Google Makes It Harder For Marketers To Collect User Data

cagraham writes "In a seemingly minor update, Google announced that all Gmail images will now be cached on their own servers, before being displayed to users. This means that users won't have to click to download images in every email now — they'll just automatically be shown. For marketers, however, the change has serious implications. Because each user won't download the images from a third-party server, marketers won't be able to see open-rates, log IP addresses, or gather information on user location and browser type. Google says the changes are intended to enhance user privacy and security."

And google will retain that info exclusively.

[Spamalope]

While I applaud the move, it is about competitive advantage for Google.

Re:And google will retain that info exclusively.

[dotancohen]

While I applaud the move, it is about competitive advantage for Google.

Google already knew which emails you have or haven't read. So does every other email client, web-based or IMAP / POP3.

Re:And google will retain that info exclusively.

Yep. And the security angle is overrated for two reasons:

1. NSA
2.Most mailing software generates unique images to track opens, so you're still being tracked. It's actually decreases privacy for Google to auto-download the images.

Re:And google will retain that info exclusively.

[jaseuk]

Yes and the point the summary misses, is that the images are used to verify that you have received and viewed the e-mail. This is far more important than browser types / locations etc.

It also prevents some evil things, such as first time you hit the page you get a drive by, the second time (with cookie set) you get the actual image and all seems fine.

Jason.

Re:And google will retain that info exclusively.

[Lisias]

Most mailing software generates unique images to track opens, so you're still being tracked. It's actually decreases privacy for Google to auto-download the images

As a matter of fact, it does nothing about privacy. What it does is just make it useless.

As Google *always* cache the image, the sender does not knows anymore when or even if the image was viewed and, so, doesn't knows anymore if the email was opened.

Re:And google will retain that info exclusively.

[pradeepsekar]

The article does not state of all images would be cached automatically even if you have not read your mail. It only says that images would be served through a Google proxy server, which caches the images.

So if Google proxies and caches the images when you open the mail, there is no protection added from marketers, except for the fact that Google can scan the images for exploits.

And if Google proxies and caches the images as soon as the service receives the mail, marketers can verify if the address is a valid gmail address or not by just sending mails and waiting for Google to cache the image. Expect more spam if this is the case.

There will be true protection from email tracking only if Google caches the images in all emails it receives, even if the email address is invalid - and that would increase the load on Google servers quite a bit.

Re:And google will retain that info exclusively.

[EvanED]

As Google *always* cache the image, the sender does not knows anymore when or even if the image was viewed and, so, doesn't knows anymore if the email was opened.

If they have specific knowledge about Gmail. Unfortunately, mailers that don't would make the more dangerous assumption (that you read the mail) under that behavior.

But anyway, even that's not true because under Gmail's new setup, the first download will still come when the user opens the mail and loads the images. At least, that's the best information I can find on this. I also saw a comment somewhere a couple of days ago by someone who claimed to have tested that behavior, and checked that the load of the image came when the mail was opened.

Re:And google will retain that info exclusively.

[PureRain]

Now that marketing departments cannot track emails being viewed, the next move by Google will be to sell this tracking information back to the companies' marketing departments. They will probably set up a protocol to do it, or a nice dashboard/UI for it. In fact this might be good for smaller companies whose marketing/IT departments are small such that they don't have the ability to code in tracking images and cookies. Even good for larger companies - would cut down the infrastructure and development time; no more needing to host images on a server, with databases, etc...

Could be good for everyone involved.

Re:And google will retain that info exclusively.

[HiThere]

But if they're doing reasonable de-duping, then only the first person to click on the image will register. Everyone else will hit the cache. To avoid this every email would need a separate link to the picture.

Re:And google will retain that info exclusively.

[KiloByte]

And if Google proxies and caches the images as soon as the service receives the mail, marketers can verify if the address is a valid gmail address or not by just sending mails and waiting for Google to cache the image. Expect more spam if this is the case.

Verifying that foobar@gmail.com is a valid address doesn't give spammers any real information: the namespace is so full even most pwgen outputs point to existing names, as long as you don't have embedded numbers (on gmail, addresses seem to have numbers at the end).

Thus, that check can be quite simplified to "does a Markov chain say this string of letters is pronounceable?". Not a big benefit to a spammer. On the other hand, they don't get told anything about the recipient anymore.

While for a small mail provider this change might leak some info, for Gmail it seems to be nearly entirely positive.

I for one don't use Gmail for privacy reasons, and don't fetch remote images, but good luck training aunt Lucy about that.

Re:And google will retain that info exclusively.

[blippo]

Isn't this what everyone does today? I thought the whole point of tracker images was personal urls like 'img158294.png'.

It won't help the users privacy a bit, or actually make it worse since users can't ignore image attachments anymore - google automatically hit the tracker url for them...

Re:And google will retain that info exclusively.

google automatically hit the tracker url for them...

I think that's the problem. Marketers won't know when YOU have read their email. Google's marketing team, however, will know.

Re:And google will retain that info exclusively.

[hairyfeet]

Do those even work anymore on anything other than XP? Because I fix PCs 6 days a week and I haven't seen one in years. The way most folks get infected nowadays is 1.- "Hey its your (insert friend's name) on (insert IM) and I found this great new thing that made my PC faster, just (click this link,push this button)". 2.- "You want to see teh lesbians? To watch this hot video just run 'IzNotViruzIzCodec.exe'". 3.- (insert friend name) just sent you an e-card for (insert holiday), just go here and receive your e-card!" 4.- "Oh noes, you have teh viruz OMG! Run 'IzNotViruzIzCleaner.exe' to get rid of it". That last one works well on old folks BTW

As for TFA yet again another change that fucks the user or takes a valuable tool away from the user while giving Google more power....are we even surprised anymore? the only nice thing about Google in the last year is only the hardcore Googleaid drinkers buy the "Do no evil" "don't be evil" horseshit, the rest of the world can see its as much bullshit as "think different" and "where do you want to go today", Google has become just as nasty as the other two and in some ways worse.

Re:And google will retain that info exclusively.

"And if Google proxies and caches the images as soon as the service receives the mail, marketers can verify if the address is a valid gmail address or not by just sending mails and waiting for Google to cache the image. Expect more spam if this is the case."

Marketeers already know the address exists the moment they get a 200 on the RCPT TO: header. Spammers, using botnets, generally don't care about the maildelivery itself, for these the autodownload of images is extra information.

Re:And google will retain that info exclusively.

I'd keep an eye on their APIs to see when they start to SELL back this

Re:And google will retain that info exclusively.

[noh8rz10]

ding ding ding

Re:And google will retain that info exclusively.

[icebike]

While I applaud the move, it is about competitive advantage for Google.

If you applaud this you haven't thought it out very far.

Almost ever SPAM has small uniquely named images embedded. Often single pixel images.
These are encoded to your email address. If you fetch this image, your email address is VERIFIED. You just did the spammer a favor.

If you were reading the email with a mail client, you would NEVER fetch these, because 1) spam is spam, and 2) most
email clients don't download images by default and most email recipients are just fine with that.

With Google pre-fetching all of these, every GMAIL address id Verified for the Spammers.

Its not a well thought out scheme at all. No sensible person would read Gmail with a web browser from now on.
The wise choice is to use a traditional Email Client, (something like Thunderbird, Kmail, k-9 mail, Evolution, etc), and set them not to load images at all.

Re:And google will retain that info exclusively.

[icebike]

De-duping of images that have unique names keyed to your email address? Really?

All the spammer has to do is watch his web server logs to know that the address was a REAL email address, because google will be hitting every one of those images.

Since spammers arrange to never receive bounced mail, the uniquely coded embedded image url has been the favorite tactic for email verification for over 10 years. Google is going to give these guys a gift.

Read your gmail from a email client (pop or imap) and hope Google is smart enough not to hit those links unless you are using a web browser.

Re:And google will retain that info exclusively.

[icebike]

Marketeers already know the address exists the moment they get a 200 on the RCPT TO: header. Spammers, using botnets, generally don't care about the maildelivery itself, for these the autodownload of images is extra information.

Spammers do everything in their power not to get bounce messages. They do everything they can to not personally contact your (google's) mail server.

