ProtonBlog(new window)

Gmail confidential mode is not secure or private

Share this page

Without end-to-end encryption, Gmail confidential mode is little more than a marketing strategy. Learn why privacy experts call Google’s privacy features “misleading.”

When we launched Proton Mail nearly five years ago, we pioneered a new kind of email service: one that gives you control of your own data. All emails are end-to-end encrypted(new window) and zero-access encrypted(new window), meaning not even we can read them. We also offer the ability to set expiring emails, which self-destruct after a period of time chosen by the sender.

Several years later, Google tried to integrate some of these same features into Gmail with “confidential mode.” Even though Google launched confidential mode over a year ago, people are still confused about what it does. Is it actually secure or private? Is it encrypted? When you turn it on, does it prevent Google from reading your messages? The answer to these questions is ‘no.’ In fact, the decision to call it “confidential” suggests a level of security and privacy that doesn’t exist in Gmail confidential mode.

Gmail’s confidential mode does not mean your messages are end-to-end encrypted. Google can still read them. Expiring messages aren’t erased for good, and the recipient can always take a screenshot of your message. Let’s take a closer look at how confidential mode works and why it isn’t so confidential after all.

What does Gmail’s confidential mode do?

Gmail unveiled confidential mode in April 2018 with its last major inbox redesign. The feature lets users optionally activate confidential mode from within the composer.

When you turn on confidential mode, a panel appears which gives you two options. The first lets you choose when you want the email to expire so that the recipient can no longer read it (you can also revoke access to sent mail at any time). A second option allows you to require the recipient to enter a passcode to access the message. Google generates the passcode and sends it to the recipient’s phone via SMS, so you need to know your recipient’s phone number. Additionally, emails sent in confidential mode cannot be forwarded, copied, downloaded, or printed.

The problems with confidential mode

Gmail’s confidential mode does not make emails private because Google can always read them. When you send an email with confidential mode turned on, Google keeps the email contents on its servers. If you send a confidential email to other Gmail users, they can read the email in their inbox, but emails to outside users contain only a notification that a sender “has sent you an email via Gmail confidential mode” along with a link to a page on google.com. (This is similar to Proton Mail’s Password-protected Emails(new window) feature.)

Once the email expires, it is no longer accessible to the recipient. But the message remains in the sender’s sent folder, which Google can also read. This is not an expiring email. It can still be accessed by Google and potentially exposed to governments or hackers. As the Electronic Frontier Foundation pointed out(new window), “Because messages sent with Confidential Mode are still retrievable—by the sender and by Google—after the ‘expiration date,’ we think that calling them expired is misleading.”

The passcode option is a further privacy invasion. If you choose to set a passcode for your recipient, you must turn over their private phone number to Google. If you are sending a message to a Gmail user, Google likely already knows their phone number from reading their emails or from other Google products. But if you send a passcode-protected email to a non-Google user, you have just allowed the company to link that individual’s phone number to their email address as well as whatever sensitive information is in your message. This is an effective way for Google to gather information about people, who likely have refused to use their service to avoid just such data collection. It also means Google knows quite a bit about your supposedly confidential email.

The other supposed security benefit of confidential mode is the inability of the recipient to forward, copy, download, or print the email. “This helps reduce the risk of confidential information being accidentally shared with the wrong people,” Google says. While it’s true this may reduce the risk of accidental data exposure, it is not real security. The recipient can simply take a screenshot of the email. “I was able to easily make a screenshot and paste it into a new email and send it to a friend,” wrote one reviewer(new window) for Inc. “It takes about 10 seconds. Anyone who uses MS Paint can figure it out.”

How Proton Mail is different from Gmail confidential mode

When you send an email from your Proton Mail email address to another Proton Mail user, the message is encrypted on your device using the public key of your recipient. This happens automatically, every time. When you hit send, the email travels to your recipient in encrypted form. The recipient then decrypts the message with their corresponding private key.


Because we do not have access to the recipient’s private key, we are never able to read the message. We do have access to metadata, like the email addresses, timestamp, and subject line. (It’s a bit like locking a vault with your friend’s key and then mailing it to them. You can read a full explanation of how end-to-end encryption works(new window).)

Proton Mail also lets you send end-to-end encrypted emails to non-Proton Mail accounts (such as your friends and family on Gmail, to prevent Google from reading your messages to them). Similar to Gmail confidential mode, this works by using a passcode as well. The difference is that with Proton Mail, you can choose the password yourself and communicate it to your recipient however you’d like. Moreover, the message is end-to-end encrypted, and we cannot read it.

Finally, Proton Mail also offers the ability to send expiring emails, except in our case, the emails really do disappear after the expiration time. This works both for emails sent to other Proton Mail users and to non-Proton Mail addresses (provided you set a password for the latter).

Of course, it is possible to forward, copy, download, and print Proton Mail emails. But again, this is also possible in Gmail confidential mode just by taking a screenshot. To advertise this benefit as a “security feature” misleads users into a false sense of security.

Without end-to-end encryption, Gmail’s confidential mode is little more than a marketing trick designed to pacify users concerned about privacy. Fortunately, you don’t need to settle for fake privacy. You can join the more than 10 million people using Proton Mail to secure their communications.

You can get a free secure email account from Proton Mail here(new window).

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window). Thank you for your support.



Secure your emails, protect your privacy
Get Proton Mail free

Share this page

Ben Wolford(new window)

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.

Related articles

Can you password-protect a folder in Google Drive?
Protecting a folder with a password is a simple yet effective way of securing files. You may wonder whether you can password-protect a folder in Google Drive. We explain what access controls Google Drive offers and what you can do to improve your sec
Proton Pass now supports passkeys on all devices and plans
We’re excited to announce that Proton Pass supports passkeys for everyone, allowing you to manage and use passkeys across all devices seamlessly. Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing atta
what is a passkey?
Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, an
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail