Slashdot Mirror
Google Makes It Harder For Marketers To Collect User Data
cagraham writes "In a seemingly minor update, Google announced that all Gmail images will now be cached on their own servers, before being displayed to users. This means that users won't have to click to download images in every email now — they'll just automatically be shown. For marketers, however, the change has serious implications. Because each user won't download the images from a third-party server, marketers won't be able to see open-rates, log IP addresses, or gather information on user location and browser type. Google says the changes are intended to enhance user privacy and security."
While I applaud the move, it is about competitive advantage for Google.
Of course they're cracking down hard - stealing user data is Google's job...they don't like the competition.
The cache system honors no-cache headers. As long as your images are served no-cache, you do see exactly when the email was opened, since the GMail servers refetch it every time. If each user gets a unique URL, you know exactly who opened the email.
Well, pulling all the images certainly solves the problem of having to display emails with images. The only reason we (I) don't click the display-images button is because the images allow us to be tracked, the images may have some sort of exploit (rare). Originally this used to be due to limited download speeds.
I suspect caching the images allow pre-processing of the images and therefore making the whole system more secure by default. Images could therefore be displayed in full by default with images, preferably with some large images being intelligently excluded by default.
Google could release a mass marketing email API/gateway and monetise that allowing marketeers access to data regardless of whether you open the images/email or not. This is slightly more valuable information.
This fixes: opening ratio, opening time, user's IP.
This breaks: spammers will now have confirmation is the @gmail email is valid or not.
is a monopoly tightening its grip on the market it monopolizes.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Yeah. The move is to make things harder for **other** marketers. For the marketer named Google it confers advantages.
Is this a new change, because after I saw the google announcement, I saw a report that they would share all that data about loading of images with marketers. End result: safer images, but just as much information for marketers, as along as they make nice with Google as 'official' email marketers. Would love to be wrong. Here's my source, Ars Technica article.
http://arstechnica.com/security/2013/12/dear-gmailer-i-know-what-you-read-last-summer-and-last-night-and-today/
"Don't you know you're going to shock the monkey?"- Peter Gabriel
Actually, this is rather awesome for spam/tracking of "real" addresses.
Before silly users could refuse to load external tracking pixels with unique IDs, assigned to each email.
And now? It's auto-downloaded for everyone. Yay!
While absence of IP address, Referral (if tracking image was loaded via https) and Browser info is sad, "everyone now auto-loads images" waaaay outweighs it :P You won't hide from confirming that email address that easily ;)
Hyperom.com
No, because Google will scan the images for viruses and common inconsistencies, then convert them to raw pixel data, using there decoding libraries that don't have these exploits, and then re-encode them into consistent and buffer-overflow-free images, that will work on any old and/or bug-riddled operating system or browser used by the recipient.
I hope google will also re-sacale images when people embed 3000 DPI company logo's in HTML-emails.
If Google is smart, they'll download approximately 1 copy of each image, ignoring the tracking ID in the URL.
"Most successful tech company in the world" suggests that they may in fact be smart.
I suspect Google will load the image even if the gmail address is invalid, or else it would be an easy way to build a list of all valid gmail addresses. So your example does not indicate that it ended up in someones in-box (or spam box!), let along that someone actually opened the email.
You make the tracking ID part of the image name. Set up a cgi to always return the same image regardless of what it is called. Use a fake hashed etag thingy so they are always different.
Google has to download the image to see if it is the same, marketing mission accomplished.
e.g. http://examplemarketing.com/images/gjdfkadfdhkhkfdhkdsfhkhfdsqiuqr.gif
Oh. Please send royalties to A.C. @ Slashdot.
This summary is garbage and complete misrepresents the implications of Gmail's change. (I already researched this last week and developed a solution to avoid cacheing with in-progress email images that might get replaced with final versions)
Every singe email marketing system already uses a unique image URL to identify a given recipient. This is frequently called a "tracking pixel" because it's usually a 1px transparent gif stuck in the corner of an email where it won't be distracting. In fact, this method has been used for web tracking as well for many years. It's how Google Analytics originally worked.
Since these unique images will still get loaded when an email is opened in Gmail, marketers will still be able to track your opens. What they won't see, however, is how many times you re-opened the email. And since the image gets cached and requested through Gmail's proxy, marketers won't get information about your machine like browser, IP address, etc. But if you click-through on a link, or you visited their site before (highly likely if you're on their mailing list) then they have most of that info anyways.
This caching by Gmail is primarily to speed up Gmail since it means images can be loaded and shared on Google's Content Delivery Network which is almost certainly faster than servers owned by the email campaign provider for image hosting.