The fact that uniquely encoded image URLs are embedded in virtually ALL spam and UCE should be proof enough for you that you haven't thought your argument through. Go look at your email raw view someday.

Re:And google will retain that info exclusively.

You don't make any sense. Your email address is "verified" the moment the SMTP server send a "250 Recipient OK".

Re:And google will retain that info exclusively.

Yes, the point is that now other people don't know... Hence the competitive advantage gained.

Re:And google will retain that info exclusively.

2.Most mailing software generates unique images to track opens, so you're still being tracked. It's actually decreases privacy for Google to auto-download the images.

No, it still helps here, because google will download all of the images. The spammers rely on you downloading them only when you read the message to tell that you read it.

Re:And google will retain that info exclusively.

[mwvdlee]

Yes, caching HTTPS content is good if Google does it.

Re:And google will retain that info exclusively.

This.

I work for an email marketing company. Since our customers are very keen on not being mixed in with spam, we (and I think I speak for most of our competitors in this respect) take care to ensure only legit (confirmed double opt-in) email accounts are listed, to keep our servers' reputation perfect. Understand that it is in the best interest of legit senders to make customers WANT to recieve their emails. Open images and the statistics they create are primarily used to fine-tune the emails sent.

These open pixel images have practically no value to spammers (hence very few spammers actually use them); sending out spam over botnets, they don't care if an email address exists. They might care if a batch of several thousand email addresses no longer exists, but tracking and logging individual recipients... that's damn expensive if you're sending to millions of email addresses.

This cache won't hurt spammers.
It hurts companies you have subscribed to receive email messages (I sure hope you trust the average Hotmail user's taste, since emails will change to suit their needs).
And I dare bet that pretty soon, Google will start selling this information, and then everybody will be hurt.

Re:And google will retain that info exclusively.

How about if Microsoft had put this into practice. /. would applaud google for installing anal propes in everyone ("come on guys they run linux").

Re:And google will retain that info exclusively.

[StripedCow]

The solution is simple:

if(connection.ip_address in google_ip_addresses)
    write(connection, "Sorry Google, only the user may open this image!");

Re:And google will retain that info exclusively.

[StripedCow]

Uhmmm... what if google reads the images *regardless* of whether the recipient is known?

Re:And google will retain that info exclusively.

[icebike]

Funny little AC, still assumes spammers connect directly to google. How quaint.

Re:And google will retain that info exclusively.

[icebike]

Typically SMTP servers won't accept delivery if the recipient is unknown, although I suppose when you write your own SMTP server you can do pretty much as you want. I can't see any up-side for google to process mail for NO ONE.

If they don't accept the body of the message they wouldn't get the URLs.

Re:And google will retain that info exclusively.

[viperidaenz]

Yes, but now they can charge for forwarding the data.

Re: And google will retain that info exclusively.

Google knows which emails that Sylpheed has downloaded from their POP server. Not which I have read and which are filtered automatically to the trash folder. Also Sylpheed is forcing everything to plain text for me.

Re:And google will retain that info exclusively.

I dare bet that Google is most assuredly evil.

--

Re:And google will retain that info exclusively.

[mysidia]

In which case, a broken link or no image will be shown to the user, and it might result in your message being marked spam.

Re:And google will retain that info exclusively.

The problem I have found recently with Gmail read by my POP3 client (mostly SeaMonkey, sometimes its spinoff, ThunderBird), is that now I need to avoid deleting from the POP3 client (per Google's POP3 client setup instructions), or it starts deleting everything from my Gmail inbox (at least it relabels all email as trash/deleted, so I can manually recover). This seems to have started happening in the last few months.

Normally, since I set all my POP3 accounts in SM to download only headers, I could delete the obvious spams from there without any links being downloaded (well, that is the theory - the Windows version of SM will delete from the server, but the Linux version has not done so for years, except if I have an explicit filter rule that includes the delete-from-server action, so using Windows SM is actually more effective than Linux SM to delete email based on only the subjects, but I hate using Windows for any kind of web access...).

I do find that most Android clients' deleting POP3 email does delete from the server (except K-9 since about a year ago, so I gave up on it). As with web Gmail and my POP3 clients, I have the set the option to block automatic picture download, but it's a mess, and this could make it messier.

YMMV

Re:And google will retain that info exclusively.

[icebike]

You need to consider setting your Gmail Account to IMAP and disabling POP.

POP is old school, and has always suffered from the problem of having to manage deletion on only one station, or risk not knowing where your mail went.
SM and Thunderbird handle IMAP as can K-9, and just about every modern email program.

Re:And google will retain that info exclusively.

[MillionthMonkey]

With Google pre-fetching all of these, every GMAIL address id Verified for the Spammers.

But Google doesn't need to prefetch all of them for everybody. That would be merely equivalent to just flat out *removing* their "Load Images" link feature. Maybe that is what they're doing, if their marketing department has gotten vicious enough. But they may be smarter than that.

Presumably, a spammer will send the same image to a million email addresses using a unique image URL for each one. For this maneuver, all Google needs to do is load some images that arrive in emails that bounce or that are addressed to a population of dummy recipients. They can store them along with the results of any algorithm that can recognize the same image when someone else gets it from a slightly similar URL. If a few thousand dummy recipients are getting the same image from unique image URLs, they can test whether the images look the same and how they can doctor the URL in various ways without changing or losing the image. If they figure it out, they can perform the same munge algorithm on the image URL in your email, or simply display the image they have already cached from their dummy recipients without hitting the external image server at all anymore.

Your example of devious spammers using single-pixel images is a really poor one. Google probably has all those images stored somewhere already.

Its not a well thought out scheme at all. No sensible person would read Gmail with a web browser from now on. The wise choice is to use a traditional Email Client, (something like Thunderbird, Kmail, k-9 mail, Evolution, etc), and set them not to load images at all.

Or, go to Settings, click on the "Always ask before displaying external images" radio button, and then on "Save Changes".

There are plenty of reasons to avoid Google, but this one isn't very compelling.

Re:And google will retain that info exclusively.

[LordLimecat]

De-duping of images that have unique names keyed to your email address? Really?

Its called block-level deduplication, and its not terribly exotic as storage technologies go.

Re:And google will retain that info exclusively.

[icebike]

Your example of devious spammers using single-pixel images is a really poor one. Google probably has all those images stored somewhere already.

No, its not a poor example. I get them all the time.
Here's one for you: (it took me all of 15 seconds to find one in my spam bin)

https://q4fg3t1i.emltrk.com/q4fg3t1i?p&d=3D3215081772,F2A9FJZZ,TC05EM,CMNC04,U007

Grep the raw text of your UCE and SPAM mails. LOTS AND LOTS of companies use emltrk.com In fact, that's all that company does.
But lots of companies don't use a service like that, they just have a bazillion random images on one of their own web servers.

Further, google can't very well decide by itself that Image A127867 sent to Joe Sixpack is the same as image B835234 sent to Martha Uptight.
After all, one genital selfie might look a whole lot like another.

Re: And google will retain that info exclusively.

This is how this tracking now works, unique links.

Re:And google will retain that info exclusively.

[tlhIngan]

Verifying that foobar@gmail.com is a valid address doesn't give spammers any real information: the namespace is so full even most pwgen outputs point to existing names, as long as you don't have embedded numbers (on gmail, addresses seem to have numbers at the end).

Actually, it does. Because it tells the spammers that the recipient opened the email

Google doesn't fetch the image until you open the email. And the moment you do, Google just confirmed that the email was read. And that information is very valuable.

There are two ways Google can fix it:

1) Set "Don't load images" back as default again, as it is now and in every email client.
2) Simply load every image, so valuable information like that isn't revealed - the marketer just pays for bandwidth and gets zero information - they don't even know if the image is read. No storage requirements as Google can re-write the email to self-contain all the images.

Of course, Google is probably going into email marketing - given how Gmail has sprouted that "Promotions" tab (yes, you can turn it off, but don't you think it immediately foreshadows something? It's not Spam, but "Promotions" - what, spam that someone paid to bypass Google's filters?). And they don't need competition - best way to squash it is to starve out the existing marketers.

And of course, since Google's in the information business, selling that information is very valuable - Google knows what you like, so they can sell targeted ads into your inbox.

Re:And google will retain that info exclusively.

