user perceptions of gmail's confidential mode
Embed Size (px)
Proceedings on Privacy Enhancing Technologies ; 2022 (1):187–206
Elham Al Qahtani, Yousra Javed*, and Mohamed Shehab
User Perceptions of Gmail’s Confidential ModeAbstract: Gmail’s confidential mode enables a user tosend confidential emails and control access to their con-tent through setting an expiration time and passcode,pre-expiry access revocation, and prevention of emailforwarding, downloading, and printing. This paper aimsto understand user perceptions and motivations for us-ing Gmail’s confidential mode (GCM). Our structuredinterviews with 19 Gmail users at UNC Charlotte showthat users utilize this mode to share their private doc-uments with recipients and perceive that this mode en-crypts their emails and attachments. The most com-monly used feature of this mode is the default time ex-piration of one week, and the least used feature is thepre-expiry access revocation. Our analysis suggests sev-eral design improvements.
Keywords: Gmail Confidential Mode, Email, En-cryption, Confidentiality, Privacy, User Perceptions,Ephemeral Communication
DOI 10.2478/popets-2022-0010Received 2021-05-31; revised 2021-09-15; accepted 2021-09-16.
1 IntroductionEmail content is not end-to-end encrypted by default,and therefore is vulnerable to unintended disclosure dur-ing transmission. Various tools exist for achieving emailprivacy through end-to-end encryption between emailsender and receiver. Among these, GNU Privacy Guardis notable. Similarly, many email service providers pro-vide support for Secure/Multipurpose Internet Mail Ex-tensions (S/MIME) and Pretty Good Privacy (PGP) intheir clients. However, studies on these tools have shownthat end-users struggle with configuring end-to-end en-cryption on their emails [43, 46, 58].
Gmail—the most popular email service provider forpersonal and business use —introduced the “confi-
Elham Al Qahtani: University of North Carolina at Char-lotte, E-mail: [email protected]*Corresponding Author: Yousra Javed: Illinois StateUniversity, E-mail: [email protected] Shehab: University of North Carolina at Char-lotte, E-mail: [email protected]
dential mode” in 2018 for ephemeral email communi-cation and access control. This helps protect sensitiveinformation from unauthorized access. Users can set amessage expiration date, revoke message access at anytime, and require an SMS verification code to accessmessages [21, 24]. The feature is available for use withvarious devices e.g., laptops, mobile phones, and tablets.
Gmail’s confidential mode does not encrypt emailcontent and uses its own mechanism for ensuring confi-dentiality. When this mode is used in an email, Gmailremoves the email body and any attachments from therecipient’s copy of the email. These are replaced with alink to the email’s content. Gmail clients then make thelinked content appear as if it is part of the email. Third-party mail clients display a link in place of the content[24, 35]. The confidential mode also prevents recipientsfrom forwarding, copying, printing, or downloading mes-sages, including attachments. However, it does not pre-vent recipients from taking screenshots or photos of themessages or attachments (similar to Snapchat). Recip-ients may still be able to copy or download these mes-sages or attachments through other means such as sav-ing the HTML page.
A wide amount of literature exists on the usabilityand effectiveness of end-to-end email encryption tools.However, to the best of our knowledge, user perceptionsand motivations for sending private emails using otherconfidentiality tools, such as Gmail’s confidential mode,have not been explored. This paper seeks to answer thefollowing research questions:1. What motivates users to use the confidential mode?2. What are users’ perceptions of confidential mode?3. Do users understand the features of this mode i.e.,
expiration time, permission restriction, and pre-expiry access revocation?
We conducted a structured interview-based study with19 Gmail users at a university who have experience withusing its confidential mode feature. Our results showthat users use this mode to share their confidential pri-vate documents with recipients and perceive that thismode encrypts their emails and attachments. The mostcommonly used feature of this mode is the default timeexpiration of one week, and the least used feature is thepre-expiry access revocation. Our analysis has several
User Perceptions of Gmail’s Confidential Mode 188
design implications. Firstly, the users should be madeaware of GCM and its features while attaching files inemails. Similarly, mechanisms other than documenta-tion should be developed to inform users regarding as-sociated risks/limitations(e.g., screenshots and lack ofencryption). Moreover, usability of some of the featurescan be improved. For instance, using a read receipt for"pre-expiry access revocation".
The remainder of this paper is organized as fol-lows. Section 2 provides background on GCM. Section 3presents the most relevant literature to this work. Sec-tion 4 describes the methodology of our study, and theresults are presented in Section 5. Section 6 provides adiscussion of our findings. Section 7 concludes our paperwith the main takeaways.
2 Gmail’s Confidential ModeGoogle introduced a service in early 2018, namely GmailConfidential Mode (GCM), which provides Gmail userswith built-in access controls for their emails. The GCMicon is represented by a lock with a timer symbol, asshown in Figure 1 (a). Users can turn on the confidentialmode by clicking on this icon. GCM’s features allowGmail users to do the following:– Set an expiration date by specifying the amount of
time the email will be accessible to the recipient.– Set an SMS passcode (one-time passcode) to verify
the recipients who can access the messages.– Revoke access to messages before their scheduled
expiration date.– Prevent recipients from forwarding, copying, print-
ing, or downloading message contents or attach-ments.
When users compose an email with "confidential mode"turned on, they can adjust the confidential mode’s set-tings (as shown in Figure 1 (b)) by managing the expi-ration time and setting an SMS passcode. Once a userclicks the confidential mode button, it sets the defaultconfidentiality features such as a default expiration timeof one week. The subject line will remain, but the bodytext will disappear once the expiration date has elapsed.When Gmail users send a confidential email to recipientswho use a different email service, such as Outlook.com,the recipient will receive an email containing a link witha one-time code generated by Google before viewing themessage (see Figure 2). They can additionally be re-quested to confirm their identities by requiring a pass-
code sent to their phone number. However, the SMSpasscode feature is limited to certain regions (America,Europe, Australia, and some countries in Asia) .
GCM therefore prevents unauthorized access byprotecting emails that include sensitive information.However, there are limitations. A confidential email issent over TLS, a secured subnetwork, however it is notcompletely secure, so emails sent outside an improperlyconfigured server or containing individual attachmentswon’t be encrypted . Thus, confidential mode emailsare not end-to-end encrypted. In addition, the confiden-tial mode doesn’t prevent recipients from taking screen-shots or photos of the messages or attachments or sav-ing the HTML page. Another issue is that Google willhave access to recipient’s phone number (to send thepasscode) without their consent. Markert et al. ex-perimented with a phishing attack that mimicked theGCM’s look and showed how attackers could obtain theone-time passcode (2FA) sent via SMS, which was re-ceived by Google’s two-factor authentication. Motivatedby the above factors, we investigated how users perceiveemail security and privacy when using GCM.
3 Related WorkThe literature most relevant to our work falls underthree categories: 1) adoption of security/privacy tools,2) mental models of encryption and 3) ephemeral com-munication.
3.1 Adoption of Security Tools
Several factors and motivations behind the adoption ofsecurity tools in various contexts have been investigated.For instance, Alkaldi and Renaud  identified the fac-tors such as poor advertisement and lack of trustworthi-ness, that impact users’ decision to adopt smartphonepassword managers. Similarly, ease-of-use, required cog-nitive efforts, and trustworthiness have been identifiedas key factors that influence the adoption of two-factorauthentication [11, 23, 37]. Other studies have looked atusers’ perceptions and motivations for (not) followingcomputer security advice (updating software, using apassword manager, using two-factor authentication, andchanging passwords frequently)  and smartphone se-curity advice (using a screen lock, updating the device’ssoftware, deleting suspicious text messages, and usingsecure Wi-Fi) .
User Perceptions of Gmail’s Confidential Mode 189
(a) Gmail’s confidential mode button (b) Features (defaults) of Gmail’s confidential mode
Fig. 1. Email composition window showing Gmail confidential mode
Abu-Salma et al. identified significant obstacles thatinfluence users’ decisions about not adopting securecommunications and found that most participants didnot understand end-to-end encryption, utilized incom-patible tools, and had incorrect mental models abouthow encryption works . Also, poor usability hindersthe adoption of security and privacy tools. For instance,user interface design problems lead to users’ failure toutilize secure tools for creating PGP encrypted emails[18, 58]. However, some of the secure messaging applica-tions (e.g., WhatsApp and Signal) hide the encryptiondetails, and the users are unable to perform the authen-tication ceremony without adequate instructions .
Other studies [19, 38] have examined the adoptionand use of secure email tools by users, exploring whythese tools are not widely adopted. For instance, re-searchers  have identified barriers that hinder theadoption of encrypted email in the workplace. The par-ticipants did not consider using it frequently due to tech-nical factors, usability and social considerations. An-other study  demonstrated that when secure emailtools are integrated with webmail, such as Gmail, theyhave a greater chance of being adopted by average users.
We add to the existing literature by understandingusers’ motivations for using GCM features.
