see legal departments requesting filters to block acceptance of external messages as a result. Just takes the metadata from one confidential email a competitor sends you to make it look like you're a bad colluding boy.

Agreed, this almost seems geared towards enhancing spying in that sense.

I agree with your stance -- in the vast majority of corporate settings, trying to enforce security with code tends to cause more problems than it solves. It alienates users and makes them skip sanity checks and use loopholes (whatever is allowed by the security must be OK to use). Informing users of the policy and providing tools for them to voluntarily check compliance when needed works much better.

> This also helps with email retention policies. Sometimes you want ephemeral communications you don't want a record of.

This IMO is a lost battle. Once "Sent" gets pressed you should assume the message is out in the wild (any retention policies only complicate experience and can be ignored/countered by clients). If you want ephemeral communication, pick up the phone or talk face to face. My 2c.

That only works for internal communications. Once it leaves Google's servers, you lose all control. I don't know the specifics here, but the only ways to guarantee that an email server somewhere isn't caching your emails (and I don't trust Google to not cache them either) is to either encrypt them (GPG) or require hitting your server to read the email (potentially what Google is doing), and that doesn't prevent the user from copying it (but at least you can know _who_ copied it or let it be copied).

I don't know how external access works, so maybe they're doing more than they say they are, but I don't trust my coworkers, I shouldn't trust Google either. Client-side encryption is the only acceptable solution IMO.

Pretty much anything that can be consumed (read, viewed, listened to) by a person can be recorded and retransmitted in some form. This has always been true to a certain degree of course. With everyone carrying around a recording device almost everywhere, it's even truer today.

Sneaking a photo of a screen used to at least require a certain premeditation that was spy movie stuff. Today, it's casually pulling a smartphone out of a pocket.

If anyone can see or hear somewhere, barring the seeing or hearing being confined to a secure environment it can be easily and casually recorded.

I think this is only for internal communications. They were talking about this feature being "enabled by your GSuite domain administrator." Presumably it only works for email sent between members of the affected domain (though I'm not sure why they'd fail to mention that.)

No. It does, definitely, work with external recipients.

Source: am googler, have used.

How? If you send an email with this on to me@protonmail.com and I download the message to my IMAP client, how does Google magically reach out and delete it from my hard drive? Is the email HTML-only, so that it only displays the text when the user is online and that text is fetched from the Google server? Let us say it is and I view the email; how does Google stop me from cutting and pasting that email using my Thunderbird, et al. IMAP client?

You view the message on a Google server through a browser. The message body is never actually sent to the recipient's address.

"When someone sends a confidential mode message, Gmail removes the message body and any attachments from the recipient's copy of the message. These are replaced with a link to the content. Gmail clients make the linked content appear as if it's part of the message. Third-party mail clients display a link in place of the content."

From https://support.google.com/a/answer/7684332
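As an added illustration of the mechanism quoted above, the following Python simulates the three parties involved: the sender's original MIME message, the provider that keeps the body and hands out a link, and a third-party IMAP client that stores only what was actually delivered. This is example code written for this page, not Google's implementation; the viewer URL, the token scheme, the recipient check and the expiry logic are all assumptions. It also shows the two points raised elsewhere in the thread: the provider, not the recipient, holds the plaintext, and every open is logged against the viewer's address.

```python
import secrets
from email import message_from_string
from email.message import EmailMessage

# Hypothetical viewer endpoint, constructed for this example only.
VIEWER_BASE = "https://mail.example.test/confidential/"


class ConfidentialStore:
    """Stand-in for the mail provider: keeps the real content, issues links."""

    def __init__(self):
        self._items = {}      # token -> stored body, attachments, expiry, allowed viewers
        self.access_log = []  # (token, viewer, outcome): the provider's audit trail

    def send(self, original, ttl_seconds, now):
        """Return the recipient's copy: same headers, body/attachments replaced by a link."""
        token = secrets.token_urlsafe(16)
        self._items[token] = {
            "body": original.get_body(preferencelist=("plain",)).get_content(),
            "attachments": [(p.get_filename(), p.get_payload(decode=True))
                            for p in original.iter_attachments()],
            "expires": now + ttl_seconds,
            "viewers": {a.strip().lower() for a in str(original["To"]).split(",")},
        }
        stub = EmailMessage()
        for header in ("From", "To", "Subject"):
            stub[header] = str(original[header])
        stub.set_content("This message was sent with confidential mode.\n"
                         f"Open it here: {VIEWER_BASE}{token}\n")
        return stub

    def view(self, link, viewer, now):
        """Server-side fetch: enforces expiry and recipient, logs every attempt."""
        token = link.rsplit("/", 1)[-1]
        item = self._items.get(token)
        if item is None or now >= item["expires"]:
            self.access_log.append((token, viewer, "expired"))
            return None
        if viewer.lower() not in item["viewers"]:
            self.access_log.append((token, viewer, "denied"))
            return None
        self.access_log.append((token, viewer, "viewed"))
        return item["body"], item["attachments"]


def extract_link(raw_rfc822):
    """What a third-party IMAP client has on disk: headers plus a URL, nothing else."""
    msg = message_from_string(raw_rfc822)
    for line in msg.get_payload(decode=True).decode().splitlines():
        if line.startswith("Open it here: "):
            return line.split(": ", 1)[1]
    raise ValueError("no viewer link in message")


def demo():
    """Constructed sample run: sender -> provider -> recipient's IMAP client -> viewer."""
    original = EmailMessage()
    original["From"] = "alice@corp.example"
    original["To"] = "bob@protonmail.test"
    original["Subject"] = "Merger update"
    original.set_content("Board meets Thursday. Do not forward.")
    original.add_attachment(b"%PDF-1.4 fake", maintype="application",
                            subtype="pdf", filename="timeline.pdf")

    provider = ConfidentialStore()
    t0 = 1_000_000.0
    delivered = provider.send(original, ttl_seconds=7 * 24 * 3600, now=t0)
    raw = delivered.as_string()  # the bytes that cross SMTP and land in the IMAP store
    link = extract_link(raw)

    return {
        "body_leaked_in_transit": "Board meets" in raw,
        "attachment_leaked_in_transit": "timeline.pdf" in raw,
        "bob_before_expiry": provider.view(link, "bob@protonmail.test", now=t0 + 60),
        "eve_before_expiry": provider.view(link, "eve@example.test", now=t0 + 60),
        "bob_after_expiry": provider.view(link, "bob@protonmail.test",
                                          now=t0 + 8 * 24 * 3600),
        "access_log": provider.access_log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The recipient's mailbox never contains the body or the attachment, which is why a Thunderbird or IMAP download cannot be "deleted later": there was nothing there to delete. Everything the feature enforces (expiry, who may open it) lives on the provider's side, so it is an access-control and audit feature rather than confidentiality against the provider, and nothing in it stops the legitimate viewer from copying what the browser renders.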

What happens if domains have conflicting policies set?

Does that mean I then can't use a native mail client?

Camp #2 is naive and dangerous thinking if your company protects anything of value. Even if every employee is honest today, one of them can be extorted tomorrow. If you allow your employees easy access to substantial value without hard technical controls to enforce accountability then you are creating a situation where someone has reason to threaten or harm your employees.

Gas stations have "Never more than $200 in the drawer" for a reason. Criminals knowing that is the case deters most of them and if it doesn't you are out $200 at most.

As an information security analyst for an organization that deals with highly valuable info assets, I agree. The comment you replied to sounded like how employees argue for less security. They don't understand the scope or environment of information security.

95% isn't nearly secure enough. You're actually looking for the one malicious agent among thousands. If you conduct contracting bids, you have to realize that at any moment your employees can be offered incentive to leak, and their leaks will cost millions of dollars.

So when we apply our strict need to know policies and data transfer tracking, it's not about trusting individual employees. It's about finding a needle in a haystack.

>Sending an email which communicates something and disappears in a week is helpful.

There's nothing on the page that says google will purge all copies after the deletion date. I'd imagine that because google keeps backups, it'd still be available by subpoenaing google.

It explicitly said yes:

> Additionally, if your users send or receive messages in Gmail confidential mode, Vault will retain, preserve, search and export confidential mode messages. The message body of received messages will be accessible in Vault only if the sender of the message is from within your organization. Learn more about how Vault works for confidential mode messages here.

I would not read that to imply that the message is not available for discovery. Legal pressure is legal pressure, and data is very hard to delete.

I would read that as explicitly available.

Yep - It's a good and useful feature. But it's very poorly pitched. Calling it 'retention management' or something would have made it sound like the boring administrative management tool it is, rather than a magic self-destruct button.

Corporations and governments have shown remarkable fickleness when it comes to definitions of words like "reasonable" or "malicious". Everyone thinks they themselves are reasonable.

If the government comes knocking with a secret subpoena, what is "reasonable"? If someone malicious breaks in to your system, does it matter that this person isn't an employee?

For "95% of corporate applications", even plain email is good enough.

> There are two schools of thought: 1) Security has to be enforced by code

> 2) Your employees are reasonable, and won't try to maliciously bypass security controls

Huh? These aren't competing ideas. They're orthogonal, and should be covered by separate, complementary forms of security assurance.

Exactly. You might just forward an e-mail to someone with an action without thinking of the e-mail chain below.

But if you're taking screenshots or photos of a secure e-mail because it doesn't allow you to copy the text, you know you're doing wrong.

I’m not so sure.

I can easily imagine this system "training" users to take screenshots, especially if their correspondents are a little too eager to use this feature. It would only take a few rounds of "I sent you this"/"No you didn't" with the boss, or the computer "eating" important documents.

Now you’ve normalized this deviance and emails are now spread all over creation (including personal devices) and in a much less searchable format....

> But if you're taking screenshots or photos of a secure e-mail because it doesn't allow you to copy the text, you know you're doing wrong.

Plenty of office workers use screenshots to copy and paste text into emails, etc., just because, so unless you first break them of this habit, using screenshots to copy secure email isn't really much of a signal of awareness of wrongness.

Huh? Can't print this email? Let me forward to my non-secure other address.

Huh, message is going to expire? Better make a screenshot that syncs who knows where.

If they were serious, they'd create a mode that mirrors Protonmail, where they can't even read your stuff. And make it easy to use PGP.

As suggested below/above, the fact that our company Office365 Android env stops me from copy pasting text to other apps does one thing: It makes me forward certain mails to my home address.

I'm curious how they prevent printing.. is it a custom chrome configuration, and they only allow viewing in chrome? Even then... Copy/Paste, F12, copy/paste, etc.

Agreed on the forward thing. Though, fortunately I'm not currently as locked down as your android config, it would seem.

It's a relatively nifty feature for users emailing from/to Gmail only, and then likely just to match a couple of features people have come to expect when using Outlook/Exchange (or Office 365). But definitely oversold on security.

I think it would be easy with standard CSS: @media print { * { display: none; } } Yes, it's circumventable, but they're going for accidental leaks, not intentional.

In real life, most of the corporate leaks are accidental. Disappearing messages, and sharing/printing restrictions can perfectly augment employee training, reminding them that some things require a more careful touch, and reduce the chance of making a thoughtless mistake. Sure, making email e2e-encrypted is a good thing, but a completely different one.

How long before someone makes a Chrome browser plugin that will automatically screenshot and download any message flagged in this manner?

Completely agree with your last sentiment. We all assume that "kids these days" grow up well aware of these things, but my experience to date has been that new hires are disturbingly unaware of these things.

On that note, I wonder if Firefox's new screenshot utility has an API for extensions...

The "kids are tech savvy these days" narrative seems pretty ridiculous once you consider the fact that most of them have never so much as manually installed a piece of software that didn't involve an "app store" on a touchscreen device.

This 1000x

They don't know computers any more than they know toasters. They push a button and get a result. If not, reboot it and push the button again.

This is nothing more than a "me-too" feature to stack up one more checkbox in the Gmail vs Exchange sales pitch:

https://support.office.com/en-us/article/mark-your-email-as-...

I imagine they will show confidential emails to other gmail users inline, but make a link for non gmail users.

It is in Google's interest to make GMail less and less the same as "plain mail", until you are forced (for practical reasons) to create a Gmail account to interact with other Gmail users.

Together with Amp and Chrome, eventually we will be at a point where the decentralized internet is replaced by Google's servers and software.

Embrace, Extend, Extinguish.

> In my utopia world, i'd love to see basics of information privacy and personal security be taught in schools

Yes! This should be required, beginning in primary school and extended into high school.

Concepts like authentication, encryption, man-in-the-middle attack, why authentication without encryption isn't very useful for communication, etc — this is not "technical" (I hate this word; it is used as an excuse not to think). It should be taught as part of basic education.

In a world where basic civics, economics, and other life skills are not pervasively and effectively taught (at least in the US), I doubt our ability to teach this more complex and somewhat less obviously relevant content.

>I feel that many of these pseudo-secure, proprietary enhancements to email create a false sense of security for non-tech-savvy users.

OTOH, circumventing a security measure means deliberately violating someone's boundaries.

For example, I communicate with my friends and partners with Signal often. We usually keep the disappearing messages setting on so that over time, our ephemeral conversations drift away. (Especially useful since even if someone is not malicious, a stolen or compromised device could leak sensitive conversations).

I suppose someone could capture and save an embarrassing conversation. But if they did that, I would turn around and shame them - for violating my boundaries, for breaking my trust, and using that trust to bully me.

I suspect that given how the conversation on privacy has shifted, it would be viewed worse to steal someone's nudes, gripes about friends/coworkers, or jokes made in poor taste than it was to do the original communication.

Total security is impossible, but I can ensure that it will be abundantly evident you are an untrustworthy, phony, and malicious person if you circumvent access controls to leak my communications.

If it makes you feel better, I had a "security online" course in middle school and high school, but had no Driver's Ed or Sex Ed at all, from primary to high school to college :) Serbia is the country.

It's disappointing that the article doesn't lead with this limitation. We (and everybody who's used Snapchat) know that self-deleting messages aren't truly possible, but there's no reason everybody should.

This is definitely a useful feature to manage sensitive documents within organisations where good faith (but not necessarily diligent policy adherence) can be assumed, but it's pitched dangerously wrong as you say.

I thought 'secure' here is misleading. The feature here actually sounds more like an accident-prevention tool to keep your coworkers from accidentally forwarding / sharing the contents with someone they should not go to. And it does not provide any sense of 'security' at all. Thinking it is 'secure' actually opens up a big security loophole instead of providing any extra security to you.

This feature isn't about security. Email is already pretty secure with TLS and DKIM. This is basically the equivalent of the "DO NOT FORWARD" header people use for internal-only information but with a little more UX polish.

I think what the parent is saying is that they feel this DO NOT FORWARD header feature is being presented as a security feature. I probably agree.

This is an algorithmically enforced one, though.

But anyone can screenshot the message or take a photo of it. The point is that it's not actually enforced.

Anyone can screenshot or take a photo of any decrypted message. The question is when the email leaves Google's servers and whether you can trust Google with that same document.

Personally, if I had a message where I would consider a tool like this, I would just encrypt it on the client with PGP or something.

> Anyone can screenshot or take a photo of any decrypted message.

Yes, but ordinary decrypted messages don't claim to have superpowers like self-destructing.

The person I replied to wrote that this was "algorithmically enforced". I'm just pointing out that this is incorrect.

As long as it doesn't leave Gmail.

I believe Gmail already has that feature for corporate GSuite - greying out the forward button or something like that. Could be wrong. I know for sure Outlook has it.

IT admins just want what they want and you can't change their minds. Eventually GSuite will sprout every dumb feature all of its competitors and predecessors ever offered.

> In my utopia world, i'd love to see basics of information privacy and personal security be taught in schools akin to Driver's Ed or Sex Ed classes.

Except that the last two don't change much while keeping pace with first is like riding a tiger. You can never get off.

It's not "pseudo", it is a tool to reduce the risk of accidental leaks, and to enforce discipline. Used in the right context it increases security. However, I agree that it's proprietary, and it would be better to have such things in an RFC.

Sex ed is not the best example as it is a political hot potato in many places where the right want to limit sex ed and the left want to expand it.

If the upshot of the class is anything other than "we don't yet know how to make software secure or private", it's a drama class.

"A lock only keeps honest people out" is ancient wisdom and this is not a new debate.