[Inflammatory+Fallacy]

Besides, if they weren't going to turn around and sell the data to the people they took it from, would it really be Google?

Re:And google will retain that info exclusively.

[chromas]

They'd have to hit the server with the unique name before they could find out if the data is in cache.

Re:And google will retain that info exclusively.

[johanw]

If those mails are only sent to double-verified addresses, why do you care about such statistics? And even if I would want to read the information, that does not mean I want to be tracked that way. That's one reason I have a ad-blocking hosts file besides adblock plus and ghostery: to prevent other applications than a browser from such behaviour too.

Re:And google will retain that info exclusively.

[mrt_2394871]

If you want to know if I've read an email:
request a return receipt
If I want to give you that information, I will.

Goodness, there's an existing, non-scummy way of working all this out which preserves user expectations of privacy and provides you with the information you actually want, not a poor proxy of it.

Re:And google will retain that info exclusively.

[gsslay]

How would you feel about your customers sending tracking images to you with orders/complaints/queries? Just to "fine-tune" whether they deal with you again? I imagine it could be statistically enlightening to see how quickly you open emails, how often, and how long the response takes. Not so keen?

I appreciate your efforts to ensure that your emails lists are on target and not spammy, many companies are not so diligent. (Particularly with confirmed opt-ins.) But you have no automatic right to collate any further information about your customers unless they intentionally provide it. Tracking images are sneaky and most certainly not used by your customers intentionally. There is a reasonable expectation of privacy when reading your own email on your own computer.

You're right about two things though. The days are long gone when spammers cared about whether an address was valid or not. They are not incurring any costs spamming to invalid addresses. All they care about is how many suckers they hook with a response. And yes, the cached image hits are yet more information being sucked up by google, that will inevitably be sold in some way in the future.

Re:And google will retain that info exclusively.

[jonbryce]

Every mail does have a separate link to the picture, that is the whole point. They want to know which people opened the emails.

Re: And google will retain that info exclusively.

[Mabhatter]

But Google sees that imgabc123.png is 32x32 pixles and in the same DIV tag on every email. So Google replaces all the "identified" images for every recipiant with the first one they pulled and cached. Your browser is only going to pull the image from Google while the Advertizers don't get any tracking at all.

Then Google goes to customers with a "deal" for how many of your email subscribers opened emails about your product... The emails you paid SOMEBODY ELSE to send out....

Re:And google will retain that info exclusively.

but I thought cache's were illegal copies and infringed ip and copyright law? Didnt we have that argument back in the 90's?

Re:And google will retain that info exclusively.

[bluegutang]

A great example of the free market at work. Google does something that helps them relative to other advertisers. This competition leads to a better product for Gmail users.

Re:And google will retain that info exclusively.

[phorm]

Set "Don't load images" back as default again, as it is now and in every email client.

Was that turned off? It's always been that way on my gmail accounts, except for sender addresses I've whitelisted.

Re:And google will retain that info exclusively.

[Urza9814]

Here's a novel idea: If you want to know your readers' opinions, how about you *ask them* instead of assuming you are the all-knowing guru who best knows what everybody else wants?

Yes, I realize that's difficult. Yes, I realize most people won't respond. Those people don't care, so why should you? Then your data will be based on people who actually want and read your mailings rather than people like me who just open everything so it's all marked as read. Although I block all images anyway to prevent the exact sort of spyware you're pushing....

Re:And google will retain that info exclusively.

[Aristos+Mazer]

> Google doesn't fetch the image until you open the email.

Are we sure about that? I didn't see timing information in the article. Google could cache the images as soon as their server receives the message. In fact, the second article says that Google will automatically download all *incomming* messages. That suggests they're pulling them when the e-mail is sent, thus cloaking whether or not the user has read them. And since that's Google's goal, I'll wager that's exactly what they are doing.

Re:And google will retain that info exclusively.

[Aristos+Mazer]

> With Google pre-fetching all of these, every GMAIL address id Verified for the Spammers.

Not necessarily. The article says Google is pre-fetching all incoming images. It could be doing that *regardless* of whether or not the e-mail address is valid. I'm willing to bet that Google engineers thought through all of these arguments and has implemented a system that actually achieves their goals of blocking that sort of information.

Re:And google will retain that info exclusively.

[Dynedain]

Many email clients do not support return receipt. That's an extension to the basic email protocol added by Microsoft and is not widely supported outside of Outlook.

Re:And google will retain that info exclusively.

[Dynedain]

Google isn't prefetching the images. They're dynamically rewriting the email's HTML to use their servers as a proxy when you open the email in Gmail's web interface.

Re:And google will retain that info exclusively.

[Urza9814]

Unless you have previously enabled 'don't load external content' (which is off by default), external images will now load by default. Prior to this change they would not.

Re:And google will retain that info exclusively.

[MillionthMonkey]

Further, google can't very well decide by itself that Image A127867 sent to Joe Sixpack is the same as image B835234 sent to Martha Uptight. After all, one genital selfie might look a whole lot like another.

Sure they can. All genital selfies can be reproduced by discriminating between just two images.

Re:And google will retain that info exclusively.

[Urza9814]

As Google *always* cache the image, the sender does not knows anymore when or even if the image was viewed and, so, doesn't knows anymore if the email was opened.

If they have specific knowledge about Gmail. Unfortunately, mailers that don't would make the more dangerous assumption (that you read the mail) under that behavior.

...which will result in a massive amount of their spam mailings being sent to Gmail addresses which do not exist, which I'd hope Google would be smart enough to detect as a sign of spam. After all, if you're using standard double-opt-in, it shouldn't really be possible to get any non-existent addresses on your list.

So, contrary to that being the most damaging possible result, it may actually be the most *helpful* possible result in terms of curtailing spam.

Re:And google will retain that info exclusively.

[mcgrew]

I work for an email marketing company. Since our customers are very keen on not being mixed in with spam

Email marketing IS spam. I buy stuff from Amazon occasionally. They have my address for useful purposes, like telling me when my order has shipped. But those (at least) two emails sent to me daily about some crap they think I might want to buy? It's spam. Amazon spams their customers and I can find no way to opt out once in.

Amazon.com are spammers and so are you. Just because I bough a few books and DVDs doesn't make your sales pitches spam. I can see why you would comment anonymously, if I were a spammer I would, too.

Re:And google will retain that info exclusively.

[icebike]

If Google is running a standards compliant SMPT server, they do not get the body of emails with invalid addresses. The channel is closed before that is fetched.
Spammers, of course, go out of their way to never directly connect to the ultimate SMPT server, preferring to route through spam friendly middle men, or compromised machines. Therefore they never see the bounce messages.

However they would see the pre-fetched urls in their web-server logs.

Re:And google will retain that info exclusively.

If the SMTP server rejects unknown recipients, then you don't even need to go as far as using tracking images to find out if the address is valid.

I thought no servers nowadays respected the naÃve parts of the standard anymore which were done in a time before spammers.

Re:And google will retain that info exclusively.

[icebike]

If the SMTP server rejects unknown recipients, then you don't even need to go as far as using tracking images to find out if the address is valid.

You do if you are a spammer. They never connect directly to the target smtp server. They are using your mom's machine to send out emails.

Re:And google will retain that info exclusively.

[Phoenix+Rising]

Emails that wind up in "Promotions" are verified valid marketing material. I.e. it passes DKIM and SPF, comes from a known good behavior IP, isn't spammy...

For now, at least, Google seems to be (mostly) playing along with the marketing folks while still trying to (a) enhance their user experience and (b) give themselves a leg up. The image pre-load is definitely going to alter things like newsletter and ad read rates that marketers depend on to tell how well they're targeting their subscribers; I imagine the marketers will work their way around it in short order if they feel they're losing too much information.

Re:And google will retain that info exclusively.

[Compaqt]

Erm, actually it's the same storage requirements for Google, even if they rewrite the image to be contained in the email.

E.g.: 1KB email, 40 KB image. Image stored separately, 41 KB storage space required.

1KB email, 40 KB image. Image stored in email, 41 KB storage space required.

Cutting into their business

Of course they're cracking down hard - stealing user data is Google's job...they don't like the competition.