3.2 Mental Models of Encryption
Human behavior depends on differences in perceptionsand perceived intelligence . Huang et al.  investi-gated the factors that influence people’s perceptions of
common security threats. They found that people’s per-ceptions of information security are based on six factors:knowledge about threats, threats’ impact on people, theability to perceive the severity of a threat, the abilityto control the threat, the possibility that the threat willoccur, and awareness of threats.
Understanding users’ mental models can help im-prove risk communication  and help them make theright security decisions . Routi et al. found that usershave a perception that using automatic encryption toolscauses security issues whereas systems with manual en-cryption are trustworthy . Wu et al.  identifiedusers’ (mis)conceptions about encryption in terms offunctional (e.g., access control) and structural mentalmodels. Another study showed that even after receivingeducational training about end-to-end encryption, userswere still confused about information integrity and au-thenticity . Additionally, Krombholz et al.  iden-tified the misconceptions about HTTPS by asking par-ticipants to think aloud while drawing their thoughtsrelated to different scenarios.
We examined users’ perceptions of GCM in termsof encryption, ephemerality, and access control.
3.3 Ephemeral Communication
Ephemeral content/self-destructing messages automati-cally disappear from the recipient side after the messagehas been viewed or after a certain amount of time haselapsed.
User Perceptions of Gmail’s Confidential Mode 190
(a) Message being composed
(b) Message sent (sender’s view with revoke access option)
(c) Message sent (receiver’s view)
Fig. 2. Email composed using Gmail confidential mode
Ephemeral messaging is being widely used in so-cial media applications such as Snapchat (direct mes-sages and stories), Facebook (stories), and Instagram(stories) for achieving access control and privacy . Taking a screenshot of the content triggers a no-tification to the other party. Thus, these social mediaapps implement confidentiality  through the featureof self-destructing messages . Similarly, some mes-saging applications such as WhatsApp have recently in-troduced a self-destruct feature, allowing a user to setan expiration time to a message .
Researchers have found that users adopt ephemeralcontent based on motivations such as fear of missing out,trust, immediacy, and social pressure to obtain gratifica-tion [5, 8]. The messages can also be captured by othermethods  without alerting the receiver’s application.Self-destructing messages are not permanently deletedafter their timeout [26, 31, 36, 39].
We extend this work by evaluating the email expi-ration feature of Gmail’ s Confidential Mode since theconcept of ephemerality is new to emails.
4 MethodologyIn order to understand the user perceptions and mo-tivations of GCM, we conducted structured interviewswith 19 participants from UNC Charlotte, who wereaged 18 and above, had personal Gmail accounts, andhad used GCM. The interview structure and format fol-lowed Watson et al.’s design for exploring user percep-tions about Google+ circles . Moreover, we used ausable security expert’s feedback to remove potentialbiases and misunderstandings in our questions.
4.1 Study Design
Eligible participants were invited to the usability labon campus for in-person interviews or online meetingsvia Zoom. The participants who completed the studyin-person, read and signed the consent form, whereasfor the participants who were interviewed online, weverbally read the consent form and asked them if theyagreed to participate.
We utilized our lab’s desktop computer for the in-person participants, while the online participants usedtheir own devices during the study. In both settings,the audio was recorded. For the lab participants, au-dio was recorded using interviewer’s smartphone, while
User Perceptions of Gmail’s Confidential Mode 191
during Zoom interviews, the audio was recorded usingZoom’s record feature which additionally recorded theentire session (with participant’s permission) includinginstances where participants shared their screen. How-ever, no personal/confidential information of the un-involved persons was captured during screen sharing.For instance, during email composition, the messagewindow was maximized to hide inbox emails from thebackground. Similarly, to show past GCM email, par-ticipants zoomed into a GCM email to show only thepart that contained GCM icon or related statementsuch as “Content is expired”. We only used the audio/text(captions) files from Zoom interviews in our analysisand any video/screen share files automatically capturedwere deleted after data collection.
The collected data comprised participants’ motiva-tion for using GCM and their understanding of how itworks. The participants were first asked a set of de-mographic questions (age, education, gender, job, andtechnical level) and questions regarding their motiva-tions for using confidential mode, i.e., whether they usedit for specific people or a particular content type, andwhy they used it. The interview questions are listed inthe Appendix A.1.
Next, the participants performed a set of tasks, in-cluding, composing a confidential mode email and think-ing aloud as they performed the task. We were inter-ested in knowing what confidential mode meant to theparticipants, whether they confused it with encryption,and whether they understood the mode’s features forachieving confidentiality.
In the last task, the participants were asked to re-view a few of their past confidential mode emails andanswer a set of questions related to these emails. The re-mote participants were requested to share their screen.However, they stopped screen-sharing when viewingtheir past GCM emails. In this part, we investigatedwhether the participants understood the features of thismode for achieving confidentiality, permission restric-tion, expiration time, and pre-expiry access revocation:– Expiration Time: We asked whether participants
were aware that they could set an expiration date onthe message and that the recipient would no longerbe able to view the message after it expired.
– Authentication: We asked whether participantswere aware that they could require an SMS pass-code for the recipient to access messages.
– Pre-Expiry Access Revocation: We askedwhether participants were aware that they couldremove message access at any point before the setexpiry time.
– Permission Restriction: We asked whether par-ticipants were aware that this mode ensures that therecipient does not forward, download, or print theemail, but that the recipient could still take screen-shots.
Therefore, we asked the participants whether they setan expiration date on the content, required an SMSpasscode, revoked message access, and prevented therecipient from forwarding, downloading, or printing thecontent of and attachments to their emails. If a partici-pant’s response was yes, they were asked what they usedthese features for, why they chose them, and what wastheir confidence rating in using these features. Thosewho did not use these features were asked to explainwhy they decided not to use them.
Each interview session lasted for an average of 25minutes. The participants were thanked for their time,and rewarded with a $5 Starbucks gift card. The studywas approved by the university’s Institutional ReviewBoard (Protocol #19-0556).
4.2 Analysis Method
We collected qualitative data and utilized an inductiveapproach for our analysis. The audio of each interviewwas recorded and transcribed. Two researchers codedthe transcribed audio data independently. The two setsof coded data were then compared and discussed toproduce final codes after resolving any disagreements.For this reason, we did not conduct Cohen’s Kappa test(inter-rater agreement). The entire codebook is addedin the Appendix A.2.
Participants were recruited through a mass email sentvia a research announcement to all faculty, staff, andstudents at our university. Interested individuals provedtheir eligibility in a privacy-preserving manner by onlyshowing us the portion of a previous GCM email thatincluded the GCM icon or statements such as “Thismessage was sent via confidential mode” or “Contentis expired”.
User Perceptions of Gmail’s Confidential Mode 192
We interviewed 19 participants from UNC Charlotte asshown in Table 1. Participants were asked a set of de-mographic questions, such as age, gender, highest levelof education completed, occupation and technical skilllevel.
The majority of our participants were female (N=12, 63.2%), whereas 7 participants were male (36.8%).17 of our participants were aged 18–39 years. Regardingthe highest level of education achieved, 7 of the partic-ipants had completed high school, 4 had completed abachelor’s degree, 4 had completed a master’s, 2 hadcompleted associate’s, and 1 had completed a doctor-ate. Our participants were mostly students, but few ofthem had full-time employment. Besides that, we didnot collect any specific information about each student’smajor. However, the majority of those who answeredthe occupation question provided their major. Othersalso provided their current level of education with thehighest level they have completed. 14 participants ratedtheir technical skills as high, whereas 5 participantsrated them as low (on a scale from 1 to 10) with 1 beinglow and 10 being high.
5 ResultsWe used an inductive approach to analyze the collectedqualitative data. The coding procedures were describedin Section 4.2. Below, we report the questions and themain codes derived from participants’ responses.
After the participants answered demographic ques-tions, they were asked about their email usage, i.e.,which email service providers they used and how of-ten they used them. All of our participants used Gmail.Other email services reported were Yahoo (5 partici-pants), Hotmail (4 participants), and Outlook (4 par-ticipants). The majority of our participants used Gmailevery day compared to the other email services.
We also asked the participants about their fre-quency of use of GCM. We wanted to know how longthey had used GCM and how frequently they had usedit. We found that most participants had used GCM sincelast year (2020), while four of them had been using itsince 2019. A majority of our participants used GCMone or more times per week.
