Google has rolled out a "Confidential Mode" for Gmail and Google Docs attachments, promising users that they'll be able to send emails to their contacts that can't be shared, printed or copied.
This system, which Google calls "Information Rights Management" (a term coined by Microsoft to refer to a similar feature in Microsoft Office), is a kind of DRM for email. It is an extremely brittle security measure, which can be trivially defeated by taking screenshots or photos of your computer screen.
The problems with this system aren't limited to easy-to-defeat security that might lull users into a false sense of security, though: because the system uses DRM to restrict document usage, it gives Google the legal grounds to shut down rivals who make products that can read and write docs created with its office suite, creating a legally enforced lock-in. Had such a lock-in been in play when Google started Google Docs (which involved reverse-engineering all of Microsoft's doc formats and making products that could read and write them), Google Docs would never have existed.
My EFF colleague Gennie Gebhart and I have written up a critique of Confidential Mode, explaining why it won't help you with your privacy needs — but will limit your freedom.
Here’s how IRM works: companies make a locked-down version of a product that checks documents for flags like “don’t allow printing” or “don’t allow forwarding” and, if it finds these flags, the program disables the corresponding features. To prevent rivals from making their own interoperable products that might simply ignore these restrictions, the program encrypts the user’s documents, and hides the decryption keys where users aren’t supposed to be able to find them.
This is a very brittle sort of security: if you send someone an email or a document that they can open on their own computer, on their own premises, nothing prevents that person from taking a screenshot or a photo of their screen that can then be forwarded, printed, or otherwise copied.
But that’s only the beginning of the problems with Gmail’s new built-in IRM. Indeed, the security properties of the system depend not on the tech, but instead on a Clinton-era copyright statute. Under Section 1201 of the 1998 Digital Millennium Copyright Act (“DMCA 1201”), making a commercial product that bypasses IRM is a potential felony, carrying a five-year prison sentence and a $500,000 fine for a first offense. DMCA 1201 is so broad and sloppily drafted that just revealing defects in Google IRM could land you in court.
We think that “security” products shouldn’t have to rely on the courts to enforce their supposed guarantees, but rather on technologies such as end-to-end encryption which provide actual mathematical assurances of confidentiality. We believe that using the term “Confidential Mode” for a feature that doesn’t provide confidentiality as that term is understood in infosec is misleading.
Between You, Me, and Google: Problems With Gmail's “Confidential Mode”
[Gennie Gebhart and Cory Doctorow]