Google Makes It Harder For Marketers To Collect User Data 195
cagraham writes "In a seemingly minor update, Google announced that all Gmail images will now be cached on their own servers, before being displayed to users. This means that users won't have to click to download images in every email now — they'll just automatically be shown. For marketers, however, the change has serious implications. Because each user won't download the images from a third-party server, marketers won't be able to see open-rates, log IP addresses, or gather information on user location and browser type. Google says the changes are intended to enhance user privacy and security."
And google will retain that info exclusively. (Score:5, Insightful)
Possible? (Score:4, Insightful)
Well, pulling all the images certainly solves the problem of having to display emails with images. The only reason we (I) don't click the display-images button is because the images allow us to be tracked, the images may have some sort of exploit (rare). Originally this used to be due to limited download speeds.
I suspect caching the images allow pre-processing of the images and therefore making the whole system more secure by default. Images could therefore be displayed in full by default with images, preferably with some large images being intelligently excluded by default.
Google could release a mass marketing email API/gateway and monetise that allowing marketeers access to data regardless of whether you open the images/email or not. This is slightly more valuable information.
Re:And google will retain that info exclusively. (Score:5, Insightful)
Yes and the point the summary misses, is that the images are used to verify that you have received and viewed the e-mail. This is far more important than browser types / locations etc.
It also prevents some evil things, such as first time you hit the page you get a drive by, the second time (with cookie set) you get the actual image and all seems fine.
Jason.
Harder for **Other** Marketers (Score:5, Insightful)
Awesome for spam/tracking (Score:5, Insightful)
Actually, this is rather awesome for spam/tracking of "real" addresses.
Before silly users could refuse to load external tracking pixels with unique IDs, assigned to each email.
And now? It's auto-downloaded for everyone. Yay!
While absence of IP address, Referral (if tracking image was loaded via https) and Browser info is sad, "everyone now auto-loads images" waaaay outweighs it :P You won't hide from confirming that email address that easily ;)
Re:What this is really (Score:1, Insightful)
There is no pretense by Google any longer. They are basically in full-out "as evil as possible" mode now. Pretty much everything they've done for a long time has zero benefit for the end user. Today it is removing the ability for end users to block third party images. Yesterday it was removing the ability of end users to control privacy settings for Android apps. Day after day, Google does something that is good for them and bad for end users. They are an evil that never sleeps, a cold machine intelligence that has but one law -- "Embrace, Extend, Extinguish".
Re:And google will retain that info exclusively. (Score:5, Insightful)
The article does not state of all images would be cached automatically even if you have not read your mail. It only says that images would be served through a Google proxy server, which caches the images.
So if Google proxies and caches the images when you open the mail, there is no protection added from marketers, except for the fact that Google can scan the images for exploits.
And if Google proxies and caches the images as soon as the service receives the mail, marketers can verify if the address is a valid gmail address or not by just sending mails and waiting for Google to cache the image. Expect more spam if this is the case.
There will be true protection from email tracking only if Google caches the images in all emails it receives, even if the email address is invalid - and that would increase the load on Google servers quite a bit.
Re:And google will retain that info exclusively. (Score:5, Insightful)
And if Google proxies and caches the images as soon as the service receives the mail, marketers can verify if the address is a valid gmail address or not by just sending mails and waiting for Google to cache the image. Expect more spam if this is the case.
Verifying that foobar@gmail.com is a valid address doesn't give spammers any real information: the namespace is so full even most pwgen outputs point to existing names, as long as you don't have embedded numbers (on gmail, addresses seem to have numbers at the end).
Thus, that check can be quite simplified to "does a Markov chain say this string of letters is pronounceable?". Not a big benefit to a spammer. On the other hand, they don't get told anything about the recipient anymore.
While for a small mail provider this change might leak some info, for Gmail it seems to be nearly entirely positive.
I for one don't use Gmail for privacy reasons, and don't fetch remote images, but good luck training aunt Lucy about that.
Ad broker + NSA (Score:2, Insightful)
From the OP: "Google says the changes are intended to enhance user privacy and security."
I find this lie from google/doubleclick insanely funny yet darkly cynical.
To enhance user privacy and security, don't use services from this huge ad broker which has a small army of lobbyists working Washington to prevent laws that would harness our privacy, and which works with the NSA to rape our liberty and privacy. If you use gmail, you should have no expectations of privacy or security whatsoever. That would be insane. It is everything their prime directive is not - i.e. make money of your privacy.
Re:And google will retain that info exclusively. (Score:4, Insightful)
Marketeers already know the address exists the moment they get a 200 on the RCPT TO: header. Spammers, using botnets, generally don't care about the maildelivery itself, for these the autodownload of images is extra information.
Spammers do everything in their power not to get bounce messages. They do everything they can to not personally contact your (google's) mail server.
The fact that uniquely encoded image URLs are embedded in virtually ALL spam and UCE should be proof enough for you that you haven't thought your argument through. Go look at your email raw view someday.
Re:They do see open rates (Score:4, Insightful)
Tracking unique users is still easy (using a unique URL)
Not if google simply opens all e-mail behind the scenes, regardless of whether the user exists or not.
Re:And google will retain that info exclusively. (Score:5, Insightful)
If you want to know if I've read an email:
request a return receipt
If I want to give you that information, I will.
Goodness, there's an existing, non-scummy way of working all this out which preserves user expectations of privacy and provides you with the information you actually want, not a poor proxy of it.
Re:And google will retain that info exclusively. (Score:5, Insightful)
How would you feel about your customers sending tracking images to you with orders/complaints/queries? Just to "fine-tune" whether they deal with you again? I imagine it could be statistically enlightening to see how quickly you open emails, how often, and how long the response takes. Not so keen?
I appreciate your efforts to ensure that your emails lists are on target and not spammy, many companies are not so diligent. (Particularly with confirmed opt-ins.) But you have no automatic right to collate any further information about your customers unless they intentionally provide it. Tracking images are sneaky and most certainly not used by your customers intentionally. There is a reasonable expectation of privacy when reading your own email on your own computer.
You're right about two things though. The days are long gone when spammers cared about whether an address was valid or not. They are not incurring any costs spamming to invalid addresses. All they care about is how many suckers they hook with a response. And yes, the cached image hits are yet more information being sucked up by google, that will inevitably be sold in some way in the future.
Re:Hah (Score:4, Insightful)
Yep and in fact despite what I said earlier, this could be worse. If google pre-fetch every image for instance, then this could have some horrid consequences. Such as confirming e-mail addresses.
Jason
You all seem to assume you are the first people to realise this, ten to one says some Google engineer also realised this and so is just going to get the software to do a hit on the sending or linked server for every image, even if the email address it was sent to does not exist. Then, they can use the content of that image as an additional way to help identify unsolicited email.