# Age Education Gender Occupation Major1
P1 30 Master’s Female PhD stu-dent
P2 20 Highschool
P3 20 Highschool
Female Student -
P4 26 Bachelor’s Male Student Computer Sci-ence
P5 38 Master’s Female Instructor/Student
P6 19 Associate’s Male Student Mathematicsand ComputerScience
P7 22 Bachelor’s Female Student ComputerScience andBusiness Ad-ministration
P8 29 Bachelor’s Female Student Chemical Engi-neering
P9 19 Highschool
Male Student Computer Sci-ence
P10 47 Doctorate Male Professor CurriculumInstruction andEducationalPolicy
P11 34 Master’s Female Student Health Infor-matics
P12 22 Bachelor’s Male Student Criminal JusticeP13 19 High
P14 22 HighSchool
Female Student Communications
P15 19 HighSchool
Female Student Meteorology
P16 53 Bachelor’s Male IT consul-tant
P17 30 Master’s Male Student Electrical andComputerEngineering
P18 19 HighSchool
Female Tax Asso-ciate
P19 33 Associate’s Female Student Media Commu-nications
Table 1. Participant demographics
1 Major was not explicitly collected
5.1 Motivations for Using Gmail’sConfidential Mode
To answer our first research question “What motivatesusers to use the confidential mode?", we asked par-ticipants what made them start using GCM. We believethat users’ perceptions highlight how confidential emails
User Perceptions of Gmail’s Confidential Mode 193
have been approached, impacting their willingness toshare confidential content and attachments.
Participants reported a variety of reasons for us-ing GCM. The most pronounced reason was sharingconfidential documents (12/19). The majority of ourinterviewees began using GCM for sending sensitivedocuments, including personal identification documents(e.g., driver’s licenses, passports, financial statements,or medical records).
We also noticed that participants used GCM to pre-vent unauthorized access (4/19). They were concernedabout unauthorized people accessing their confidentialdocuments or accidental sharing with the wrong peo-ple. Participants used GCM’s default time expirationafter one week, to allow recipients to access informationtemporarily (4/19).
P8: “Initially, when I wanted to share my informa-tion with a third party where I didn’t want them to havethat for a long time, I used it when I wanted to add myname to the existing new lease. So they asked me forsome documents ... but I didn’t want them to have it fortoo long so I sent it through confidential mode so theycould just view it. ... After some time it just expires."
Another reason given by interviewees for usingGCM was curiosity (3/19), which led them to exploreGCM’s security features to make better security deci-sions. For instance,
P5: “Actually, I’m curious about my confidentiality.... So that’s what raised my attention. I felt like it willmeet my requirements specially when I send some reallycritical information and I don’t want the other personto reuse it in a different way than as I had wanted."
A few participants mentioned that they started us-ing GCM thinking that it was encrypted. For example,P15 stated that she was confident that she was send-ing an encrypted email with confidential mode whensharing patient information related to the Health Insur-ance Portability and Accountability Act (HIPAA). Also,two participants valued their data privacy when shar-ing confidential content. They clarified that it providedmore privacy to their email content and attachments,perceiving that no one would see the email except therecipients.
Furthermore, a number of participants expressedthat their motivation for utilizing GCM was remote con-fidential information sharing since they could not handover important documents physically once the pandemic
started. Another participant (P16) received a sugges-tion to use GCM from his work colleague. He then sug-gested this mode to other people.
Next, we asked the participants what type of emailcontent they used GCM for. We found that 19 partic-ipants used GCM to send private documents, whichwas similar to their motivation for using GCM. Thesedocuments included legal documents between two com-panies, work-related documents, financial records, per-sonal information (e.g., private pictures, as shown inthe quote below), governmental and tax documents,and medical information (e.g., patient records, pet files,immunization records). Also, participants used GCM toshare private non-work-related documents with familymembers, such as parents and spouses (3/19).
(P5): “I would say things that should be really veryprivate between me and the person that I send themto. Sometimes I may do that if I’m sending pictures ofmine. I would really like to keep their privacy, and Idon’t want them to be kept forever. So, mainly they arefor personal information."
Our study found that participants attached variousfiles or documents, such as PDFs, Excel files, scannedimages, Word files, and text messages in their GCMemails.
Next, the participants were asked to whom they sentGCM emails and why they chose to share with them.We observed that participants sent confidential emailsto several recipients. This included family members andclose relatives (11/19) (e.g., parents, spouses, partners,or friends), administrative team members (7/19) (e.g.,upper management, company manager, government of-ficials, school offices, or admissions officers), financialemployees (7/19) (e.g., financial managers or bank con-sultants), for teamwork (3/19) (e.g., clients, classmates,teammates), medical personnel (2/19) (e.g., doctors,veterinarians), and a leasing office (1/19).
Participants also stated their reasons for sharingconfidential emails with these recipients. A number ofparticipants mentioned that they couldn’t physicallyshare confidential documents once the pandemic hadstarted (4/19), so GCM served as a solution. Anotherreason (4/19) was that the administrative team (e.g.,company manager, admissions officers) requested thatthey share confidential documents that related to theirwork. Participants also reported that the recipients ofthese documents requested them to be sent privately(3/19). Moreover, a few participants either trusted thereceiver (2/19) or used GCM to prevent unauthorized
User Perceptions of Gmail’s Confidential Mode 194
access (2/19). One participant (P5) also mentioned thatshe could use GCM to achieve privacy while using theinternet without using a VPN:
(P5): “So once the pandemic started, it gave metime to be able to just try all these things out, differentservices and such. I had privacy concerns, because I justhadn’t been using internet, without a VPN. There was, Ithink, a few years ago there was like a wave of hacks ofpersonal emails and that’s what kind of like inspired meto look into kind of making sure that my information isprivate."
Table 2 summarizes the themes of participants’ mo-tivations, the type of content that is used in GCMemails, and the type of recipients who received GCMemails.
Motivation for Using GCM # ParticipantsSharing confidential documents (12/19)Prevent unauthorized access (4/19)Encryption (2/19)Curiosity (3/19)Replacement for physical (2/19)Information sharing during pandemic (2/19)Requirement of sharing work documents (1/19)Type of content in GCM # ParticipantsPrivate non-work-related documents (3/19)Work-related documents (5/19)Financial records (5/19)Governmental and tax documents (3/19)Legal documents (1/19)Medical documents (2/19)Type of recipients in GCM # ParticipantsFamily members and close relatives (11/19)Administrative team members (7/19)Financial employees (7/19)Teamwork at school office (3/19)Medical personnel (2/19)Leasing office staff (1/19)
Table 2. Summary of motivations for using GCM along with thetype of content and recipients in GCM emails
5.2 Perceptions of GCM
Our second research question was “What are users’perceptions of confidential mode?" We asked theparticipants to compose a confidential email relatedto this interview experience and think aloud as theycomplete this task. After the task was completed, par-ticipants were asked how the confidentiality was be-
ing achieved, and whether the composed email was en-crypted. We asked participants to perform this task as itwould enable them to articulate their best understand-ing of the topic and discuss their thoughts on how con-fidentiality could be achieved in this mode and whetherthe composed email was encrypted or not.
Participants showed us how they composed theemail in confidential mode. They started by clickingon the button of the confidential mode. After seeingthe GCM settings dialog box, they started explaininghow they use them. They demonstrated how they couldmodify these settings. For example, some participantschanged the default expiration date or chose not to useSMS passcode when they used this mode. We found thatparticipants experienced the GCM as intuitive to use.The features’ evaluation is discussed in depth in the fol-lowing sections and Table 3 summarizes participants’perceptions of GCM regarding achieving confidentialityand encryption.
When asked how confidentiality was achieved in thismode, many participants explained that it was accom-plished by using one of the confidential mode features.These included setting an expiration date (8/19); en-abling authentication (4/19); disabling options to for-ward, copy, print, and download the emails (9/19); andincluding confidential links (2/19). One participant alsomentioned that GCM is achieving confidentiality by en-abling a high level of encryption. Each theme is de-scribed in detail below.
Setting an Expiration Date. Participants ex-plained that confidentiality in this mode is achieved bychoosing an expiration date. This feature prevents a re-cipient from being able to view confidential messagesafter a certain time. For example, one of the partici-pants (P2) commented, “I usually set my confidentialmode to expire like within a week. So, I know that they’vegotten it, but then the email, like after a week expires."
Enabling Authentication. Four participantsclarified that the confidentiality of the message wasachieved through the use of second factor for authenti-cation (SMS passcode generated by Google). The recip-ients received an SMS passcode through a text messageto access their confidential messages. For instance, oneparticipant (P18) mentioned: “Because this informa-tion cannot be leaked or be handed to the wrong peopleso in case this email is being sent to the wrong recipient,
User Perceptions of Gmail’s Confidential Mode 195
or in case of anything, due to the passcode, they cannotaccess it."
Enabling a High Level of Encryption. One par-ticipant (P6) mentioned the availability of stronger en-cryption when a GCM email was sent: “When the emailis normally sent, there’s the basic encryption, that itgoes through, but [it] is saved permanently. But this onehas a high degree of encryption."
Including a Confidential Link. Two participantsmentioned that including a link to content in their emailmeant it was confidential and that the link expired af-ter a certain amount of time. For instance, one of them(P16) commented: “ Instead of whatever it is that I’msending to them... [and they are] receiving a copy of it,and having that copy reside physically on their com-puter, they’re just getting a link to whatever it is I’msending them and can be expired."