Re:Cutting into their business

It really is just this: "Don't be evil (because we don't like competition)"

They do see open rates

The cache system honors no-cache headers. As long as your images are served no-cache, you do see exactly when the email was opened, since the GMail servers refetch it every time. If each user gets a unique URL, you know exactly who opened the email.

Re:They do see open rates

Multiple tests by multiple individuals have shown that they do NOT honor any of the various no-cache headers.

Tracking unique users is still easy (using a unique URL) - but tracking how many times they opened the email, or where they opened it from (IP address) or on what platform is now lost.

Re:They do see open rates

[StripedCow]

Tracking unique users is still easy (using a unique URL)

Not if google simply opens all e-mail behind the scenes, regardless of whether the user exists or not.

Possible?

[Tim12s]

Well, pulling all the images certainly solves the problem of having to display emails with images. The only reason we (I) don't click the display-images button is because the images allow us to be tracked, the images may have some sort of exploit (rare). Originally this used to be due to limited download speeds.

I suspect caching the images allow pre-processing of the images and therefore making the whole system more secure by default. Images could therefore be displayed in full by default with images, preferably with some large images being intelligently excluded by default.

Google could release a mass marketing email API/gateway and monetise that allowing marketeers access to data regardless of whether you open the images/email or not. This is slightly more valuable information.

Re:Possible?

[EvanED]

I suspect caching the images allow pre-processing of the images and therefore making the whole system more secure by default.

I saw mention that Google will be transcoding them, so yeah, you should be more protected by exploits.

That said, I still turned off the showing of images by default because of the first issue you mention -- otherwise Google will still go out and download the tracking bugs.

Re:Possible?

[symbolset]

Image formats have been used to compromise browsers in the past, so automatically loading images in your webmail or email client is a bad idea. Fortunately this is just a change from the default behavior so you can turn it off in the options.

In fact, Microsoft just patched a .tiff image format exploit last Tuesday.

Re:Possible?

Google will also be transcoding all images, this will block their use as a vector to infect users. It does open the possibility of Google's servers being compromised this way though, and in turn if that did happen the attacker could insert an exploit in to every single image that passed through the server, though I guess Google could mitigate this by using VMs for the servers and frequently loading clean VMs.

Re:Possible?

[symbolset]

Sure, you can rely on Google to not screw this up. Or you can change your settings to only see images from people you know, and only then when the image might have useful content. Or both. Which approach do you think improves the odds that if there is a problem, someone else discovers it first and it gets fixed before it is a problem for you?

while (Marketer != Google) loop

[OffTheLip]

continue: }

And when the next JPEG or PNG exploit comes along

[93+Escort+Wagon]

You'll get hit automatically! It's a win-win!

Not according to Ars

http://arstechnica.com/security/2013/12/dear-gmailer-i-know-what-you-read-last-summer-and-last-night-and-today/

Makes it easier?

[WPIDalamar]

As long as you're giving a unique url to each user who you email, this actually makes open-rate calculations a lot more accurate, doesn't it? Instead of a large percentage of your users never seeing the image, they'll all get loaded.

Sure you can't track cookies, get IP addresses, or any of that anymore...

I'm assuming Google is only downloading images of emails that people open. If Google is downloading every image of every email they get, then never mind.

cached without login?

cached when you open the email or cached if you are not even logged in? this could either verify active email addresses for spammers or hinder spammers, which is it?

The fix that breaks things

[Kvasio]

This fixes: opening ratio, opening time, user's IP.

This breaks: spammers will now have confirmation is the @gmail email is valid or not.

Re:The fix that breaks things

You mistakingly assume spammers care about someone reading there spam. They could test whether there mail makes it through Googles spam-filter, yet they send it to millions of gmail addresses anyway, all ending up in users spam boxes, never to be read.
Spammers are not in the product selling business, they are in the mail sending business. They are paid for each mail send, even if they know in advance that the millions of copies they send to gmail addresses will all end up in spam-boxes.
It doesn't have to work when someone is willing to pay for it regardless.

Re:The fix that breaks things

[Cassini2]

If I were google, I would download images in all incoming messages regardless if they are intended for real email boxes or not. This would let them know which websites are being used for spam. The spam detector could use this information by pattern matching every image (regardless of relabling or website copying), and mark spam accordingly.

Down to a single info

[bidule]

img source = "img/target/example.com/0xDEADBEEF.png"

Yes, target@example.com received our email.

We don't know where he was, what tool he used and anything more.

Re:Down to a single info

I suspect Google will load the image even if the gmail address is invalid, or else it would be an easy way to build a list of all valid gmail addresses. So your example does not indicate that it ended up in someones in-box (or spam box!), let along that someone actually opened the email.

What this is really

[Rosco+P.+Coltrane]

is a monopoly tightening its grip on the market it monopolizes.

Re:What this is really

There is no pretense by Google any longer. They are basically in full-out "as evil as possible" mode now. Pretty much everything they've done for a long time has zero benefit for the end user. Today it is removing the ability for end users to block third party images. Yesterday it was removing the ability of end users to control privacy settings for Android apps. Day after day, Google does something that is good for them and bad for end users. They are an evil that never sleeps, a cold machine intelligence that has but one law -- "Embrace, Extend, Extinguish".

Re:What this is really

It's amusing to see how the worm turns. I'm old enough to remember when Microsoft was a media darling, bravely standing up to the big, bad IBM empire.

Everything old is new again. Who shall be the next hero to save us from the evil machinations of Google?

Re:What this is really

Alas, for the most part, evil increases over time. Google is a more aggressive, more virulent, more intelligent, evil than Microsoft ever was. What comes to "save us" from Google will be something even worse than Google.

Re:What this is really

[KingOfBLASH]

s a monopoly tightening its grip on the market it monopolizes.

On email? You really should look up the definition of monopoly.

I use gmail because i like it. I use it because it's the best free email service I can find, and I've tried quite a few of them.

I use google search because I like it. Back in the day when new search engines were coming out I used to switch between them quite often. Remember Altavista? Jeeves?

Google is not a monopoly. They play in markets with very very low barriers to entry. And a lot of users choose to use them, despite the numerous choices out there.

If all of a sudden their search results started to suck, or I couldn't get into my email without seeing a big giant flash I'd stop using them in a heart beat. And so would many other users.

Ergo, by definition Google is not a monopoly.

Re:What this is really

[penix1]

Oh popycock! The market you refuse to acknowledge they are a monopoly in is... Wait for it... Marketing which this move is directed at. It attempts to limit the tracking to themselves being the only one who can track you albeit very poorly. Other marketers will have to find the loopholes in this strategy which gives Google the upper hand for a while.

Re:What this is really

[KingOfBLASH]

Are you seriously saying google has a monopoly on Marketing?

Even assuming you're talking about just online media, there are plenty of other places to market than google. If you decided to boycott google you could :

• Market directly on websites relevant to your product. Selling viagra? You might consider the AARP site
• Market via Facebook and their "social advertising" platform. Analysts in the know are betting whether Facebook might conquer google.
• Banner ads on general interest sites people go to to waste time (I'm looking at you slashdot)

That's what I came up with in 30 seconds while taking a coffee break. I'm sure someone in the business of advertising could come up with many many more.

Google is indeed big. Huge actually. And by preventing beacons within mail, they are putting their foot down to say that if you want access to their user base, you have to go through them.

But there are plenty of alternatives to google. They're simply not a monopoly.

And, if you look at all of their initiatives like Google+, it seems they're afraid of losing you as a customers. They're branching out to stay competitive. They're afraid that Facebook is going to drink their milk shake (Facebook had revenues over $5 billion in 2012, and the bulk of it comes from Ads).

And active competition is not something a monopoly has to do.

Re:What this is really

[penix1]

Market directly on websites relevant to your product. Selling viagra? You might consider the AARP site
        Market via Facebook and their "social advertising" platform. Analysts in the know are betting whether Facebook might conquer google.
        Banner ads on general interest sites people go to to waste time (I'm looking at you slashdot)

Inefficient because Google is already there. Just try and find a site that doesn't use Google adsense and google analytics. Good luck to you there.

And active competition is not something a monopoly has to do.

Yes it does to maintain its monopoly. Anyone entering the market is either bought out or kicked out by the monopoly.

Re:What this is really

[KingOfBLASH]

Utter rubbish. Are you saying the slashdot ads come from google AdSense? What about other sites like CNN? Where's the google adsense on Strobist?

