Gmail Privacy Proxy: Right Idea, Wrong Execution
Today, Google Mail announced that they will be proxying images received through GMail through their safer, faster proxy servers. At first glance, this appears to be an amazing step in the right direction in terms of privacy. After all, Google has decided to provide a proxy to access images thus masking your IP from remote web/image servers. However, unfortunately, there were a lot of decisions that could have been better thought out.
Google’s Fair Attempt at Privacy
To be fair, Google did make a serious attempt to protect the privacy of Gmail users. By loading images through a proxy, remote web/image servers are not able to see Gmail users’ IP addresses. This does offer a fair amount of protection, as an IP address can certainly provide a significant amount of identifying information. Web/IP tracking in combination with E-mail/IP tracking does sound like it would be quite intrusive in terms of our privacy.
Privacy Is Not Just a Buzzword
The problem, however, is that Gmail users’ adversaries are not really after IP addresses. They simply want to be sure that an e-mail address is valid. In order to do so, many spammers may employ functionality in their e-mails such that they are able to track which e-mail addresses are active, and which are not. For example, a mass spammer could send out a specially auto-generated e-mail with image links in the form:
http://www.someimageserverspam.com/img/[email protected]
When you load this image, regardless, they will know that the ‘[email protected]’ was accessed which, in general, would imply that the e-mail address [email protected] opened/loaded that image and is an active e-mail address.
The Right Approach vs the Wrong Approach
Some very intelligent HN readers brought up a compelling argument that Google may prefetch all images upon receipt which would effectively remove the ability to track whether an e-mail address is active or not. This was a very good point, and had Google implemented this, it would have been a much better approach toward protecting user privacy.
However, I did run a simple test by sending an e-mail with an image to one of my GMail accounts 3 times. All times, no matter how I changed the timing, the image was loaded when I clicked on the e-mail. In other words, the spammer would know that my e-mail is active and when I clicked on it.
Note: One of our developers suggests that had they rolled the proxies in, but simply kept the original behavior (i.a., asking whether to display images or not to the user), they would have then had priorities at privacy first, security second and usability third. However, like this, it remains as a rollout focused on usability first, security second and privacy third.
Final Notes
It would be best, in the future, if when introducing privacy features, all pros and cons are weighed out as decisions made by a company of Google’s magnitude has serious effect on society. It would also be wise, when making changes that have dramatic effects on user privacy, to send out a privacy policy update rather than a blog post.
That being said, it is warming to know that Google does care about privacy and is committed to taking the steps to ensuring as such. For that, they deserve applause.
Comments are closed.
6 Comments
Respectfully disagree.
Firstly, I’m sceptical of the assertion that “Google’s adversaries are after valid email addresses”. I’ve never heard of a spammer trying to wash their email list. I expect they only ever add to their email lists and just spam all addresses on that list regardless.
Further to this point, you seem to be implying that spammers are now going to start sending lots of exploratory emails to auto-generated email addresses, to try and discover new email addresses. This isn’t an unfounded concern, but I would counter it by saying this is exactly the kind of activity Google already diverts straight to the spam bin (or outright blocks). I doubt it would ever work en masse.
Secondly, you can still turn off the auto-loading of images and revert to the “click here to display images below” way of doing things. So now you’re you’re even more secure than before.
Finally, this isn’t just about masking IP addresses (if it ever wasl). As stated on the Google blog, it’s about scanning and removing malicious images (images designed to exploit security holes in the various image renderers and run malicious code) – something your browser can’t do.
Also, I wouldn’t be so gung-ho about the idea of pre-fetching all images mentioned in an email. This would be a perfect way for someone to launch a google-backed DOS attack against someone.
I think that while this move by Google was publicized as a user protection feature it is partly that but it is also a move to get more people to allow image loading by default so that mass mailings can get better statistics. I am pro Google, my entire digital world is on their servers but they are an advertising company and if at all possible they will prioritize advertising.
I deactivated that “feature” when Gmail presented it to me because of privacy (like I previously had images not load automatically).
But now, for work emails with images that need the VPN (+ corp login) to load, no more options to have them show in emails, as Google servers do not have access (yet ;) to my company’s VPN.
You shouldn’t be using gmail in the first place.
You’ll need to elaborate more. Some of us are serious about privacy, but too lazy to go beyond just simply having a VPN (I <3 PIA). I use gmail for 8 different addresses. Is there something more secure? Is there one that offers two-factor authentication?
I think security wise Google is one of the best, there have not been any breaches in security (like leaked passwords) that I’ve been aware of. But obviously they will comply with laws and regulations in the countries that they are operating in so your data may be handed over to the government if they ask for it properly, but even there Google does stand by it’s users by exhausting every possible legal protection and being public about government inquiries even before it was cool (search Google Transparency Report) ;-)