Disabling Options to Forward, Copy, Print,and Download. Participants also perceived that confi-dentiality was maintained by preventing recipients fromaccidentally sharing their emails (e.g., forwarding, copy-ing, printing, and downloading). For example, one (P5)said: “Disabling the ability of the receiver to edit orshare this email with others.... So besides confidential-ity, which I consider keeping my private informationwith high privacy.... So, there will be high integrity andconfidentiality. So I would feel really secured with thatoption."
Participants were asked whether their email was en-crypted. If they thought so, they explained how it wasencrypted and why. We found that 11 participants per-ceived that their GCM email was encrypted, whereas 5participants were not sure if it was encrypted. Surpris-ingly, only 3 participants stated that sending an email inconfidential mode does not mean that it is encrypted.Table 3 summarizes user perceptions regarding confi-dentiality and encryption in GCM.
Encrypted: Participants were convinced thatemail in this mode was encrypted due to their trustin Google services. For instance, one participant (P12)said: “Yes, I believe so. I’d say, you know, I trust Google,and I have faith and confidence in the services that theyprovide." Other participants perceived it as encryptedsince it used security features such as an SMS passcodeor time expiration. For example, one (P7) noted that,“by pushing that button it is being encrypted and by do-
ing so in a certain amount of days, it will get deleteditself."
Not Sure: A number of participants were unsurewhether GCM emails were encrypted since they had noknowledge of the hidden process of how confidentialityworked. For example, one (P10) stated: “I don’t knowenough about the sort of inner working of the mode,whether it’s truly encrypted but my guess is that it is anextra layer of [secure link], I mean that’s where you keepthe confidentiality.... I don’t think I know quite enoughabout how confidentiality works and if it’s truly all en-crypted, or there’s a secure socket kind of secure SSLlayer."
Not Encrypted: Surprisingly, 3 participants as-sured that the GCM email was not encrypted becauseof their understanding of encryption and decryption asone stated below:
P16: “The email is not encrypted, because of a fewreasons. If it was encrypted, the recipient would have toknow how to decrypt it. And that’s unlikely. And just theway that Gmail confidential mode works, it doesn’t reallywork by encryption. It works by sending them a link towhatever it is I’m sending them, which will remain ona Google server."
Confidentiality in GCM # ParticipantsBy setting an expiration date (8/19)By enabling authentication (4/19)By disabling options to forward, copy, print (9/19)By including confidential links (2/19)By enabling a high level of encryption (1/19)Encryption in GCM # ParticipantsVia security features (11/19)Unsure (5/19)Does not exist (3/19)
Table 3. Summary of user perceptions of GCM regarding achiev-ing confidentiality and encryption
5.3 Security Features of GCM
To answer our third research question, “Do usersunderstand the individual features of GCM i.e.,permission restriction, expiration time, and pre-expiry access revocation?", we asked participants toevaluate their last few (1 to 3) emails that they sentin confidential mode and answer a set of questions re-lated to their use of each feature, as shown below. We
User Perceptions of Gmail’s Confidential Mode 196
wanted to know whether participants used these fea-tures in their emails and, if so, why they used them(if any), why they chose not to use them (if any), andwhat confidence they had in using these features on ascale from 1 to 5, where 5 indicated high confidence. Thequestions are included in the Appendix section A.1. Ta-ble 4 summarizes participants’ reasons for (not) usingGCM features.
5.3.1 Expiration Time
Gmail users can set an expiration time after which theemail will not be visible to the recipients. The expirydate options include one day, one week, one month,three months, or five years. We found that 15 of ourparticipants had set an expiration date on the contentin their last emails, whereas the other three did not.
Participants who responded yes, were asked whatthis feature meant and why they chose to use it. Theyreported that they used this feature to prevent unau-thorized access (4/15), to have temporal access (10/15),and to set content restrictions (1/15).
Participants set an expiration time to the confiden-tial email within a week, including attachments, such asidentification documents, to prevent unauthorized peo-ple from accessing it and misusing the content. Also,participants explained that setting an expiration time inthe emails containing confidential documents preventsunauthorized access even if the user’s email account isaccidentally left logged in at multiple devices/locations.
One participant (P8) explained that she used thisfeature to restrict the recipient from downloading, print-ing, or using the information later. Also, a number ofparticipants specified the expiry time in terms of hoursor days. They stated that sensitive information (suchas medical documents, tax documents, family gifts, andpersonal documents) would disappear and would nolonger be vulnerable to any data leaks or informationhacking. For instance,
P5: “Because I wanted this data to not be availablefor long term storage. And because it will be invalid af-ter sometime. So, I use that feature to make sure it willonly be available within the time I designated. I wouldlike to get this picture destroyed as soon as possible.This may encourage me to share some private picturesbut for very a short time to make sure it will not beabused by others."
Participants expressed their confidence in settingan expiration time as follows. Seven participants werestrongly confident (5) using this feature (see the quotefrom P5), whereas four and three participants expressedtheir confidence at 4 and 3, respectively. One participant(P1) rated her confidence at 2.5 stating that she wasunsure whether the confidential email was still in thecloud after the expiration date.
Few participants did not choose a short expirationtime because of the concern that emails might deletethemselves before they were read by recipients or be-cause of the type of email account this email was usedfor (work vs. personal accounts).
Gmail users can set an SMS passcode (a one-time pass-code) generated by Google to verify the recipients whocan access the confidential messages. We found that 8participants required an SMS passcode in their emails,whereas 11 participants did not select an SMS passcodein their GCM emails.
Participants set passcodes for recipients to preventunauthorized access to their emails (4/8),to use two-factor authentication for extra security (2/8), to ensureemail privacy (2/8), and to ensure message safety (1/8).
Participants who required an SMS passcodes for therecipients stated their confidence in setting them. Threeparticipants were extremely confident about using thisfeature, whereas four participants expressed strong con-fidence. One participant, (P1), expressed only moder-ate confidence in the technology.
Eleven participants explained why they did not usean SMS passcode in their GCM email. The themes thatemerged from their responses were as follows: using an-other security tool (1/11), using for specific accounts(1/11), avoiding any confusion (2/11), being convenient(4/11), trusting the recipient (1/11), considering it un-necessary (1/11), and not knowing the passcode (1/11).
For example, one participant (P7) utilized anothersecurity tool, stating that she used VPN to secure themessages when sending emails to recipients. Anotherreason an SMS passcode was not used in the confidentialemail was that it was only used on a work account,and not on a personal email account, as one participant(P11) commented, “So it was my company requirement,it was not my personal thing, so I just abide by what theytold me to follow."
In addition, a number of participants did not utilizean SMS passcode in their GCM emails to avoid confu-
User Perceptions of Gmail’s Confidential Mode 197
sion due to the recipients’ low technical expertise. Otherparticipants stated that choosing not to use an SMSpasscode made it more convenient and comfortable forrecipients to access their confidential email. Also, oneparticipant stated that this feature was not needed inthe confidential email.
Another theme that emerged from participants’ re-sponses was the trust between the receiver and sender.For example, one participant (P2) trusted his familymembers and said:
“So we all trust each other that, you know, we’re notgoing to need to have a text message sent to our phonein order to access the email.... We want a way that noone accidentally sends something by mistake. So that’swhy the SMS just seemed like an additional step thatwasn’t necessary for our purposes."
5.3.3 Pre-Expiry Access Revocation
Confidential mode allows Gmail users to remove accessto email content early before it expires. We found thatmost participants (14) did not revoke message access inany of their last emails. Further, five participants didnot know what revoking message access meant and itspurpose. Only one participant used this feature once,thinking that the receiver might not open their email.
Fourteen participants did not revoke email accessbefore the expiration date for the following reasons:trusted the recipients (5/14), there was already anaccess restriction (e.g., expiration date) (4/14), andthought it was unnecessary (4/14). One participant alsostated that content was not super sensitive (birth certifi-cates (1/14)) and thus did not require revoking access.
Therefore, some participants already trusted andknew the identity of recipients, such as friends, admin-istrators, or family members, which led them not tochoose message access revocation before it expired. Also,a number of participants expressed that setting an ex-piration time for their confidential email was adequatefor achieving the goal of using GCM. For example,
P16: “I just didn’t need to use it, I felt like the ex-piration date would be adequate. I didn’t know when theperson was going to look at the message. And I didn’twant to keep up with it, it was easier to just let it expireinstead of having to actively revoke it."
A few participants stated that they were not awareof pre-expiry access revocation and how it works. More-over, they did not understand the primary purpose ofusing this feature in general. Other participants found
no reason to revoke message access in their confidentialemail, and they did not need to utilize this feature. Forinstance,
P18: “I didn’t see it [as] 100% necessary. If its inconfidential mode, there shouldn’t be a reason to revokeit unless it was the wrong recipient or we have to doanything like that, then that’s another issue."
5.3.4 Permission Restriction
GCM allows users to prevent the recipient from forward-ing, copying, printing, or downloading message contents.We asked our participants about their experiences withpreventing recipients from forwarding, downloading, orprinting their last emails. As a result, 14 participantsstated that the confidential mode would prevent recipi-ents from doing that. However, 5 participants said thatthis mode would not prevent recipients from doing that.
