Google Makes It Harder For Marketers To Collect User Data

cagraham writes "In a seemingly minor update, Google announced that all Gmail images will now be cached on their own servers, before being displayed to users. This means that users won't have to click to download images in every email now — they'll just automatically be shown. For marketers, however, the change has serious implications. Because each user won't download the images from a third-party server, marketers won't be able to see open-rates, log IP addresses, or gather information on user location and browser type. Google says the changes are intended to enhance user privacy and security."

And google will retain that info exclusively.

[Spamalope]

While I applaud the move, it is about competitive advantage for Google.

Re:And google will retain that info exclusively.

[jaseuk]

Yes and the point the summary misses, is that the images are used to verify that you have received and viewed the e-mail. This is far more important than browser types / locations etc.

It also prevents some evil things, such as first time you hit the page you get a drive by, the second time (with cookie set) you get the actual image and all seems fine.

Jason.

Re:And google will retain that info exclusively.

[pradeepsekar]

The article does not state of all images would be cached automatically even if you have not read your mail. It only says that images would be served through a Google proxy server, which caches the images.

So if Google proxies and caches the images when you open the mail, there is no protection added from marketers, except for the fact that Google can scan the images for exploits.

And if Google proxies and caches the images as soon as the service receives the mail, marketers can verify if the address is a valid gmail address or not by just sending mails and waiting for Google to cache the image. Expect more spam if this is the case.

There will be true protection from email tracking only if Google caches the images in all emails it receives, even if the email address is invalid - and that would increase the load on Google servers quite a bit.

Re:And google will retain that info exclusively.

[KiloByte]

And if Google proxies and caches the images as soon as the service receives the mail, marketers can verify if the address is a valid gmail address or not by just sending mails and waiting for Google to cache the image. Expect more spam if this is the case.

Verifying that foobar@gmail.com is a valid address doesn't give spammers any real information: the namespace is so full even most pwgen outputs point to existing names, as long as you don't have embedded numbers (on gmail, addresses seem to have numbers at the end).

Thus, that check can be quite simplified to "does a Markov chain say this string of letters is pronounceable?". Not a big benefit to a spammer. On the other hand, they don't get told anything about the recipient anymore.

While for a small mail provider this change might leak some info, for Gmail it seems to be nearly entirely positive.

I for one don't use Gmail for privacy reasons, and don't fetch remote images, but good luck training aunt Lucy about that.

Re:And google will retain that info exclusively.

This.

I work for an email marketing company. Since our customers are very keen on not being mixed in with spam, we (and I think I speak for most of our competitors in this respect) take care to ensure only legit (confirmed double opt-in) email accounts are listed, to keep our servers' reputation perfect. Understand that it is in the best interest of legit senders to make customers WANT to recieve their emails. Open images and the statistics they create are primarily used to fine-tune the emails sent.

These open pixel images have practically no value to spammers (hence very few spammers actually use them); sending out spam over botnets, they don't care if an email address exists. They might care if a batch of several thousand email addresses no longer exists, but tracking and logging individual recipients... that's damn expensive if you're sending to millions of email addresses.

This cache won't hurt spammers.
It hurts companies you have subscribed to receive email messages (I sure hope you trust the average Hotmail user's taste, since emails will change to suit their needs).
And I dare bet that pretty soon, Google will start selling this information, and then everybody will be hurt.

Re:And google will retain that info exclusively.

[mrt_2394871]

If you want to know if I've read an email:
request a return receipt
If I want to give you that information, I will.

Goodness, there's an existing, non-scummy way of working all this out which preserves user expectations of privacy and provides you with the information you actually want, not a poor proxy of it.

Re:And google will retain that info exclusively.

[gsslay]

How would you feel about your customers sending tracking images to you with orders/complaints/queries? Just to "fine-tune" whether they deal with you again? I imagine it could be statistically enlightening to see how quickly you open emails, how often, and how long the response takes. Not so keen?

I appreciate your efforts to ensure that your emails lists are on target and not spammy, many companies are not so diligent. (Particularly with confirmed opt-ins.) But you have no automatic right to collate any further information about your customers unless they intentionally provide it. Tracking images are sneaky and most certainly not used by your customers intentionally. There is a reasonable expectation of privacy when reading your own email on your own computer.

You're right about two things though. The days are long gone when spammers cared about whether an address was valid or not. They are not incurring any costs spamming to invalid addresses. All they care about is how many suckers they hook with a response. And yes, the cached image hits are yet more information being sucked up by google, that will inevitably be sold in some way in the future.

Cutting into their business

Of course they're cracking down hard - stealing user data is Google's job...they don't like the competition.

Harder for **Other** Marketers

[perpenso]

Yeah. The move is to make things harder for **other** marketers. For the marketer named Google it confers advantages.

change or same mistake I made about announcement?

[patrixmyth]

Is this a new change, because after I saw the google announcement, I saw a report that they would share all that data about loading of images with marketers. End result: safer images, but just as much information for marketers, as along as they make nice with Google as 'official' email marketers. Would love to be wrong. Here's my source, Ars Technica article.
http://arstechnica.com/security/2013/12/dear-gmailer-i-know-what-you-read-last-summer-and-last-night-and-today/

Awesome for spam/tracking

[saikou]

Actually, this is rather awesome for spam/tracking of "real" addresses.
Before silly users could refuse to load external tracking pixels with unique IDs, assigned to each email.
And now? It's auto-downloaded for everyone. Yay!

While absence of IP address, Referral (if tracking image was loaded via https) and Browser info is sad, "everyone now auto-loads images" waaaay outweighs it :P You won't hide from confirming that email address that easily ;)

Re:Possible?

[symbolset]

Image formats have been used to compromise browsers in the past, so automatically loading images in your webmail or email client is a bad idea. Fortunately this is just a change from the default behavior so you can turn it off in the options.

In fact, Microsoft just patched a .tiff image format exploit last Tuesday.

Re:They do see open rates

Multiple tests by multiple individuals have shown that they do NOT honor any of the various no-cache headers.

Tracking unique users is still easy (using a unique URL) - but tracking how many times they opened the email, or where they opened it from (IP address) or on what platform is now lost.

Summary is wrong wrong wrong

[Dynedain]

This summary is garbage and complete misrepresents the implications of Gmail's change. (I already researched this last week and developed a solution to avoid cacheing with in-progress email images that might get replaced with final versions)

Every singe email marketing system already uses a unique image URL to identify a given recipient. This is frequently called a "tracking pixel" because it's usually a 1px transparent gif stuck in the corner of an email where it won't be distracting. In fact, this method has been used for web tracking as well for many years. It's how Google Analytics originally worked.

Since these unique images will still get loaded when an email is opened in Gmail, marketers will still be able to track your opens. What they won't see, however, is how many times you re-opened the email. And since the image gets cached and requested through Gmail's proxy, marketers won't get information about your machine like browser, IP address, etc. But if you click-through on a link, or you visited their site before (highly likely if you're on their mailing list) then they have most of that info anyways.

This caching by Gmail is primarily to speed up Gmail since it means images can be loaded and shared on Google's Content Delivery Network which is almost certainly faster than servers owned by the email campaign provider for image hosting.

Re:The fix that breaks things

[Cassini2]

If I were google, I would download images in all incoming messages regardless if they are intended for real email boxes or not. This would let them know which websites are being used for spam. The spam detector could use this information by pattern matching every image (regardless of relabling or website copying), and mark spam accordingly.

Re: Worse, Google now blocks steganography too

They're not caching attached images, they're caching linked images.