Gmail confidential mode offers privacy controls intended to give users more say over what happens to the information they send by email. The feature depends entirely on the sender choosing the right options for each message, however, and some of its controls, such as SMS verification, add friction for the recipient.
Gmail's confidential mode is designed to give users greater control over sensitive information sent through email. Google's administrator help describes it this way: “With Gmail confidential mode, your users can help protect sensitive information from unauthorized or accidental sharing. Confidential mode messages don't have options to forward, copy, print, or download messages or attachments.”
In practice, recipients of a confidential mode message do not get the options to forward, copy, or print it, or to download its attachments. The sender can also set an expiration date, after which the recipient loses access, and can manually revoke access at any time before then. Optionally, the sender can require the recipient to enter a verification code sent by SMS before the message will open.
These restrictions are enforced by the Gmail interface, not by encrypting the message so that only an authorized reader can use it. Gmail removes the forward, copy, download, and print options, but it cannot stop a recipient from taking a screenshot or photographing the screen with a phone. The information is therefore not truly protected from redistribution: it can be shared just as easily as a photo attachment.
If the sender enables SMS verification, the recipient must receive and enter a code before the message opens. That extra step is a problem whenever the recipient does not have their phone at hand. It is also a barrier for elderly recipients or anyone unfamiliar with switching between devices to read an email, who may simply ignore the message.
Once the message reaches its expiration date, the recipient loses access to it entirely. This is meant to limit exposure, but it frustrates recipients who still need to refer to the message or its attachments after the expiry.
Every one of these protections, the expiration date, revocation, and the SMS passcode, is a manual setting the sender must apply to each message, so human error is built in. Staff might forget to enable confidential mode, apply it inconsistently, or misunderstand what it does and does not protect. Without training and ongoing monitoring, the feature fails at its central purpose of protecting sensitive information.
A free Gmail account, including its confidential mode, is not HIPAA compliant on its own. Google offers free accounts to anyone, but organizations that need compliance must use a paid Google Workspace edition, since that is what makes a business associate agreement (BAA) with Google available. Even once an organization has a BAA in place and its accounts configured for compliance, confidential mode still carries the limitations described above.
As discussed in the limitations section of this article, confidential mode puts security in the hands of staff. Given the many factors that affect whether a staff member selects the correct options on every single email, the chance of a mistake grows with each message sent. In a healthcare setting, where the room for error is narrow, that makes an avoidable data breach a real possibility.
Paubox, on the other hand, is a HIPAA compliant email service that automatically encrypts every email an organization sends, with no additional steps or per-message settings. On its Email Suite product page, Paubox states, “We'll encrypt every email you send so you don't have to worry about HIPAA compliance. Our patented solution ensures HIPAA compliant delivery even if your recipient's email has an outdated email platform.”
Because there is no per-message decision to make, the user error that confidential mode invites does not arise. The service also integrates with Google Workspace and Microsoft Outlook without requiring additional logins or services, so organizations keep their existing, familiar email accounts while every email they send is protected.
While Gmail confidential mode offers basic protections, it relies heavily on manual input, which is not realistic for organizations that send a high volume of email every day. Add the fact that several staff members may use the same accounts, and the potential for human error makes it far too risky to depend on in healthcare settings.
HIPAA, the Health Insurance Portability and Accountability Act, is a US federal law that protects the privacy and security of individuals' medical information.
A business associate agreement (BAA) is a contract between a healthcare organization and a third party that handles protected health information on its behalf.
Any third party service that handles, transmits, or processes protected health information on behalf of a healthcare organization must sign a BAA.
HIPAA compliant email is not limited to healthcare; it can be useful in any sector that requires secure communication.