We asked those who mentioned that recipientscouldn’t forward, download, or print emails about howthis was accomplished. The majority of participants(10/14) stated that GCM by default prevents recipientsfrom forwarding, copying, printing, or downloading mes-sage content or attachments. Also, some participants(3/14) were unsure whether recipients could forward,copy, print, or download message content or attach-ments in their last emails since they considered alter-native methods that the recipients might use. Anotherparticipant stated that the sharing of private informa-tion among employees is done by following workplacerules such as not printing or forwarding confidentialdocuments. For example, one participant (P7) men-tioned:
“So, most of the time it is a work culture and kindof expected that we do not print the private informationthat you know may end up in an unauthorized person’shands, so most of the time it is known but I’ve neverbeen in a situation where I’ve had to tell someone thatplease do not print this."
Participants were also asked whether there wereother ways in which the recipients could copy the con-tent in their email. The methods identified by the partic-ipants were as follows: screenshots taken from the com-puter or smartphone screen (12/14), third-party pro-grams to bypass security (1/14), and screen records us-ing recording tools (1/14).
User Perceptions of Gmail’s Confidential Mode 198
Even though participants mentioned other methodsthat recipients might use to capture the confidentialcontent, many of them were still moderately confident.Participants stated their confidence on a scale from 1 to5 (where 5 was strongly confident), about ensuring thatthe recipient could not forward, download, or print theemail. Four participants were strongly confident sincethey trusted the receiver, while seven were moderatelyconfident at a level of 3.
On the other hand, a few participants stated thatthey were unsure whether this mode would preventrecipients from forwarding, downloading, or printingthe content. They believed that it was not required toprevent recipients (family members) from sharing ordownloading the content. For example,
P9: “So I never really had to prevent them fromsharing or something like that, but for my personal doc-uments, it is my family that accesses the files, and Inever did that with my family and classmates."
6.1 User Understanding/Expectations ofGCM
According to the Electronic Frontier Foundation (EFF), “Google can see the contents of your messages andhas the technical capability to store them indefinitely, re-gardless of any ’expiration date’ you set. In other words,Confidential Mode provides zero confidentiality with re-gard to Google." Our participants stated that confiden-tially is being achieved when GCM is used by click-ing the "confidential mode" button and selecting one ofits features. They expected confidentiality with regardsto recipients and that the email will be fully deletedfrom recipient’s inbox after expiration time. They alsohad expectations with regards to Google, but assumedthat Google will have access to their email content. Ac-cording to most participants, their GCM is encryptedand secure, and only receivers can read their confiden-tial emails until they expire, after which the recipientswill no longer have access to these emails. Some partic-ipants, however, indicated that Google also reads theirencrypted emails in addition to the recipients before thetime limit has expired. Thus, participants had a low un-derstanding of encryption and confidentiality.
Table 5 summarizes the levels of participants’ un-derstanding of each GCM feature, interpreted from their
(Using) Expiration Time # ParticipantsPrevent unauthorized access (4/15)Grant temporal access (10/15)Set content restrictions (1/15)(Not using) Expiration Time # ParticipantsEmail deletion (2/4)Type of email account (2/4)(Using) Authentication # ParticipantsPrevent unauthorized access to emails (4/8)Use 2F authentication for extra security (2/8)Ensure email privacy (2/8)Ensure message safety (1/8)(Not using) Authentication # ParticipantsUsing another security tool (1/11)Using it for specific accounts (1/11)To Avoid any confusion (2/11)Being convenient (4/11)Trusting the recipient (1/11)Unnecessary (1/11)Not knowing the passcode (1/11)(Using) Pre-expiry Access Revocation # ParticipantsReceiver might never open email (1/1)(Not Using) Pre-expiry Access Revoca-tion
Trust the recipients (5/14)Other access restrictions exist (4/14)It is unnecessary (4/14)Content is not super sensitive (1/14)(Using) Permission Restriction # ParticipantsProvided by GCM by default (10/14)Following workplace rules (1/14)Recipients use alternative methods (3/14)(Not using) Permission Restriction # ParticipantsNot required to prevent recipients fromsharing or downloading content
Table 4. Summary of participants’ reasons for (not) using GCMfeatures
open-ended responses on what each feature is, why theychose it, how they use it, and their confidence in cor-rectly using it. High-understanding refers to correctlyanswering all four questions, medium-understandingrefers to answering half of these questions correctly,whereas low-understanding means answering less than2 questions correctly. "Usage" term represents the por-tion of participants who used this feature and not howfrequently they used it. These levels were finalized withmutual agreement between the two coders. Participantstrusted Google services, believing that GCM was en-crypted and that its features (SMS code and expirationtime) implemented the encryption process. Their trustin Google services confirms the findings of the Watsonet al. study , who stated that participants who used
User Perceptions of Gmail’s Confidential Mode 199
Expiration time Pre-expiry access revocation SMS passcode authentication Permission restriction EncryptionUnderstanding High Low High Medium LowUsage High Low Low High NA
Table 5. A summary of participant understanding and usage rating of GCM features
Google+ had a higher level of trust in Google with re-gard to their personal information.
The majority of the participants had a higher un-derstanding of the expiration time and SMS passcodefeatures for achieving confidentiality, as shown in Table5. In contrast, participants had a moderate understand-ing of GCM’s pre-expiry access revocation. Moreover,participants had a good comprehension of GCM’s au-thentication feature, and that it was enabled based ontheir preferences. Many participants set an SMS pass-code (one-time passcode) in their emails for adding a se-curity layer to prevent unauthorized access and ensuremessage safety and privacy. The expiration time featurewas also well understood by the participants. They didnot revoke access to messages after setting an expirationdate, believing that there was no need to do so or pre-venting such a scenario where the message was deletedbefore it had been viewed. Participants agreed that theconfidential mode prevented recipients from forward-ing, copying, printing, and downloading message con-tents through the permission restriction feature. How-ever, when they started to think about other methodsof capturing confidential documents (e.g., screenshots),they strongly relied on the trust relationship with therecipient. They believed that there was no need to re-voke access to messages for trusted recipients.
6.2 GCM Usage
Our participants were able to compose a confidentialemail using GCM with an expiration time and permis-sion restriction without any issues. However, it appearedthat participants did not set an SMS passcode whenthey used this mode since setting an SMS passcode wasinconvenient to use especially when the recipients areolder and less tech savvy. Moreover, some did not revokeaccess to a message after setting an expiration date inorder to prevent a scenario where it was deleted beforethe recipient had viewed the message.
Table 5 (the second row) shows that a majorityof the participants frequently used the expiration timeand permission restriction, whereas they used the otherfeatures (access revocation and authentication) less fre-quently due to usability issues.
The types of confidential private documents sharedincluded tax documents, passports, financial state-ments, medical records, and photos. Therefore, partici-pants used GCM for sharing sensitive documents bothin person-to-person and person-to-business context. Thedocuments included both non-work and work-relateddocuments. The non-work documents were shared withclose friends and relatives, such as parents, spouses, andpartners. On the other hand, many participants sharedwork related documents with formal relationships, suchas an office team. Users who shared work-related doc-uments were more concerned about the third-partythreats e.g., entities other than Gmail and the recipi-ent gaining access to email content.
Many participants began to use GCM after the on-set of the COVID-19 pandemic as they faced difficultiesin sharing their sensitive documents physically. Theyaimed to prevent access by the wrong person. Further-more, due to the deletion of these documents from re-cipients’ inboxes, recipients can only temporarily accessthe information.
6.3 Design Implications
There are certain risks when users send private infor-mation via the confidential mode (GCM), contrary tousers’ belief that it is end-to-end encrypted and com-pletely confidential. Moreover, certain GCM features areless used to avoid unforeseen circumstances. Therefore,our findings suggest several design improvements.– Improve risk communication
Effective risk communication involves delivering therisk information in a way that motivates users tomake secure decisions [10, 30, 40]. For instance,the walk-through technique provides instructions onwhat users can do through the interaction. It hasbeen used to support users learnability and improvethe code quality and user experience of using newsystems [6, 16]. In our study, we found that someof the participants believed that GCM uses a highlevel of encryption for their messages and attach-ments. Thus, we suggest that Gmail users shouldbe informed that GCM does not add end-to-end en-cryption via a walk-through of the GCM features
User Perceptions of Gmail’s Confidential Mode 200
(for new users) together with the misconceptionswe found in our study.Another approach to inform Gmail users that GCMdoes not add end-to-end encryption is by showingan icon of broken/non-existent email encryption.For example, in security warnings, engaging usersthrough meaningful cues (such as icons and words)allows them to comprehend the context of the mes-sages .
