Gmail Privacy Proxy: Right Idea, Wrong Execution
Today, Google announced that images in Gmail messages will be loaded through Google's own proxy servers, billed as safer and faster. At first glance this looks like a real step in the right direction for privacy: the proxy fetches the image, so the remote web or image server never sees your IP address. Unfortunately, several of the surrounding decisions could have been better thought out.
Google’s Fair Attempt at Privacy
To be fair, Google did make a serious attempt to protect the privacy of Gmail users. Because images are loaded through a proxy, remote web and image servers cannot see Gmail users' IP addresses. That is real protection: an IP address reveals an approximate location and ISP, and it lets a tracker correlate an e-mail open with the same person's visits to web pages carrying its images. Combining web tracking with e-mail tracking in that way would be quite intrusive.
Privacy Is Not Just a Buzzword
The problem, however, is that the adversaries of Gmail users are not really after IP addresses. They simply want to know that an e-mail address is valid and in use. To find out, spammers commonly embed functionality in their e-mails that tracks which addresses are active and which are not. For example, a mass spammer can auto-generate each message with an image link whose URL is unique to the recipient, with the recipient's address (or an identifier for it) embedded in the URL.
When that image is loaded, whether directly by the mail client or through Google's proxy, the spammer's server sees a request for that unique URL. In general that implies the recipient opened or loaded the message, which confirms the address as active and tells the spammer when it was read. The proxy hides the IP address, but not the signal the spammer actually wants.
The Right Approach vs the Wrong Approach
Some very intelligent HN readers made a compelling argument that Google could prefetch all images upon receipt of a message. Since every recipient's image would then be fetched whether or not the message was ever opened, a fetch would no longer distinguish an active address from a dead one, which would effectively remove the ability to track whether an address is active. This was a very good point, and had Google implemented it, it would have been a much better approach to protecting user privacy.
However, I did run a simple test by sending an e-mail with an image to one of my Gmail accounts 3 times. All three times, no matter how I changed the timing, the image was loaded when I clicked on the e-mail. In other words, the spammer would know that my e-mail address is active and when I clicked on the message.
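The tracking trick described above, and the difference between load-on-open and prefetch-at-delivery, can be simulated in a few dozen lines. The following Python is an added example, not code from the original post or from Google; the tracker host, the campaign secret and the three recipients are constructed. It uses an opaque HMAC token in the URL instead of the plaintext address the post describes, which is how a careful spammer would do it; the spammer's server maps the token back to the address, so the effect is identical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse


class Tracker:
    """Spammer-side web server. Hands out one image URL per recipient and
    records which recipients' URLs are fetched, and when."""

    def __init__(self, host: str, key: bytes):
        self.host = host          # hypothetical tracking host
        self.key = key            # per-campaign secret for the tokens
        self._tokens = {}         # token -> recipient address
        self.hits = []            # (address, when) in fetch order

    def image_url(self, address: str) -> str:
        # Opaque per-recipient token. The address itself never appears in
        # the URL, but the server can still map the token back to it, so
        # this is equivalent to the plaintext-address form in the post.
        token = hmac.new(self.key, address.encode(), hashlib.sha256).hexdigest()[:16]
        self._tokens[token] = address
        return f"{self.host}/pixel.gif?{urlencode({'id': token})}"

    def serve(self, url: str, when: str) -> bytes:
        """Handle one image request; log the hit if the token is known."""
        token = parse_qs(urlparse(url).query).get("id", [None])[0]
        address = self._tokens.get(token)
        if address is not None:
            self.hits.append((address, when))
        return b"GIF89a"  # the 1x1 pixel body is irrelevant to the tracker

    def active_addresses(self) -> set:
        return {address for address, _ in self.hits}


def run_campaign(prefetch: bool, opens: dict) -> Tracker:
    """Simulate one mailing through a proxying mail provider.

    opens maps each recipient to the time they clicked the message, or None
    if they never did. With prefetch=False the proxy fetches an image only
    when the user opens the message (Gmail's observed behaviour); with
    prefetch=True it fetches every image at delivery (the HN proposal).
    """
    tracker = Tracker("https://tracker.example.invalid", b"campaign-secret")
    for address, opened_at in opens.items():
        url = tracker.image_url(address)
        if prefetch:
            tracker.serve(url, "delivery")
        elif opened_at is not None:
            tracker.serve(url, opened_at)
    return tracker


# Constructed sample: three recipients, one of whom never opens the mail.
OPENS = {
    "alice@example.com": "2013-12-12T10:03",
    "bob@example.com": None,
    "carol@example.com": "2013-12-13T08:41",
}

if __name__ == "__main__":
    on_open = run_campaign(prefetch=False, opens=OPENS)
    print("load-on-open:", on_open.hits)
    prefetched = run_campaign(prefetch=True, opens=OPENS)
    print("prefetch at delivery:", prefetched.hits)
```

With load-on-open the tracker's log names exactly the two recipients who clicked, with timestamps; with prefetch every recipient shows a single hit at delivery time, so the log carries no more information than the absence of a bounce already gave the sender. Note that the proxy hides the IP address in both modes; what prefetching removes is the open event and its timing, which is the signal the spammer actually cares about.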
Note: One of our developers suggests that had Google rolled the proxies in but simply kept the original behavior (i.e., asking the user whether to display images), the priorities would have been privacy first, security second and usability third. As it stands, the rollout puts usability first, security second and privacy third.
That being said, it is heartening to know that Google does care about privacy and is committed to taking steps to ensure it. For that, they deserve applause.