With confidential mode, the sender can prevent recipients from directly copying, forwarding, downloading or printing a message. If the sender sets an expiration time for the message, the email will no longer be accessible once that date passes. The feature, according to Google, is “useful for when you have to send sensitive information via email like a tax return or your social security number.”
Both of these new prongs of confidential mode are possible, according to the Verge, because Google does not send the confidential content directly to recipients. Instead:
[Y]ou’re only sending a link to the content, which lives in your mailbox and is accessed by the recipient either via their Gmail account or, if they use another email service, https. In both cases, you, the sender, are in charge of how long the other party can access the message. You’re basically handing out a time-limited access license.
At this time, it’s unclear what records of the message will survive on either the sender or recipient’s side, or how confidential messages might impact the accessibility of ESI in the future.
2. Gmail’s Two-Factor Authentication Adds Another Layer of Security
For the four million businesses that pay for G Suite, Gmail will include an even greater level of security: two-factor authentication for specific messages. Two-factor authentication, or 2FA, imposes an additional layer of protection that goes beyond the typical username and password combination, by requiring one additional mode of authentication (a second factor, if you will). It can be biometric data, like a thumbprint, a physical token, such as an ID badge, or a piece of information, like your mother’s maiden name. Thus, if someone purloins your username and password, they would still need a second authenticator to get access to your data. (For this reason, 2FA is also a great way to protect your sensitive eDiscovery information as well.)
For G Suite customers, confidential mode will now let senders to require 2FA for individual messages. To access the message, the recipient will need to use a passcode, sent via text message. That means just getting the email in your inbox won’t be enough; you’ll need to input an additional password in order to read it.
On one hand, this is great news for those dealing with sensitive data, including lawyers. At the same time, it remains to be seen what limitations this will place on third parties reviewing those emails later, in the context of litigation and investigations.
3. New Automated Security Warnings Could Save You From Yourself
While the changes relating to confidentiality mode might complicate legal professionals’ ability to collect and review emails, improvements to Gmail's security could protect them from falling victims to email scams.
And yes, attorneys and other legal professionals fall victim to scam emails with terrifying frequency. Phishing emails are reportedly how Cravath and Weil Gotshal’s M&A practices were hacked in 2015. An email scam also tricked attorneys into wiring $500,000 in settlement funds to the wrong party last summer. And when it comes to spotting suspicious emails, lawyers tend to underperform.
So, here’s one Gmail update that could make your life easier. Google has undergone a behind-the-scenes security redesign meant to stop phishing scams before they can get to you. Each incoming email will undergo a safety check to identify possible fraud, as determined by Google’s machine-learning algorithms. When one hits your inbox, you’ll get a giant red warning that the message “seems dangerous.”
Of course, this probably won’t protect you from more sophisticated “spear phishing” attacks, those tailored to a small group of recipients, but it should help warn against the more mass-market hacking attempts. And, at least for those, if these new warnings don’t keep you from clicking a link, downloading a file, or sending over sensitive information, then you’ve got no one to blame but yourself.
If you are interested in the full release, Google details all the changes here.
Keep in mind, as well, that Google’s Gmail updates are still fresh and have yet to be rolled out universally. What impact these will have on email behaviors, and on your discovery and investigations processes, remains to be seen—but they could be significant.