Come to think of it I can't think of a website I regularly read with AdSense. It may be big, but it's not a monopoly.

Yes it does to maintain its monopoly. Anyone entering the market is either bought out or kicked out by the monopoly.

Maybe you could provide some examples?

Re:What this is really

[iluvcapra]

The slashdot homage showed me an AdChoices/AdSense banner for GoPro when I checked just now. CNN presently has a very nice background image ad for Volvo presented by Doubleclick, a Google subsidiary.

Re:What this is really

[Voyager529]

Facebook is the new Google.
Google is the new Apple.
Apple is the new Microsoft.
Microsoft is the new IBM.
IBM is the new Xerox.

Re:What this is really

Um, you can opt out of automatically showing images (I did). Also, it's not like Gmail needs you to to load images to determine whether or not you've opened an email, so it's the same information for Google and strictly less (though not nothing) for everyone else.

Re:What this is really

[Aristos+Mazer]

How is this evil? As far as I'm concerned, this is a great customer service. I can actually see e-mails that I want to read without having all sorts of metadata that I'm not interested in sharing with the entire world shared. Google becomes the one and only company whose behavior I have to monitor, instead of every business online that I work with. Monitoring one is a lot easier than monitoring all of them.

It also beefs up security.

[JLennox]

If I could likely deduce that inside our local software you owned an item with the id 9, I could email you:

Because the request goes out with your authorization cookie it'll executes successfully.

This is why you should only accept post requests for actions that change data and use xsrf tokens (that aren't stored in cookies, local storage, etc).

Re:It also beefs up security.

Security? Using e-mail in a browser fed from a server at Google throws security out of the window from the start. What you are talking about doesn't matter the slightest. It's like having all of your snail mail go to The Snail Mail Company and calling them to read it for you.

Re:It also beefs up security.

[Arancaytar]

Did you accidentally a URL?

Re:It also beefs up security.

[JLennox]

Sorry, my point was obscured because it ate my html. I was saying you could send a link like img src="http://10.10.10.10/things/delete?id=9" and that being in an email, gets sent with your auth cookies to the server and issues the delete without you realizing it.

In that sense it's a big plus for security, but also hurts your privacy like you're saying.

Re:It also beefs up security.

[eWarz]

Oh I dare say it's far worse then that. Google might go so far as to grab images only when you open emails, but this opens up the possibility of using google to DoS a target. Think: Now merely sending an email out to millions will have google request those images millions of times, potentially drowning the unsuspecting site with requests.

Harder for **Other** Marketers

[perpenso]

Yeah. The move is to make things harder for **other** marketers. For the marketer named Google it confers advantages.

Re:Harder for **Other** Marketers

[Chalnoth]

What marketing advantage do you think this provides for Google?

Re:Harder for **Other** Marketers

Google's advantage is the disadvantage to other marketers.

Re:Harder for **Other** Marketers

they can now sell a product:

google API's for email tracking or somesuch -
if your email uses THEIR tracker, you can still find out tracking information... otherwise it gets cached

Re:Harder for **Other** Marketers

[Andrewkov]

It makes life more difficult for the competition, plus they can sell the data to the competition later.

Alternate Headline

[FuzzNugget]

Google Makes it Harder for the Competition to Collect User Data

change or same mistake I made about announcement?

[patrixmyth]

Is this a new change, because after I saw the google announcement, I saw a report that they would share all that data about loading of images with marketers. End result: safer images, but just as much information for marketers, as along as they make nice with Google as 'official' email marketers. Would love to be wrong. Here's my source, Ars Technica article.
http://arstechnica.com/security/2013/12/dear-gmailer-i-know-what-you-read-last-summer-and-last-night-and-today/

Wrong

Wrong on one point: Users that click on "show images" will still download the image to Google's servers, letting marketers know if an email is ever opened or not. The one thing the marketer won't get is the user's IP address (because it's Google's cache server downloading the image, rather than the end user).

Awesome for spam/tracking

[saikou]

Actually, this is rather awesome for spam/tracking of "real" addresses.
Before silly users could refuse to load external tracking pixels with unique IDs, assigned to each email.
And now? It's auto-downloaded for everyone. Yay!

While absence of IP address, Referral (if tracking image was loaded via https) and Browser info is sad, "everyone now auto-loads images" waaaay outweighs it :P You won't hide from confirming that email address that easily ;)

Re:Awesome for spam/tracking

umm... you didn't read it. The images gets autoloaded when it comes into the system; no matter what; whether the email address exists or not. It is loaded in part by the anti-spam/malware portion of gmail. There is no way to confirm one way or the other based on external image links

Re:Awesome for spam/tracking

[Stonent1]

Now all the spammers will get their servers overloaded. If they send out millions of e-mails and they all immediately get "opened" by google trying to pull in the picture data.

Re:Awesome for spam/tracking

This reply is unfortunately not correct for the standard case where the marketer has crafted the email with unique image URLs, ones that are specific to the recipient. Google needs to grab the images to cache them - which shows thge marketer you've read the mail message.

Overall this is a win for marketers - they don't get your IP, but they do know you read their message. (Unless you turn off "load external images" option in gmail settings, which I recommend.)

Re:Awesome for spam/tracking

[walter-t]

Agree. Google has a disclaimer about this "In some cases, senders may be able to know whether an individual has opened a message with unique image links." on their help page: https://support.google.com/mail/answer/145919?hl=en

Re:Awesome for spam/tracking

[Cl1mh4224rd]

Now all the spammers will get their servers overloaded. If they send out millions of e-mails and they all immediately get "opened" by google trying to pull in the picture data.

I seriously doubt that. It would be rather dumb for them to cache these images on a per-email basis and not a per-URL basis. It sounds like they're just using a (modified) caching proxy. They'll likely grab and cache the image on its first ever request. All subsequent requests for that same image would then be served by the proxy's cache.

Re:Awesome for spam/tracking

and when every url is unique per user? they grab it hte million times?

Re:Awesome for spam/tracking

That one's pretty trivial to fix at google's end, given their spam filtering doesn't just look t email accounts in isolation. What they see is 100,000 emails that are alike, with an image URL that's templated. They then only need to request one copy of the image, putting random data into the template, or even better, use a valid URL that came into an unused email address.

If I can think of that in 30 seconds, I'm sure the guys responsible for their spam filter can come up with something at least as effective!

Re:Awesome for spam/tracking

Tracking images usually have URLs unique for each address. Google won't be able to tell that spammer.com/trackId_blahblahblah.jpg and spammer.com/trackId_notblahblahblah.jpg are the same file until it requests them from the server.

Re:Awesome for spam/tracking

Seems like you missed the part that these are not generic images as in a picture of some object/scene, but are actually the unique URL's (with a picture type tag of "nothing") that would create a lot of traffic in processing these unique-per-user-email URL's. That could overload a spammer's servers/botnet, and the Internet, if the spam emails are scaled on the assumption of very few response hits. We think spam sucks up a lot of the Internet now - just think what this "spam duplexing" could lead to if unchecked.

Maybe Google will try to "check" that effect by identifying destinations for these URL's as specific to spammers, and suppress those responses. The techniques they use now to identify candidates for our Gmail spam folders could be harnessed for that. They would want to be careful, though, not to alienate "legitimate" businesses with that filtering if they hope to make money off them in this new scheme.

FWIW

Tracking Pixels

Can't believe the stupidity of this story.

Wait, images?

[Arancaytar]

You mean, like, attachments? Those are part of the email anyway.

Or are we talking about this weird new HTML-email thing I've been hearing so much about? Who even uses that crap. :P

Re:Wait, images?

The way it works is one of Satan's cock suckers embeds a unique image for each victim in the HTML emails they send. Whenever the victim opens the email in a program that renders the HTML and displays the images therein a request is sent to a server in Hell and Satan himself is informed you have read their great offer of penis enlargement pills.

Google is trying to reduce the info available to those who hire spammers so that they hire Google instead. It's a good thing in that it hurts spammers, but it doesn't changes the fact Google reads your mail.

Re:Wait, images?

Exactly. All HTML-mails are automatically spam and disappear.