– Provide the GCM email sender with a readreceiptWe found that participants did not revoke accessto messages after setting an expiration date in or-der to prevent a scenario where the message wasdeleted before it had been viewed. Therefore, werecommend that the sender be informed once the re-cipient has read the confidential message and clickedon the link e.g., by providing a read-receipt to thesender (similar to WhatsApp’s blue-tick idea ).Secondly, a machine-learning based approach (simi-lar to Pielot et al. ) can be used to estimate theamount of time after which the recipient is likelyto read the email (based on recipient’s past phoneusage). This information can assist the sender inrevoking access after the email has been sent orin choosing the appropriate expiration time whilesending the GCM email.
Fig. 3. A notification message is shown if a user has not turnedon the confidential mode in the past
– Add watermarking feature in the email at-tachments
Watermark refers to a piece of hidden information(for example, text, image), which can be more or lesstransparent to the original document while provid-ing individualized tracking for sensitive documents,copyright protection, and data authentication (e.g.,ownership proof, copying prevention) . We foundthat GCM does not prevent recipients from takingscreenshots/photos of the received messages and at-tachments. The attachments (e.g., PDF, images)could be watermarked to prevent recipients fromleaking sensitive photos similar to the feature pro-vided by the email encryption tool Virtru , i.e.,when documents are shared externally, they canbe watermarked with authorized recipients’ names,helping prevent data leaks and giving senders an-other mechanism to keep the sensitive data pro-tected .
– Improve the notification message about us-ing GCM when including email attachments.Gmail users who have not turned on the confiden-tial mode in the past receive a notification messageespecially when they attach files to their emails, ask-ing them to try using GCM to keep their informa-tion safe. Figure 3 shows Gmail’s existing notifica-tion displayed (once) to Gmail users who have neverused GCM. We recommend modifying it by includ-ing short description of confidential mode features(e.g., expiration date, access revocation before theexpiration date) to its increase usage. The notifica-tion can be ignored if it provides no value to the user. On the other hand, relevant and timely notifi-cations have the power to reach users and capturetheir attention .
6.4 Limitations and Future Work
Our work is not without limitations. Firstly, there is ademographic bias in our sample. A majority of the par-ticipants were young (less than 30 years) due to recruit-ment from a university. The sample size is also small andnot gender-balanced since the pandemic caused difficul-ties in recruiting/determining eligibility of participantsover MTurk via GCM email screenshots. The high levelof technical skill reported could be a result of partici-pants being recruited from campus. An area of improve-ment would be to expand the study by including non-university participants in order to get a more diversesample.
Secondly, we did not use a standardized question-naire such as the Affinity for Technology Interaction
User Perceptions of Gmail’s Confidential Mode 201
(ATI) , the Security Behavior Intentions Scale (Se-BIS)  or the Internet Skills Scale  to measuretechnical expertise since our main goal was not tocompare the perceptions of technical experts and non-experts. However, this can be a future extension of thiswork.
Moreover, since UNC Charlotte has disabledGmail’s confidential mode, the faculty, staff, and stu-dents can’t send Gmail messages in confidential modeusing their university accounts. Therefore, our partici-pants used their personal Gmail accounts for the study.
The encryption question asked from the participantto get their perception of whether GCM uses encryptionmay be too simplistic and not account for real-world nu-ances. A more detailed approach could have been a lesstechnical or indirect way of asking the same question.
There are several future directions for this work. Itis possible to expand it via a quantitative online study.The questions for such study can be based on the find-ings from the interviews. Another interesting path couldinvolve a simple browser extension that directly insertsrisk communication notifications into Gmail’s web inter-face. The effectiveness of these notifications could alsobe measured.
7 ConclusionWe conducted a qualitative interview-based study with19 Gmail users, investigating their motivations for us-ing confidential mode as well as their understandingof each feature for achieving confidentiality (e.g., per-mission restriction, expiration time, authentication, andpre-expiry access revocation).
The participants used GCM to share their confiden-tial/private documents with recipients both in person-to-person and person-to-business context. Moreover,they perceived GCM to be end-to-end encrypted andconfidential. The most commonly used feature of con-fidential email was the default time expiration withina week, and the least used feature was the pre-expiryaccess revocation.
Our analysis has several design implications. Firstly,the users should be made aware of GCM and its fea-tures while attaching files in emails. Similarly, mecha-nisms other than documentation should be developed toinform users regarding associated risks. Moreover, us-ability of some of the features can be improved. Forinstance, using a read receipt for "pre-expiry access re-vocation".
8 AcknowledgementsThis research received no specific grant from any fund-ing agency in the public, commercial, or not-for-profitsectors.
References Ruba Abu-Salma, M Angela Sasse, Joseph Bonneau, Anas-
tasia Danilova, Alena Naiakshina, and Matthew Smith. Ob-stacles to the adoption of secure communication tools. In2017 IEEE Symposium on Security and Privacy (SP), pages137–153. IEEE, 2017.
 Elham Al Qahtani, Yousra Javed, Heather Lipford, and Mo-hamed Shehab. Do women in conservative societies (not)follow smartphone security advice? a case study of saudiarabia and pakistan. In 2020 IEEE European Symposiumon Security and Privacy Workshops (EuroS&PW), pages150–159. IEEE, 2020.
 Nora Alkaldi and Karen Renaud. Why do people adopt, orreject, smartphone password managers? 2016.
 Wei Bai, Michael Pearson, Patrick Gage Kelley, andMichelle L Mazurek. Improving non-experts’ understand-ing of end-to-end encryption: An exploratory study. In 2020IEEE European Symposium on Security and Privacy Work-shops (EuroS&PW), pages 210–219. IEEE, 2020.
 Joseph B Bayer, Nicole B Ellison, Sarita Y Schoenebeck,and Emily B Falk. Sharing the small moments: ephemeralsocial interaction on snapchat. Information, Communication& Society, 19(7):956–977, 2016.
 Maya Cakmak and Leila Takayama. Teaching people how toteach robots: The effect of instructional materials and dialogdesign. In Proceedings of the 2014 ACM/IEEE internationalconference on Human-robot interaction, pages 431–438,2014.
 L Jean Camp. Mental models of privacy and security. IEEETechnology and society magazine, 28(3):37–46, 2009.
 Kuan-Ju Chen and Hoi Ling Cheung. Unlocking the powerof ephemeral content: The roles of motivations, gratifica-tion, need for closure, and engagement. Computers in Hu-man Behavior, 97:67 – 74, 2019.
 Karen Church and Rodrigo De Oliveira. What’s up withwhatsapp? comparing mobile instant messaging behaviorswith traditional sms. In Proceedings of the 15th inter-national conference on Human-computer interaction withmobile devices and services, pages 352–361, 2013.
 National Research Council et al. Improving risk communica-tion. 1989.
 Emiliano De Cristofaro, Honglu Du, Julien Freudiger, andGreg Norcie. A comparative usability study of two-factorauthentication. arXiv preprint arXiv:1309.5344, 2013.
 Tech Desk. New whatsapp feature brings self-destructingmessages: How it works. https://indianexpress.com/article/technology/social/whatsapp-self-destructing-message-available-how-to-use-6316569/, 2020. Last accessed 8February 2021.
User Perceptions of Gmail’s Confidential Mode 202
 Serge Egelman and Eyal Peer. Scaling the security wall:Developing a security behavior intentions scale (sebis). InProceedings of the 33rd annual ACM conference on humanfactors in computing systems, pages 2873–2882, 2015.
 Rip Empson. Not-so-ephemeral messaging: New snapchat“hack” lets users save photos forever. https://techcrunch.com/2013/01/22/not-so-ephemeral-messaging-new-snapchat-hack-lets-users-save-photos-forever/, 2013. Lastaccessed 2 February 2021.
 Michael Fagan and Mohammad Maifi Hasan Khan. Why dothey do what they do?: A study of what motivates users to(not) follow computer security advice. In Twelfth Sympo-sium on Usable Privacy and Security (SOUPS 2016), pages59–75, 2016.
 Michael E Fagan. Design and code inspections to reduceerrors in program development. IBM Systems Journal,38(2.3):258–287, 1999.
 Thomas Franke, Christiane Attig, and Daniel Wessel. Apersonal resource for technology interaction: developmentand validation of the affinity for technology interaction (ati)scale. International Journal of Human–Computer Interaction,35(6):456–467, 2019.
 Simson L Garfinkel and Robert C Miller. Johnny 2: a usertest of key continuity management with s/mime and outlookexpress. In Proceedings of the 2005 symposium on Usableprivacy and security, pages 13–24, 2005.
 Shirley Gaw, Edward W Felten, and Patricia Fernandez-Kelly. Secrecy, flagging, and paranoia: adoption criteria inencrypted email. In Proceedings of the SIGCHI conferenceon human factors in computing systems, pages 591–600,2006.
 Gennie Gebhart and Cory Doctorow. Between you, me,and google: Problems with gmail’s “confidential mode”.https://www.eff.org/deeplinks/2018/07/between-you-me-and-google-problems-gmails-confidential-mode, 2018. Lastaccessed 5 February 2021.
