Gmail confidential mode is not secure or private

Without end-to-end encryption, Gmail confidential mode is little more than a marketing strategy. Learn why privacy experts call Google’s privacy features “misleading.”

When we launched ProtonMail nearly five years ago, we pioneered a new kind of email service: one that gives you control of your own data. All emails are end-to-end encrypted and zero-access encrypted, meaning not even we can read them. We also offer the ability to set expiring emails, which self-destruct after a period of time chosen by the sender.

Several years later, Google tried to integrate some of these same features into Gmail with “confidential mode.” Even though Google launched confidential mode over a year ago, people are still confused about what it does. Is it actually secure or private? Is it encrypted? When you turn it on, does it prevent Google from reading your messages? The answer to these questions is ‘no.’ In fact, the decision to call it “confidential” suggests a level of security and privacy that doesn’t exist in Gmail confidential mode.

Gmail’s confidential mode does not mean your messages are end-to-end encrypted. Google can still read them. Expiring messages aren’t erased for good, and the recipient can always take a screenshot of your message. Let’s take a closer look at how confidential mode works and why it isn’t so confidential after all.

What does Gmail’s confidential mode do?

Gmail unveiled confidential mode in April 2018 with its last major inbox redesign. The feature lets users optionally activate confidential mode from within the composer.

When you turn on confidential mode, a panel appears which gives you two options. The first lets you choose when you want the email to expire so that the recipient can no longer read it (you can also revoke access to sent mail at any time). A second option allows you to require the recipient to enter a passcode to access the message. Google generates the passcode and sends it to the recipient’s phone via SMS, so you need to know your recipient’s phone number. Additionally, emails sent in confidential mode cannot be forwarded, copied, downloaded, or printed.

The problems with confidential mode

Gmail’s confidential mode does not make emails private because Google can always read them. When you send an email with confidential mode turned on, Google keeps the email contents on its servers. If you send a confidential email to other Gmail users, they can read the email in their inbox, but emails to outside users contain only a notification that a sender “has sent you an email via Gmail confidential mode” along with a link to a page on (This is similar to ProtonMail’s encrypt to outside feature.)

Once the email expires, it is no longer accessible to the recipient. But the message remains in the sender’s sent folder, which Google can also read. This is not an expiring email. It can still be accessed by Google and potentially exposed to governments or hackers. As the Electronic Frontier Foundation pointed out, “Because messages sent with Confidential Mode are still retrievable—by the sender and by Google—after the ‘expiration date,’ we think that calling them expired is misleading.”

The passcode option is a further privacy invasion. If you choose to set a passcode for your recipient, you must turn over their private phone number to Google. If you are sending a message to a Gmail user, Google likely already knows their phone number from reading their emails or from other Google products. But if you send a passcode-protected email to a non-Google user, you have just allowed the company to link that individual’s phone number to their email address as well as whatever sensitive information is in your message. This is an effective way for Google to gather information about people who have likely refused to use its service precisely to avoid such data collection. It also means Google knows quite a bit about your supposedly confidential email.

The other supposed security benefit of confidential mode is the inability of the recipient to forward, copy, download, or print the email. “This helps reduce the risk of confidential information being accidentally shared with the wrong people,” Google says. While it’s true this may reduce the risk of accidental data exposure, it is not real security. The recipient can simply take a screenshot of the email. “I was able to easily make a screenshot and paste it into a new email and send it to a friend,” wrote one reviewer for Inc. “It takes about 10 seconds. Anyone who uses MS Paint can figure it out.”

How ProtonMail is different from Gmail confidential mode

When you send an email from your ProtonMail email address to another ProtonMail user, the message is encrypted on your device using the public key of your recipient. This happens automatically, every time. When you hit send, the email travels to your recipient in encrypted form. The recipient then decrypts the message with their corresponding private key.

Because we do not have access to the recipient’s private key, we are never able to read the message. We do have access to metadata, like the email addresses, timestamp, and subject line. (It’s a bit like locking a vault with your friend’s key and then mailing it to them. You can read a full explanation of how end-to-end encryption works.)

ProtonMail also lets you send end-to-end encrypted emails to non-ProtonMail accounts (such as your friends and family on Gmail, to prevent Google from reading your messages to them). Similar to Gmail confidential mode, this works by using a passcode as well. The difference is that with ProtonMail, you can choose the password yourself and communicate it to your recipient however you’d like. Moreover, the message is end-to-end encrypted, and we cannot read it.

Finally, ProtonMail also offers the ability to send expiring emails, except in our case, the emails really do disappear after the expiration time. This works both for emails sent to other ProtonMail users and to non-ProtonMail addresses (provided you set a password for the latter).
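The difference between access-gated storage and client-side encryption can be shown with a short model. This is an added example, not Gmail's or ProtonMail's code: the class and function names are hypothetical, and scrypt with AES-256-GCM is an assumed stand-in for whatever scheme a real service uses.

```javascript
// Added illustration; not Gmail's or ProtonMail's code. All names are hypothetical.
const crypto = require('crypto');

// Model A: access-gated storage. The server keeps the plaintext, and
// "expiry" is only a check on the recipient's read path.
class GatedMailServer {
  constructor() { this.store = new Map(); }
  send(id, body, expiresAt) { this.store.set(id, { body, expiresAt }); }
  recipientRead(id, now) {
    const m = this.store.get(id);
    return m && now < m.expiresAt ? m.body : null;
  }
  // Anyone with storage access (operator, legal demand, intruder) skips the check.
  storageRead(id) { return this.store.get(id)?.body ?? null; }
}

// Model B: the sender encrypts on their own device with a key derived from a
// password shared out of band; the server only ever stores the returned blob.
function sealWithPassword(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(password, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

function openWithPassword(password, blob) {
  const key = crypto.scryptSync(password, blob.salt, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // wrong password or modified ciphertext fails authentication
  }
}

// Constructed sample message and timestamps.
function demo() {
  const gated = new GatedMailServer();
  gated.send('m1', 'wire details: 12345', 1000);
  const blob = sealWithPassword('shared out of band', 'wire details: 12345');
  return {
    recipientAfterExpiry: gated.recipientRead('m1', 2000),
    storageAfterExpiry: gated.storageRead('m1'),
    serverSeesPlaintext: blob.ct.includes('wire details'),
    withPassword: openWithPassword('shared out of band', blob),
    withoutPassword: openWithPassword('guess', blob),
  };
}
```

In Model A the expired message is still readable from storage; in Model B the stored blob is useless without the password, so deleting it leaves nothing to recover.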

Of course, it is possible to forward, copy, download, and print ProtonMail emails. But again, this is also possible in Gmail confidential mode just by taking a screenshot. To advertise this benefit as a “security feature” misleads users into a false sense of security.

Without end-to-end encryption, Gmail’s confidential mode is little more than a marketing trick designed to pacify users concerned about privacy. Fortunately, you don’t need to settle for fake privacy. You can join the more than 10 million people using ProtonMail to secure their communications.

Best Regards,
The ProtonMail Team


About the Author

Ben Wolford

Ben Wolford is a writer at Proton. A journalist for many years, Ben joined Proton to help lead the fight for data privacy.



12 comments on “Gmail confidential mode is not secure or private”

  • If protonmail is advertised as a way to avoid google’s privacy invasion, why does it require users to use recaptcha to create an account?
    recaptcha fingerprints users and is very bad for privacy.

    • In our setup, reCaptcha is served from a sandboxed iframe, which prevents it from being able to interfere with our javascript, so it does not pose a privacy or security risk.

  • It is important to realize that security & privacy ONLY works if BOTH the sender AND the receiver use secure mail.
    e.g. no need to shield your info if the receiving end will ditch into a compromised basket …

  • Typical brazen scamming. A Google “confidential mode” is like the reason to trust that wealthy Nigerian prince who just e-mailed me: He says he’s super-honest!

    In other news, politicians in my country have promised that if they are re-elected, they will never raise taxes, and also, they will provide free ponies for everyone.

  • Dear @confused_customer, Proton Mail HAS to use some form of user/human validation. Also, people create a bunch of free accounts just because they can that fill up these guys' servers!

    Also, because this was possible with Gmail in the beginning, good luck trying to find a decent name that is not taken (and most not even used). NOTHING is free, you want e-mail? PAY!

    All email should be paid only, goodbye spam and crap.

  • ProtonMail does not permit send-as or reply-to aliases, unlike Gmail. The sender must use protonmail domain. This is a major drawback of the ProtonMail service which has still not been addressed, and is a reason to retain Gmail which does have this feature.

    • Hello, thanks for the feedback! Check out our article on creating aliases, multiple addresses, and custom domains. Maybe one of those features can give you the functionality you need?

  • Surely the point about someone taking a photo of a gmail message is the same for protonmail or any other email client?

    • Definitely. That’s why it’s important to understand what the technology can and cannot do.

  • Your position is very important at this time when cybercrime is at its peak. Which gives us a secure way to share our important documents. I also have written a useful post like you, which shows how safe it is to keep data on Google Driver.