Re:And when the next JPEG or PNG exploit comes alo

No, because Google will scan the images for viruses and common inconsistencies, then convert them to raw pixel data, using there decoding libraries that don't have these exploits, and then re-encode them into consistent and buffer-overflow-free images, that will work on any old and/or bug-riddled operating system or browser used by the recipient.
I hope google will also re-sacale images when people embed 3000 DPI company logo's in HTML-emails.

if Google is smart, they download 1 copy, ignoring

[raymorris]

If Google is smart, they'll download approximately 1 copy of each image, ignoring the tracking ID in the URL.

"Most successful tech company in the world" suggests that they may in fact be smart.

Score one for Google

[nurb432]

Tho, im sure they will do the tracking for their own purposes, this will help reduce 'bad things' from questionable sources. As always, its a trade-off.

Ehh, not quite

pop3 doesn't tell anyone which messages you read, only that you received them.

Re:Ehh, not quite

[znrt]

email protocol is irrelevant here.

if you use a local email client, what is relevant is under which circumstances it decides to accesss those image urls for display, regardless of protocol.
if you use a web client you are screwed anyway (as in "you have absolutely no control over what is accessed by whom and when").

Re:Ehh, not quite

Why would you allow images to be accessed from an email message? Yeah of course then you can be tracked.

Re:Ehh, not quite

[fractoid]

Bingo. Does anyone NOT have 'show linked images' turned off? Pretty sure most email clients have it disabled by default these days.

Re:Ehh, not quite

[tlhIngan]

Bingo. Does anyone NOT have 'show linked images' turned off? Pretty sure most email clients have it disabled by default these days.

Most webmail does it too - at least Hotmail and until now, Gmail. Heck, even personal webmail things normally block linked images by default.

That's right, Gmail is going to enable loading of linked images with this change.

It's a setting - you can switch it back, but who knows how long Google will keep that option available... Just that the default setting is show all images now. (And default settings are important - few actually bother changing default settings).

Re:if Google is smart, they download 1 copy, ignor

You make the tracking ID part of the image name. Set up a cgi to always return the same image regardless of what it is called. Use a fake hashed etag thingy so they are always different.
Google has to download the image to see if it is the same, marketing mission accomplished.

e.g. http://examplemarketing.com/images/gjdfkadfdhkhkfdhkdsfhkhfdsqiuqr.gif

Oh. Please send royalties to A.C. @ Slashdot.

Facebook has been doing this from day one

Google is a bit late. Facebook has been doing this in posts to its site since day one. It makes a huge difference in
security, privacy and speed... finally.

Hah

Yeah, because it will take all of two seconds to generate a unique tracking bug per email address. Two 32 bits pixels offers a lot of data storage.

Re:Hah

[jaseuk]

Yep and in fact despite what I said earlier, this could be worse. If google pre-fetch every image for instance, then this could have some horrid consequences. Such as confirming e-mail addresses.

Jason

Re:Hah

[Reeses]

Which is what most direct marketers do. Images in marketing emails are not embedded, they're links to remote images ( tag FTW!). Most images have a hashed part of its URL that is your "unique" identifier in their logs.

What the cache will likely do is pre-emptively grab the images, triggering higher hit rates on the marketer's servers, leading them to believe more people are reading their emails, meaning more spam.

Re:Hah

[TheRaven64]

Not necessarily. A lot of email virus scanners will pre-fetch images and follow links in emails, for example. They'll do it even if they're just forwarding the mail to another server, and sometimes before the mail even gets to the delivery agent.

Re:Hah

[icebike]

What the cache will likely do is pre-emptively grab the images, triggering higher hit rates on the marketer's servers, leading them to believe more people are reading their emails, meaning more spam.

Supposedly Google only hits the image when you request the mail, and then only from a web browser. So the best thing to do is use an email client with image suppression on.

But If google decides to hit every image even before you read the mail, they initially play right into the hands of the spammers. However, other than verifying that the email address exists, it may make this uniquely coded url a useless indicator for the spammers. Why go to the trouble when every single one of them will verify?

Re:Hah

[mwvdlee]

Google caches content only for it's own Gmail client, so you have no choice of clients with regards to this caching.

Also; did you notice the convenient popup in Gmail stating that, unless you explicitely disable the feature, all images will now be automatically loaded?

Re:Hah

[icebike]

Google caches content only for it's own Gmail client, so you have no choice of clients with regards to this caching.

That makes no sense.
If they only cache for their Gmail client, that would mean I DO have a choice, by simply using another client.

As for the disable feature, that is the FIRST thing I did. This feature does nothing to protect the user. Its all about giving google an advantage. It MAY be illegal. Its not at all clear that Google has the right to cache image files that were intended to be sent directly from my Brokerage account to me via an embedded URL in an email.

Re:Hah

[Vitriol+Angst]

I think it's only meant to protect you from marketers getting FREE access to your cache.

They can still buy this info from Google, right?

Re:Hah

[Ash+Vince]

Yep and in fact despite what I said earlier, this could be worse. If google pre-fetch every image for instance, then this could have some horrid consequences. Such as confirming e-mail addresses.

Jason

You all seem to assume you are the first people to realise this, ten to one says some Google engineer also realised this and so is just going to get the software to do a hit on the sending or linked server for every image, even if the email address it was sent to does not exist. Then, they can use the content of that image as an additional way to help identify unsolicited email.

Re:Hah

[Urza9814]

Its not at all clear that Google has the right to cache image files that were intended to be sent directly from my Brokerage account to me via an embedded URL in an email.

Right. And I suppose they may have no legal right to scan for spam or viruses? And my ISP has no legal right to cache traffic like DNS requests?

Your service providers can do pretty much whatever they want. If you have a problem with that, use encryption.

Re:Hah

[icebike]

When someone sends a URL via Email, the content of that URL never touches Google's servers. Its exactly opposite of sending a file as an attachment, or requesting a DNS. Embedded links are meant to be fetched only by the recipient's browser. For google to play man in the middle, and pre-fetch all of these urls, may well be illegal.

That you are willing to hand over this right, without even a hint of objection is somewhat disturbing.
That you are unaware of how embedded links work in html email suggests you probably aren't the best person to be commenting on this subject.

Re:Hah

[Urza9814]

Embedded links are meant to be fetched only by the recipient's browser.

No, they're not. They're public URLs, and the only sane assumption is that anybody and everybody can and will try to access those. If it needs to be secure, it needs a login.

For google to play man in the middle, and pre-fetch all of these urls, may well be illegal.

Again, my ISP does it. My university did it. My employer does it. Everybody does it. You lost this battle at least a decade ago man. It's already over and accepted. That's just how proxies work. And yes, it is like caching DNS requests -- when I request a DNS entry, my ISP does not go out and get the location of my request on demand. They already have it stored somewhere, from some other request, probably not even initiated by a user in many cases,

That you are willing to hand over this right, without even a hint of objection is somewhat disturbing.

What "right"? First of all, rights (at least in American law) don't really come into play in a private business relationship. That's why NDAs are legal even though you have a right to free speech.

Secondly, sure I'm willing to allow them to do that in order to better combat spam and such. Actually, *I* don't, because I don't load images. Ever. But even if I did, it's not like they're secretly monitoring everything you view. It's an automated system proxying requests. It's entirely public, and it's not being analyzed -- at least not in regards to *you*. If that is found to be false, then I'd be concerned. Until then, why the hell *would* I care?

That you are unaware of how embedded links work in html email suggests you probably aren't the best person to be commenting on this subject.

I certainly know what a URL is -- do *YOU*?

Email is not a secure technology, and it's pretty well assumed that each endpoint at least will perform some automated processes on the contents of your message. These images are embedded into the message, which makes them a part of that message -- just like the Slashdot logo is a part of the Slashdot page, even though it's really just a URL that points to a separate resource. So why in your mind is it legal to scan some parts of the message, but not others?

Also, I would perhaps be somewhat outraged were they following href attributes. But they're not; they're following src attributes. There's a difference.

Re:Hah

[davester666]

Unfortunately, at least for right now, Google may cache the results, but EVERY time you happen to view the email, Google re-downloads the image from the original source [so they are informed every time you view the email, essentially in real-time].

Downsides:

[yakatz]

Marketers will at least know that the user opened the email because the images were loaded somewhere. See MailChimp's post on the subject. This means that you can not longer look at a message even once without the marketer knowing that you did.