 Google. Protect gmail messages with confidential mode.https://support.google.com/a/answer/7684332?hl=en. Lastaccessed 10 January 2021.
 Google. Send & open confidential emails. https://support.google.com/mail/answer/7674059?hl=en&co=GENIE.Platform%3DAndroid&oco=1, 2018. Last accessed 10 Jan-uary 2021.
 Nancie Gunson, Diarmid Marshall, Hazel Morton, andMervyn Jack. User perceptions of security and usabilityof single-factor and two-factor authentication in automatedtelephone banking. Computers & Security, 30(4):208–220,2011.
 Todd Haselton. How to send self-destructing messages ingmail. https://www.lifewire.com/send-self-destructing-messages-gmail-4691876, 2018. Last accessed 5 February2021.
 Ding-Long Huang, Pei-Luen Patrick Rau, and Gavriel Sal-vendy. A survey of factors influencing people’s perception ofinformation security. In International Conference on Human-Computer Interaction, pages 906–915. Springer, 2007.
 Christopher Kotfila. This message will self-destruct: Thegrowing role of obscurity and self-destructing data in digitalcommunication. Bulletin of the Association for InformationScience and Technology, 40(2):12–16, 2014.
 Katharina Krombholz, Karoline Busse, Katharina Pfeffer,Matthew Smith, and Emanuel von Zezschwitz. " if httpswere secure, i wouldn’t need 2fa"-end user and administra-tor mental models of https. In 2019 IEEE Symposium onSecurity and Privacy (SP), pages 246–263. IEEE, 2019.
 Philipp Markert, Florian Farke, and Markus Dürmuth. Viewthe email to get hacked: Attacking sms-based two-factorauthentication. WAY, 2019.
 Agnieszka McPeak. Self-destruct apps: Spoliation by design.Akron L. Rev., 51:749, 2017.
 M Granger Morgan, Baruch Fischhoff, Ann Bostrom, Cyn-thia J Atman, et al. Risk communication: A mental modelsapproach. Cambridge University Press, 2002.
 Radia Perlman. The ephemerizer: Making data disappear,2005.
 Xuan-Lam Pham, Thi-Huyen Nguyen, Wu-Yuin Hwang, andGwo-Dong Chen. Effects of push notifications on learnerengagement in a mobile learning app. In 2016 IEEE 16thInternational Conference on Advanced Learning Technologies(ICALT), pages 90–94. IEEE, 2016.
 Andy Phan. 6 of the best email service providers in 2021.https://www.currentware.com/best-email-service-providers-2021/, 2021. Last accessed 19 February 2021.
 Martin Pielot, Rodrigo De Oliveira, Haewoon Kwak, andNuria Oliver. Didn’t you see my message? predicting atten-tiveness to mobile instant messages. In Proceedings of theSIGCHI conference on human factors in computing systems,pages 3319–3328, 2014.
 Justin Pot. How the new confidential mode works ingmail. https://www.howtogeek.com/352025/how-the-new-confidential-mode-works-in-gmail/, 2018. Last accessed10 January 2021.
 Joel Reardon, David Basin, and Srdjan Capkun. Sok: Securedata deletion. In 2013 IEEE symposium on security andprivacy, pages 301–315. IEEE, 2013.
 Ken Reese, Trevor Smith, Jonathan Dutson, JonathanArmknecht, Jacob Cameron, and Kent Seamons. A usabilitystudy of five two-factor authentication methods. In FifteenthSymposium on Usable Privacy and Security (SOUPS 2019),2019.
 Karen Renaud, Melanie Volkamer, and Arne Renkema-Padmos. Why doesn’t jane protect her privacy? In Inter-national Symposium on Privacy Enhancing TechnologiesSymposium, pages 244–262. Springer, 2014.
 Franziska Roesner, Brian T Gill, and Tadayoshi Kohno.Sex, lies, or kittens? investigating the use of snapchat’sself-destructing messages. In International Conference onFinancial Cryptography and Data Security, pages 64–76.Springer, 2014.
 Bernd Rohrmann. Risk perception, risk attitude, risk com-munication, risk management: A conceptual appraisal. In15th Internaional Emergency Management Society (TIEMS)Annual Conference, volume 2008, 2008.
 Ira S Rubinstein. Regulating privacy by design. BerkeleyTech. LJ, 26:1409, 2011.
 Scott Ruoti, Jeff Andersen, Scott Heidbrink, Mark O’Neill,Elham Vaziripour, Justin Wu, Daniel Zappala, and KentSeamons. " we’re on the same page" a usability study ofsecure email using pairs of novice users. In Proceedings ofthe 2016 CHI Conference on Human Factors in Computing
User Perceptions of Gmail’s Confidential Mode 203
Systems, pages 4298–4308, 2016. Scott Ruoti, Jeff Andersen, Daniel Zappala, and Kent
Seamons. Why johnny still, still can’t encrypt: Evaluat-ing the usability of a modern pgp client. arXiv preprintarXiv:1510.08555, 2015.
 Scott Ruoti, Nathan Kim, Ben Burgon, Timothy VanDer Horst, and Kent Seamons. Confused johnny: whenautomatic encryption leads to confusion and mistakes. InProceedings of the Ninth Symposium on Usable Privacy andSecurity, pages 1–12, 2013.
 Gavriel Salvendy. Human factors and Ergonomics. LawrenceErlbaum Associates, 1999.
 Steve Sheng, Levi Broderick, Colleen Alison Koranda, andJeremy J Hyland. Why johnny still can’t encrypt: evaluatingthe usability of email encryption software. In Symposium OnUsable Privacy and Security, pages 3–4. ACM, 2006.
 Prabhishek Singh and Ramneet Singh Chadha. A survey ofdigital watermarking techniques, applications and attacks.International Journal of Engineering and Innovative Technol-ogy (IJEIT), 2(9):165–175, 2013.
 Editorial Team. Enhanced control over files with docu-ment watermarking. https://www.virtru.com/blog/digital-watermarking/. Last accessed 28 August 2021.
 Sonja Utz, Nicole Muscanell, and Cameran Khalid. Snapchatelicits more jealousy than facebook: A comparison ofsnapchat and facebook use. Cyberpsychology, Behavior,and Social Networking, 18(3):141–146, 2015.
 Alexander JAM Van Deursen, Ellen J Helsper, and Re-becca Eynon. Development and validation of the internetskills scale (iss). Information, Communication & Society,19(6):804–823, 2016.
 Christof van Nimwegen and Kristi Bergman. Effects oncognition of the burn after reading principle in ephemeralmedia applications. Behaviour & Information Technology,38(10):1060–1067, 2019.
 Elham Vaziripour, Justin Wu, Mark O’Neill, Jordan White-head, Scott Heidbrink, Kent Seamons, and Daniel Zappala.Is that you, alice? a usability study of the authenticationceremony of secure messaging applications. In ThirteenthSymposium on Usable Privacy and Security (SOUPS 2017),pages 29–47, 2017.
 Virtru. The definitive guide to gmail encryption. https://www.virtru.com/blog/gmail-encryption/, 2019. Lastaccessed 26 May 2021.
 Virtru. Demystifying gmail confidential mode. https://www.virtru.com/resource/demystifying-confidential-mode/, 2019.Last accessed 26 May 2021.
 Ian Warren, Andrew Meads, Satish Srirama, ThiranjithWeerasinghe, and Carlos Paniagua. Push notification mecha-nisms for pervasive smartphone applications. IEEE PervasiveComputing, 13(2):61–71, 2014.
 Rick Wash and Emilee Rader. Influencing mental models ofsecurity: a research agenda. In Proceedings of the 2011 NewSecurity Paradigms Workshop, pages 57–66, 2011.
 Jason Watson, Andrew Besmer, and Heather Richter Lip-ford. + your circles: sharing behavior on google+. In Pro-ceedings of the eighth symposium on usable privacy andsecurity, pages 1–9, 2012.
 Alma Whitten and J Doug Tygar. Why johnny can’t en-crypt: A usability evaluation of pgp 5.0. In USENIX Security
Symposium, volume 348, pages 169–184, 1999. Justin Wu and Daniel Zappala. When is a tree really a
truck? exploring mental models of encryption. In FourteenthSymposium on Usable Privacy and Security (SOUPS 2018),pages 395–409, 2018.
 Zarul Fitri Zaaba and Teo Keng Boon. Examination onusability issues of security warning dialogs. Age, 18(25):26–35, 2015.
A.1 Script for In-Person Interview
Good morning/afternoon!Thank you for coming. My name is Elham Al Qah-
tani - I am a Ph.D. student working under Dr. MohamedShehab’s supervision. This study focuses on Gmail userswho have sent confidential mode emails. The purpose ofthe study is to gather information about user motiva-tions for using Gmail’s confidential mode in emails andtheir understanding of how it works. Please read theconsent form before we start. If you agree to participate,you will first sign/confirm your agreement and answera set of demographic and motivation of use questions,you will then perform a few tasks such as composingan email and reviewing a set of your past emails. Afterthat, you will be asked a second set of questions relatedto these emails. The session will last around 25 minutes.You will receive a $5 Starbucks card as a reward for yourparticipation.Demographic questions:1. How old are you?2. What is the highest level of education you have com-
pleted?3. What is your gender?4. What is your occupation?5. What is your technical expertise on a scale from
1-10 where 10 is very technical?