I'm out of my mind right now, but feel free to leave a message.....
From the OP: "Google says the changes are intended to enhance user privacy and security."
I find this lie from google/doubleclick insanely funny yet darkly cynical.
To enhance user privacy and security, don't use services from this huge ad broker which has a small army of lobbyists working Washington to prevent laws that would harness our privacy, and which works with the NSA to rape our liberty and privacy. If you use gmail, you should have no expectations of privacy or security whatsoever. That would be insane. It is everything their prime directive is not - i.e. make money of your privacy.
No, you are completely misunderstanding that article.
Before mail clients stopped loading images by default, it was possible to embed a "web bug" image in an email. Essentially a transparent non-image that is referenced with a unique ID for each user. When the email was viewed, the mail client would request this web bug, and their server could record a) that this particular user opened the email, b) when they opened it, and c) whatever information they could glean from a normal HTTP request - where in the world you are, what software you are using to read the email, what language you have your mail client configured to use, etc.
If at any point you click "Load images", you will be sending this information to whomever sent the email. It's just that by default this would not occur in the majority of mail clients.
Gmail are switching to proxying the images and loading them by default. This means that email senders will get a) and b) by default. You can remedy this by switching your Gmail settings back to the old default of not loading images by default.
However because they are proxying the requests for the images, the people sending emails no longer get access to c) - things like your IP address, location, software, etc.
You seem to have invented some kind of nefarious arrangement between email marketers and Google, but that appears nowhere in the article you link to. It does not describe Google sharing data at all. All the article describes is the fact that by default, email marketers can now get a) and b) by using web bugs - this is something you don't need an agreement with Google to use, it's a natural consequence of the technology in question. It's your browser that shares the data, and it does so by performing a normal HTTP request - this is information you send to each and every website you visit. There's no http://google.com/download-private-data-muhahaha.zip link that email marketers now have access to.
This change improves privacy and has no loss of privacy if you change your settings to not load images by default. If you leave the settings at their defaults, you gain privacy in some ways and lose it in others.
Bogtha Bogtha Bogtha
I'm surprised that everyone is focused only on how this affects advertisers. That might be just a decoy excuse for the modifications.
A far more fundamental change is that Google will now be transcoding all images, which inherently blocks the sender's ability to transmit steganographically hidden information with plausible deniability. I bet the NSA has been requesting Google to do that for ages, as it must have been an extreme headache to have to scan all images just to find the few with a hidden payload. No such payloads now.
Spooks aside, the effect of this on photography will probably be far more dramatic for the general population, since photographers often transmit precisely controlled images. Google's new transcoding means that Gmail is no longer suitable for sending bit-perfect images of known properties or quality, so we're going to have to put our images in archives from now on, which will be a pain to view.
It seems that Gmail is becoming strictly a conduit for advertising. Google is at least consistent in their evil.
Not necessarily. A lot of email virus scanners will pre-fetch images and follow links in emails, for example. They'll do it even if they're just forwarding the mail to another server, and sometimes before the mail even gets to the delivery agent.
I am TheRaven on Soylent News
Google caches content only for it's own Gmail client, so you have no choice of clients with regards to this caching.
That makes no sense.
If they only cache for their Gmail client, that would mean I DO have a choice, by simply using another client.
As for the disable feature, that is the FIRST thing I did. This feature does nothing to protect the user. Its all about giving google an advantage. It MAY be illegal. Its not at all clear that Google has the right to cache image files that were intended to be sent directly from my Brokerage account to me via an embedded URL in an email.
Sig Battery depleted. Reverting to safe mode.
So do they want privacy or not?
On one hand they're claiming to serve up images by proxy to protect users privacy, on the other hand, they're using Google+ and youtube to force users to display their real name.
We had the issue where Google started forcibly customizing google services for you based on you signing up for Google+. When I signed up a couple years ago, it broke my news archive search, because it would only search news sites in Korea, and in Korean despite having everything in English and my account being created in Canada (I happen to be in Korea). While several months later that was actually fixed, they also went ahead and first removed the insanely useful timeline from the archive, and then just recently killed off the archive entirely, because who could ever want to read news more than 30 days old.
Butchering services, heavy handed user manipulation, my patience with google is quickly wearing thin.
Yep and in fact despite what I said earlier, this could be worse. If google pre-fetch every image for instance, then this could have some horrid consequences. Such as confirming e-mail addresses.
Jason
You all seem to assume you are the first people to realise this, ten to one says some Google engineer also realised this and so is just going to get the software to do a hit on the sending or linked server for every image, even if the email address it was sent to does not exist. Then, they can use the content of that image as an additional way to help identify unsolicited email.
I dont read