Re:Downsides:

Actually, they won't if gmail precaches images for all incoming messages, regardless of weather you open them.

Good and bad?

[Sits]

GMail will be fetching the images by default but only after the user opens the mail. So it's an improvement because the user's browser and IP address will be hidden (as it will be Google's servers doing the fetching) and it's a step back because it is tracking images will work by default. If you want the old behaviour of not showing images you will need to opt into it so only those who explicitly don't want to be tracked will remain anonymous.

Sources: Wired, Ars Technica

Okay

[ledow]

So, presumably they don't actually rewrite the message as such, just change the way it's displayed in the web interface (through an intermediate proxy). Rewriting the message would break all those nice email verification systems, no?

So what about those people using IMAP and not GMail's web interface? Presumably, it's business as usual.

Fact is, if I don't want you to be able to know when I've loaded your images, I won't load your images unless I think they are vital. Which is why my mail-client doesn't download any images by default anyway.

I see this as a good thing - Google are protecting users who are dumb enough to use the web interface for email and rely on it, but not touching anyone who would do things properly anyway.

Re:Okay

[Dynedain]

They rewrite the HTML on the fly as it's displayed in the Gmail web interface. Reports so far show they aren't rewriting the original email, so 3rd party clients aren't affected.

Granted, if they can do it on the fly at display time right now, then in the future it would be trivial to do it on the receiving step instead.

Google will sell the data instead

Of course, the data about the cached access will be sold by Google.

Summary is wrong wrong wrong

[Dynedain]

This summary is garbage and complete misrepresents the implications of Gmail's change. (I already researched this last week and developed a solution to avoid cacheing with in-progress email images that might get replaced with final versions)

Every singe email marketing system already uses a unique image URL to identify a given recipient. This is frequently called a "tracking pixel" because it's usually a 1px transparent gif stuck in the corner of an email where it won't be distracting. In fact, this method has been used for web tracking as well for many years. It's how Google Analytics originally worked.

Since these unique images will still get loaded when an email is opened in Gmail, marketers will still be able to track your opens. What they won't see, however, is how many times you re-opened the email. And since the image gets cached and requested through Gmail's proxy, marketers won't get information about your machine like browser, IP address, etc. But if you click-through on a link, or you visited their site before (highly likely if you're on their mailing list) then they have most of that info anyways.

This caching by Gmail is primarily to speed up Gmail since it means images can be loaded and shared on Google's Content Delivery Network which is almost certainly faster than servers owned by the email campaign provider for image hosting.

Re:Summary is wrong wrong wrong

[yahyamf]

It would be interesting if Google would hash the images and replace the image URL with a comon one per hash that is stripped of tracking info and shared by all users who got the same hashed image in their mail. It would even reduce storage requirements as the images would get deduplicated.

Re:Summary is wrong wrong wrong

They'd have to get the image to hash it...

Re:Summary is wrong wrong wrong

[Monoman]

Spammers still do the 1px thing? Who downloads images by default? .... probably most people not commenting on this thread.

Re:Summary is wrong wrong wrong

[cdrudge]

Raises hand, at least from sources that I have flagged to do such. I have a variety of retailers, newsletters, etc where I prefer to read the full HTML email, with images, rather than just text only with markup that might look correct without images turned on.

Yes I understand the implications of having images turned on. Yes I don't give a crap if Newegg knows which emails that I read or my kids school knows that received their newsletter.

Re:Summary is wrong wrong wrong

[Dynedain]

There are legitimate use cases for businesses mass-sending email. Thinks like "your monthly statement is ready".

These all use the tracking pixel because it's the only way to get any kind of data about the open rates for your email. And yes, marketers and communication managers understand the ramifications of how this hurts their overall open rate.

An average open rate in the industry is about 15%.... anything over 20% is considered really good.

Don't be fooled.

They want to make it harder for those entities to collect that data, because Google wants to collect it and sell it back to them at a premium.

Not accurate information

[gowmc]

I've done testing with my own emails with a link to my own server. The image is still only downloaded once you view the email. The only thing that is any different is that the request comes from google instead of the user's IP address. This prevents getting or reading cookie data during the image request, but does nothing to prevent image-based tracking of email opens. For image content on non-unique URLs this could mean better loading speeds, but won't do anything to make email load faster for unique images.

Nothing stops them from pre-caching these images in the future, but for now it isn't quite as catastrophic for the email marketers are some article suggest.

Re:Not accurate information

[cshark]

I don't really see where the problem is. You shouldn't be using horrible kluges to track your campaigns anyway. Even if it did kill your ability to track who is opening what... who fucking cares? The fact that a person opens an email has absolutely no bearing on whether or not they're going to buy it. Email marketing is still interruption marketing, for the most part. It's flawed in its basic premise. Innovation is the only way to stay in business long term. Stay ahead of the curve, it's more profitable. Adapt, or die.

Re:Not accurate information

Please don't adapt.

Ad broker + NSA

From the OP: "Google says the changes are intended to enhance user privacy and security."

I find this lie from google/doubleclick insanely funny yet darkly cynical.

To enhance user privacy and security, don't use services from this huge ad broker which has a small army of lobbyists working Washington to prevent laws that would harness our privacy, and which works with the NSA to rape our liberty and privacy. If you use gmail, you should have no expectations of privacy or security whatsoever. That would be insane. It is everything their prime directive is not - i.e. make money of your privacy.

Re:change or same mistake I made about announcemen

[Bogtha]

No, you are completely misunderstanding that article.

Before mail clients stopped loading images by default, it was possible to embed a "web bug" image in an email. Essentially a transparent non-image that is referenced with a unique ID for each user. When the email was viewed, the mail client would request this web bug, and their server could record a) that this particular user opened the email, b) when they opened it, and c) whatever information they could glean from a normal HTTP request - where in the world you are, what software you are using to read the email, what language you have your mail client configured to use, etc.

If at any point you click "Load images", you will be sending this information to whomever sent the email. It's just that by default this would not occur in the majority of mail clients.

Gmail are switching to proxying the images and loading them by default. This means that email senders will get a) and b) by default. You can remedy this by switching your Gmail settings back to the old default of not loading images by default.

However because they are proxying the requests for the images, the people sending emails no longer get access to c) - things like your IP address, location, software, etc.

You seem to have invented some kind of nefarious arrangement between email marketers and Google, but that appears nowhere in the article you link to. It does not describe Google sharing data at all. All the article describes is the fact that by default, email marketers can now get a) and b) by using web bugs - this is something you don't need an agreement with Google to use, it's a natural consequence of the technology in question. It's your browser that shares the data, and it does so by performing a normal HTTP request - this is information you send to each and every website you visit. There's no http://google.com/download-private-data-muhahaha.zip link that email marketers now have access to.

This change improves privacy and has no loss of privacy if you change your settings to not load images by default. If you leave the settings at their defaults, you gain privacy in some ways and lose it in others.

Worse, Google now blocks steganography too

I'm surprised that everyone is focused only on how this affects advertisers. That might be just a decoy excuse for the modifications.

A far more fundamental change is that Google will now be transcoding all images, which inherently blocks the sender's ability to transmit steganographically hidden information with plausible deniability. I bet the NSA has been requesting Google to do that for ages, as it must have been an extreme headache to have to scan all images just to find the few with a hidden payload. No such payloads now.

Spooks aside, the effect of this on photography will probably be far more dramatic for the general population, since photographers often transmit precisely controlled images. Google's new transcoding means that Gmail is no longer suitable for sending bit-perfect images of known properties or quality, so we're going to have to put our images in archives from now on, which will be a pain to view.

It seems that Gmail is becoming strictly a conduit for advertising. Google is at least consistent in their evil.

Re:Worse, Google now blocks steganography too

What's so wrong with transcoding? It will help most people. For the others, you seem to be paranoid enough to plan for steganography, but uneducated enough to think of any other way of sending binary data. My work email automatically zips all attachments -- you're telling me that Google's going to unzip an attachment, adjust the contents of a binary file, and then put it all back? Get real. And even if it did, you telling me that you couldn't use a different email provider (e.g., Yahoo), or a different way of sending files (e.g., Dropbox)?

Re: Worse, Google now blocks steganography too

They're not caching attached images, they're caching linked images.