Email and GCM usage questions:1. Which email service providers do you use?2. How often do you use each?3. How long have you been using Gmail confidential
mode?4. How often do you use Gmail confidential mode?
Let’s now focus on your motivations for usingGmail’s confidential mode
User Perceptions of Gmail’s Confidential Mode 204
1. What made you start using Gmail confidentialmode?
2. How are you using Gmail confidential mode in youremails?
3. What type of email content do you use Gmail con-fidential mode for?
4. What type of documents or files do you attach inthese emails?
5. Who do you send these emails to?6. Why did you decide to share these emails with
Task: Could you show me how you would com-pose a confidential email for someone about thisinterview experience. Please think aloud as youperform this task1. When you use this mode, how is confidentiality be-
ing achieved?2. Is your email encrypted? How and Why?
Task: Now please review the last few emails (1 to3 emails) that you sent in confidential mode. Thenext set of questions are related to the emails thereviewed emails:1. Did you require an SMS passcode in any of these
emails?– If participant said “Yes”
– What is it for? Why did you choose it?– Do you require an SMS passcode for the re-
cipient to access messages?– Can you state your confidence in requiring
passcode feature on a scale from 1-5, where5 is strongly confident?
– If participant said “No”– Could you explain why you chose not to use
this feature?2. Did you set an expiration date on the content in any
of these emails?– If participant said “Yes”
– What is it for? Why did you choose it?– Can you state your confidence in setting an
expiration date on the content of your emailon a scale from 1-5, where 5 is strongly con-fident?
– If participant said “No”– Could you explain why you chose not to use
this feature?3. Did you revoke message access in any of these
emails?– If participant said “Yes”
– What is it for? Why did you do it?
– Can you state your confidence in revokingmessage access at any time on a scale from1-5, where 5 is strongly confident?
– If participant said “No”– Could you explain why you chose not to use
this feature?– If the participant said “Yes”
– Please explain how you achieved that?– Do you think there are other ways that the
recipient can use to copy the content in youremail? Can you tell me how?
– Can you state your confidence in ensuringthat the recipient doesn’t forward, down-load, or print the email on a scale from 1-5,where 5 is strongly confident?
– If participant said “No”– Could you explain why you were able to do
Thank you for your participation
A.2 Codebook With Code Frequencies
Code Description FrequencyMotivation: Sharingconfidential documents
Send sensitive doc-uments to recipients(e.g., driver’s licenses,financial statements)
Motivation: Preventunauthorized access
The unauthorized usergains access to confi-dential documents usingdifferent methods
Motivation: Encryption The perception thatusers are sending anencrypted email withconfidential mode
Motivation: Curiosity Explore the security fea-tures to make better se-curity decisions
Motivation: Replace-ment for physicalsharing
Share confidential infor-mation remotely sincethey are unable to de-liver important docu-ments physically
Motivation: Sharingduring pandemic
Share confidential infor-mation during the pan-demic
Motivation: Work re-quirement
Sharing confidential in-formation via GCM is awork requirement
User Perceptions of Gmail’s Confidential Mode 205
Code Description FrequencyContent: Non-work-related documents
Share non work-relateddocuments with closefriends and relatives
Share documents re-lated to work
Share financial docu-ments (e.g., bank state-ments)
Share governmentaldocuments (e.g., taxdocuments)
Content: Legal docu-ments
Share legal documents(e.g., contracts)
Content: Medical docu-ments
Share medical docu-ments (e.g., patientrecords)
Recipients: Family andrelatives
Send confidential emailsto family members andclose relatives (e.g., par-ents, friends)
Recipients: Administra-tive team
Send confidential emailsto administrative teammembers (e.g., com-pany manager)
Send confidential emailsto financial employees(e.g., bank consultants)
Recipients: Teamworkat school
Send confidential emailsfor teamwork (e.g.,classmates)
Recipients: Medical per-sonnel
Send confidential emailsto medical personnel(e.g., veterinarians)
Recipients: Leasing of-fice staff
Send confidential emailsto a leasing office
Sharing-with-recipients:Sharing during pan-demic
Sharing confidential in-formation once the pan-demic started
Sharing-with-recipients:Requested by adminis-trative team
Administrative team re-quest users to share con-fidential documents thatare related to their work
Sharing-with-recipients:Requested by recipients
Recipients request usersto privately share confi-dential documents
Sharing-with-recipients:Trust the receiver
Users trust recipientswhen they share confi-dential documents
Prevent unauthorizedusers from accessingconfidential documents
Users achieve privacywithout using a VPNwhen GCM is used
Confidentiality: Settingan expiration date
The expiration date en-sures confidentiality
Code Description FrequencyConfidentiality: En-abling authentication
Authentication ensuresconfidentiality by usingSMS passcode
Confidentiality: Dis-abling options toforward, copy, print
Enabling confidentialmode prevents forward,copy, print
Confidentiality: Includ-ing confidential links
Include a link to thecontent that expires af-ter a certain period oftime
Confidentiality: En-abling encryption
Using GCM with high-level encryption
Encryption: Via securityfeatures
The security features ofGCM ensure that emailis encrypted
Encryption: Unsure Unsure whether theemail is encrypted ornot
Encryption: Does notexist
GCM email is not en-crypted
Expiration-Time: Pre-vent unauthorizedaccess
Using the time limitfeature, users preventunauthorized peoplefrom viewing emails foras long as they need.
Expiration-Time: Havetemporal access
The time limit featureenables temporary ac-cess to the confidentialemail by recipients
Expiration-Time: Setcontent restrictions
The time limit fea-ture restricts the recip-ient from downloading,printing, or using theconfidential information
Due to the possibilitythat emails might getdeleted before the recip-ients read them, usersdon’t use the feature
No-Expiration-Time:Type of email account
Users do not use thisfeature due to the typeof account they have(e.g., personal or work)
SMS passcode: Preventunauthorized access
Users set an SMSpasscode for recipientsto prevent unauthorizedaccess to their emails
SMS passcode: For ex-tra security
Users set an SMS pass-code to use two-factorauthentication for extrasecurity
SMS passcode: Ensureemail privacy
Users set an SMS pass-code to ensure email pri-vacy
User Perceptions of Gmail’s Confidential Mode 206
Code Description FrequenciesSMS passcode: Ensuremessage safety
Users set an SMS pass-code to ensure contentsafety
No-SMS passcode: Us-ing another security tool
Users do not set anSMS passcode becauseother security tools arein place
No-SMS passcode: Us-ing for specific accounts
Users do not set anSMS passcode for spe-cific email account (e.g.,personal or work)
No-SMS passcode:Avoiding confusion
Users do not set an SMSpasscode to avoid anyconfusion due to the re-cipients’ low technicalexpertise
No-SMS passcode: Be-ing convenient
Users do not set an SMSpasscode because it ismore convenient for re-cipients to access theirconfidential email
No-SMS passcode:Trusting the recipient
Users do not set an SMSpasscode because of thetrust between the re-ceiver and sender
No-SMS passcode: Un-necessary
Users do not set anSMS passcode perceiv-ing that this feature isnot needed in the con-fidential email
No-SMS passcode: Notknowing an SMS pass-code
Users do not set an SMSpasscode because theyare not aware about it
No-Access Revocation:Trusting the recipient
Users do not revoke ac-cess to messages beforetheir scheduled expira-tion date due to thetrust between the re-ceiver and sender
No-Access Revocation:Using access restriction
Users do not revoke ac-cess to messages sinceother GCM features arebeing used (e.g., expira-tion time)
Users do not revoke ac-cess to messages per-ceiving there is no rea-son or need to revokemessage access in theirconfidential email
No-Access Revocation:Not super sensitive
Users do not revoke ac-cess to messages per-ceiving that the contentis not super sensitive(e.g., birth certificates)
Code Description FrequenciesNo knowledge-AccessRevocation: Not aware
Users do not know whatrevoking message accessmeant and its purpose
Users perceive thatGCM by default pre-vents recipients fromforwarding, copying,printing, or download-ing message content orattachments
In the workplace, em-ployees share private in-formation based on de-fined rules
Permission-Restriction:Recipient use alterna-tive methods
Users are unsurewhether recipientscould forward, copy,print, or downloadmessage content orattachments due to al-ternative methods thatthe recipients might use
Users perceive that re-cipients could copy thecontent in their emailusing screenshots
Copy-Content: Third-party programs
Users perceive that re-cipients could copy thecontent in their emailusing third-party pro-grams
Users perceive that re-cipients could copy thecontent in their emailusing recording tools