Is Your Inbox an Open Book? Why Gmail and Outlook May Not Be 'Confidential' Enough for Privileged Communications

By Jonathan D. Steele | October 30, 2024

For those of us bound by privilege—lawyers, doctors, financial advisors, and other professionals—the promise of confidentiality is paramount. Yet, if your practice relies on Gmail, Outlook, or similar platforms for communication, that promise may be more vulnerable than you think. Here’s the reality check: when using these mainstream email services, your communication isn’t just between you and your client or patient; it’s potentially available to the service provider, too. Why? Because Google and Microsoft have access to the decryption keys, which opens the door to risks you didn’t sign up for.

Let’s dig into why this isn’t just a technical issue, but one that cuts to the core of professional duty.


The “Good Enough” Fallacy of Confidentiality

Big names like Gmail and Outlook may check a few security boxes—they encrypt your email in transit and at rest in your mailbox. But here’s the catch: it’s not true end-to-end encryption (E2EE). This means that while your emails are encrypted on the way to your recipient, they aren’t hidden from Google or Microsoft, who hold the decryption keys themselves. With E2EE, only you and your intended recipient can decrypt the message—Proton and Tutanota (now known as Tuta) are examples of platforms that offer this level of privacy.

For professionals with privileged or confidential obligations, “good enough” isn’t quite enough. If a data breach were to occur at Google or Microsoft—or if a bad actor were to gain access to their decryption keys—the consequences could be catastrophic, not only for the individuals involved but for the professionals whose duty is to safeguard them.

Legal Protection Matters: Cybersecurity incidents often have significant legal implications. Our sister firm Steele Family Law helps Illinois families navigate complex legal situations with the same commitment to protection and discretion we bring to cybersecurity.


The Fiduciary and Ethical Implications of “Almost” Private Emails

Choosing a communication method that doesn’t offer E2EE has significant implications for anyone under a fiduciary or ethical obligation to protect confidentiality. After all, it’s not just clients or patients who are relying on your promise of privacy; it’s a duty that extends to the entire profession.

When using services like Gmail or Outlook, the chain of potential access points multiplies. Your message might be encrypted on each hop from Point A to Point B, but along that route there are stops where it can be read because the provider holds the key: Google’s or Microsoft’s servers. By contrast, with true E2EE there is no such third party, no central server with a decryption key that could be vulnerable to breach.
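The two key-custody models described above, as an added illustration that is not code from the article or from any of the providers it names. Everything here is constructed: the `Provider` class, the `send_provider_encrypted` and `send_e2ee` helpers, and the cipher itself (an HMAC-SHA256 keystream with an HMAC tag, used only so the script runs on the Python standard library; it is a stand-in for a real authenticated cipher, not something to deploy). In the provider-key model the service encrypts the message with a key it owns, so anyone who compromises the service can recover the text; in the E2EE model the same service stores only ciphertext it cannot open, even though it still has its own key.

```python
"""Toy model of where the decryption key lives: with the provider, or only with
the two parties. Added example; the cipher below is a constructed stand-in."""
import hashlib
import hmac
import secrets
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (toy construction, stdlib only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Only a holder of `key` can open it."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Provider:
    """The mail service (constructed). It always has a key of its own for
    encrypting mailboxes at rest; the question is what that key can open."""

    def __init__(self) -> None:
        self.storage_key = secrets.token_bytes(32)
        self.store: list[bytes] = []

    def accept(self, blob: bytes) -> int:
        # Store whatever arrived and return its index in the mailbox.
        self.store.append(blob)
        return len(self.store) - 1

    def try_read(self, index: int) -> Optional[bytes]:
        # What a breach of the provider, or an insider with its keys, recovers.
        try:
            return decrypt(self.storage_key, self.store[index])
        except ValueError:
            return None


def send_provider_encrypted(provider: Provider, plaintext: bytes) -> int:
    # Transport encryption ends at the provider: it sees the plaintext and
    # encrypts it at rest with the key it holds.
    return provider.accept(encrypt(provider.storage_key, plaintext))


def send_e2ee(provider: Provider, shared_key: bytes, plaintext: bytes) -> int:
    # The sender encrypts before anything leaves the client; the provider is a
    # courier carrying bytes it cannot open.
    return provider.accept(encrypt(shared_key, plaintext))


def recipient_read_e2ee(provider: Provider, shared_key: bytes, index: int) -> bytes:
    return decrypt(shared_key, provider.store[index])


def demo() -> dict:
    msg = b"Privileged: settlement position for matter [PLACEHOLDER-ID]"

    provider_model = Provider()
    i = send_provider_encrypted(provider_model, msg)

    e2ee_model = Provider()
    client_key = secrets.token_bytes(32)  # shared only by the two parties
    j = send_e2ee(e2ee_model, client_key, msg)

    return {
        "provider_model_exposed": provider_model.try_read(i) == msg,
        "e2ee_provider_read": e2ee_model.try_read(j),
        "e2ee_recipient_ok": recipient_read_e2ee(e2ee_model, client_key, j) == msg,
    }


if __name__ == "__main__":
    print(demo())
```

The model assumes both parties hold the shared key; a message to a recipient who cannot decrypt it has to fall back to the provider-readable path, which is why the protection is only as complete as the weakest mailbox in the conversation.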

One could argue that standard encryption satisfies basic due diligence. But as professionals with a higher standard, does it satisfy the ethical duty to protect your client’s or patient’s sensitive information? This isn’t just a hypothetical issue; breaches of mainstream email providers have shown us what’s at stake.


Practical Alternatives: Choosing Platforms that Prioritize Confidentiality

For anyone whose inbox contents could involve privileged, sensitive, or potentially damaging information, E2EE email providers offer a way to minimize risks without sacrificing usability. With providers like Proton and Tuta, no one except you and your client has the key to decrypt those emails. The service provider is merely a courier, unable to read or access the contents.

Beyond the peace of mind that true E2EE provides, it could be argued that the decision to use a more secure platform is an ethical one. If client confidentiality is something you could be called to defend, choosing a provider that can’t access your emails should be seen as part of your duty of care.


Thinking Beyond “Secure Enough”

Mainstream providers have crafted systems that are secure in some ways but inherently limited by design when it comes to protecting privileged information. Relying on Gmail or Outlook for client communication is like leaving your office door cracked open—sure, most people won’t try to peek, but that doesn’t make it confidential.

By choosing email providers like Proton or Tuta that prioritize E2EE, professionals can close the gap between “good enough” and actually secure. In a world where our promises of confidentiality are as valuable as the trust they engender, switching to E2EE might be the real act of due diligence we owe our clients.