Re:Worse, Google now blocks steganography too

Yes, I am telling you those things, although they won't bother the bit-perfect photographer since we'll just archive up our photos as I suggested myself --- you merely parroted the idea back, thanks for confirming. But yes, all archives will be unpacked and scanned by the NSA, because that's what they do.

Evidently you've never heard of someone called Snowden, as I can see you're still childishly innocent of the extent and depth of the surveillance if you think it's defeated by zipping.

I don't know where you got the ludicrous idea that archives would have to be reassembled after inspection. It seems you don't know even the most elementary things about how computers work, and the matter of plausible deniability went totally whoosh! past you.

Re:Worse, Google now blocks steganography too

Evidently you've never heard of someone called Snowden, as I can see you're still childishly innocent of the extent and depth of the surveillance if you think it's defeated by zipping.

If you want to encrypt your mail, encrypt your mail. If you don't want to bother, then don't. I have conversations in bars, where they can easily be overheard by other people -- if I really cared about keeping my life private, I wouldn't do that either. No one ever said that zipping would prevent data from being read -- rather, it would most likely prevent Google from wanting to transcode that, which was your actual objection -- to transcoding. You even made it in bold and italics. Clearly you cared about that aspect more than anything, no?

It's not that I'm ignorant, I just don't care. I really don't. I have more important things to do with my life than worry about all this crap.

No trust

The only way this can be of any use is if you trust the servers the images are moving to (tip, don't trust Google). Google has sucked for a long time, this is just more of the same.

Re:And when the next JPEG or PNG exploit comes alo

[...] I hope google will also re-sacale images when people embed 3000 DPI company logo's in HTML-emails.

I HATE when companies do that. My friend started working for a company that automatically adds a footer to every page. It consists of their logo and some green space to fill the rest of the image (it is set up like this: but the logo is on the left http://candacereese.files.wordpress.com/2011/02/creesej_speaker-footer-e1296867208417.jpg). The logo itself is sized to be 1.5 by 1.5 however, the actual image file downloaded is, no joke, 6000x6000 pixels and is 3MB (I tried pngcrush and it reduced it to 88KB). The green space is a block of solid green 6000 high by 18000 long and is absolutely massive and again pngcrush got it under 200KB. What a waste considering they dynamically size it using css to fill the rest of the page and be 1.5 inches high on the screen and it could literally be a single pixel png stretched out or be colored green by CSS with no image necessary.

The old definitions don't work

Google is not a monopoly.

You're too fixated on the old definitions of monopoly, which aren't really very helpful in this new world of digital services.

The questions that are asked in an anti-trust investigation aren't about whether the accused meets the definition of "monopoly" but whether the methods pursued by the company block the competing operation of others in the same space.

And what do you think the answer to that question is? Google has an almost complete stranglehold on the Internet advertising sector, and it's not necessarily because of evil actions. They're simply too good at this "free services --> advertising revenue" game, so good that they've captured most of the target audience. It's a monopoly of the black hole type --- it has attracted everything to it and there's no matter left to attract.

When someone has a free Gmail account already, there's almost no possibility of attracting them to your competing services, since you can't compete with free, and that means that your advertising business can't capture the needed eyeballs. It's effectively a monolithic sector now, and it's owned by a single player.

The old definitions don't work, yet the anti-competitive nature of what's going on is unquestionable.

Re:The old definitions don't work

[KingOfBLASH]

Old definitions of monopoly are perfectly fine to describe digital services.

If you can come up with an email service that's better than Gmail, I'd switch. Probably many other users would join me. While I do expect it to be free, i wouldn't rule out paying for something if there was value.

Same for search engines. Build me a search engine that finds stuff I want better than Google and I'll switch (as will others).

At that point, when you have the users, getting the advertisers is easy. Perhaps building such a service might require you to begin by using Google AdSense, but you could eventually switch out your own service.

The key is to get those users, you'd need to innovate. And you can't get around innovating by calling Google a Monopoly.

Salesforce

[EmperorOfCanada]

I read somewhere that salesforce did this years ago to allow people to track who actually read emails. I then renamed SalesForce to UsedCarSalesForce as that is a pure scumbag thing to do. I am a huge fan of some kind of privacy law where a company may not collect data that people haven't had clearly pointed out is being collected with the option to opt-in. You will notice opt-in as the operative word. Thus I don't even want my power company being able to sell my data even in aggregate and say that my neighbourhood uses more power than a different neighbourhood. When I see that "trusted-third-parties" thing it just ticks me off.

Google's cut

[send2erik]

I'm sure marketeers can still access the data. Only now they'll have to pay Google for it.

Re:Google's cut

I think you hit the nail on the head there.

Spammers want to know if you're reading your email

They rarely care about the actual person. They only care that their garbage is being read, and therefore potentially sold.

After all, it's not like they care about spamming to the appropriate market. They only care that they are actually sending it to someone (even that's a borderline stretch, but it's the entire purpose of the images).

Schizophrenic google

[crossmr]

So do they want privacy or not?
On one hand they're claiming to serve up images by proxy to protect users privacy, on the other hand, they're using Google+ and youtube to force users to display their real name.

We had the issue where Google started forcibly customizing google services for you based on you signing up for Google+. When I signed up a couple years ago, it broke my news archive search, because it would only search news sites in Korea, and in Korean despite having everything in English and my account being created in Canada (I happen to be in Korea). While several months later that was actually fixed, they also went ahead and first removed the insanely useful timeline from the archive, and then just recently killed off the archive entirely, because who could ever want to read news more than 30 days old.

Butchering services, heavy handed user manipulation, my patience with google is quickly wearing thin.

Re:Schizophrenic google

Nothing schizophrenic about it, it's just PR. The only way this could have any value is if you trust the server (i.e. Google). By this point, if you still trust Google, you've got rocks in your head.

Google's BIG hypocrisy

What Google is doing is a complete hypocrisy: will will protect everyone from 'something' but we do exactly the same that we are protecting everyone from.
I sincerely don't see any major advantages for the end user with this move.
What I can see is a major advantage for Google that this way has the data from everyone and doesn't allow anyone else to do exactly the same they do.

If Google does this, why doesn't Google stops collecting data from the emails for ad targetting?? Everyone knows Google looks at emails to gather data for ad purposes. A beacon of a third party email is less intrusive than harvesting data directly from email content. Major hypocrites!

I will consider cancel my email account after this.

Google's BIG hypocrisy

What Google is doing is a complete hypocrisy: will will protect everyone from 'something' but we do exactly the same that we are protecting everyone from.
I sincerely don't see any major advantages for the end user with this move.
What I can see is a major advantage for Google that this way has the data from everyone and doesn't allow anyone else to do exactly the same they do.

If Google does this, why doesn't Google stops collecting data from the emails for ad targetting?? Everyone knows Google looks at emails to gather data for ad purposes. A beacon of a third party email is less intrusive than harvesting data directly from email content. Major hypocrites!

ha ha

[setrops]

Privacy my ass.
Theywill just resell the stats to the marketers.

Except for Google, of course

Google will continue to vacuum everything you do, they are just getting rid of the competition, who will now have to pay Google for the info. No favors here, folks. We benefit inadvertently and temporarily, however.

this breaks copy and paste of rich text in gmail

[nathanbeach]

Because the image URLs are rewritten to the Google proxy server, you can no longer copy and paste rich text with embedded images from Gmail into another application. That really sucks. I need to do that all the time for a certain client. It looks like I'm now going to have to get a separate webmail service just to be able to copy and paste rich text. Ridiculous.

Re:if Google is smart, they download 1 copy, ignor

[Urza9814]

Easily defeated. Google loads a couple of the images, detects they're all the same, detects they're placed the same in the message, determines the pattern and replaces all images fitting that pattern with the first copy downloaded from their cache.

Re:if Google is smart, they download 1 copy, ignor

Yeah. I love how everyone in this thread is pointing out obvious problems which are actually not that hard to solve.
It's not like Google's engineers know anything about email, spam or caching servers...

summary is incorrect

Google gives you the OPTION to either have images AUTOMAGICALLY displayed now or NOT. I still went with not as AFAICT ATT it was across the board and I don't ALWAYS want images displayed in my email when accessed from phone/tablet.