Google is in hot water, and it will be interesting to see if they can start bailing out of the bathtub sooner rather than later.
A new feature in Gmail called "confidential mode" purports to lock down your messaging, but in reality it's a bit of a ruse. As reported by several outlets, the email feature is not secure or private, and could lead to a lot of confusion and outright privacy violations.
First, here's how it all works. A tiny icon is now available when you compose an email. It looks a bit like a lock with a stopwatch on top. When you send the message to another Gmail user, you can choose when it will self-destruct--say, in a week or two.
I tried the feature several times, and at first glance it does seem to work as expected. I emailed myself using another Gmail account. You can choose to use an SMS code for security, which means you have to enter the phone number of the recipient, and then the only way to open the email is for the recipient to open the text and enter the SMS number.
That part seems secure; the self-destructing feature, not so much.
In my tests, it was not possible to forward the email or even to add a new reply email and send. If you do, the new recipient sees a message that the email is not available to view. However, I was able to easily make a screenshot and paste it into a new email and send it to a friend. It takes about 10 seconds. Anyone who uses MS Paint can figure it out.
Even worse, I know that my Gmail account itself is only marginally secure. I use two-factor authentication, so for any new computer and browser, I have to type in an SMS code to access my account. However, once I've logged in, that computer is not exactly secure anymore. I could log-out and clear the cache on that computer for added security, but that's annoying and time-consuming.
This all reminds me of the incognito mode in the Google Chrome browser. There's a perception of security. If you don't already know (and Google does warn you about this), incognito mode is a bit laughable. Your browser history is not saved, but the truth is that the sites you visit could still be easily tracked by an employer or your service provider.
What's the real issue here with confidential mode? My opinion: It's a sham. Confidential mode is not that confidential. If you've ever received a secure bank email, you know there is a dramatically different way to make email secure. These messages never exist outside of the bank portal. To see the message, you have to use your bank account. You can't forward them (at least at my bank), although you can make screenshots. The difference is that banks don't ever tell you that messages will exist outside of that portal. I recently moved, and the emails sent regarding my loan never even had a forward or reply button. So the only person who can make a screenshot of an email in that portal is me and no one else.
Confidential messages in Gmail do let you forward them--you can require a code, and it is odd when you try to select the text in one of those messages. Nothing happens. But once the email exists in another Gmail inbox, anyone can make a screenshot and print it out. The main problem is the illusion of security, and the lack of a single access email portal.
My other question for Google, and when I sent a message to their PR I did not receive an immediate response, is how they will address it. My advice is to disable the feature as soon as possible. Gmail users might not quite understand how it all works--and doesn't work.