Gmail blows up e-mail marketing by caching all images on Google servers
22 replies, posted
[I]Hosted images mean better privacy, faster load times, and less competition for Google.[/I]
by Ron Amadeo - Dec 12 2013, 2:06pm EST
[img]http://cdn.arstechnica.net/wp-content/uploads/2013/12/2013-12-12_11-55-22-640x234.png[/img]
[quote]Ever wonder why most e-mail clients hide images by default? The reason for the "display images" button is because images in an e-mail must be loaded from a third-party server. For promotional e-mails and spam, usually this server is operated by the entity that sent the e-mail. So when you load these images, you aren't just receiving an image—you're also sending a ton of data about yourself to the e-mail marketer.
Loading images from these promotional e-mails reveals a lot about you. Marketers get a rough idea of your location via your IP address. They can see the HTTP referrer, meaning the URL of the page that requested the image. With the referral data, marketers can see not only what client you are using (desktop app, Web, mobile, etc.) but also what folder you were viewing the e-mail in. For instance, if you had a Gmail folder named "Ars Technica" and loaded e-mail images, the referral URL would be "https://mail.google.com/mail/u/0/#label/Ars+Technica"—the folder is right there in the URL. The same goes for the inbox, spam, and any other location. It's even possible to uniquely identify each e-mail, so marketers can tell which e-mail address requested the images—they know that you've read the e-mail. And if it was spam, this will often earn you more spam since the spammers can tell you've read their last e-mail.
[I]Update: email marketers claim they can get Gmail folder information, but several readers correctly pointed out that common browsers like Chrome and Firefox do not, in fact, send that information themselves as part of the referrer.[/I]
But Google has just announced a move that will shut most of these tactics down: it will cache all images for Gmail users. Embedded images will now be saved by Google, and the e-mail content will be modified to display those images from Google's cache, instead of from a third-party server. E-mail marketers will no longer be able to get any information from images—they will see a single request from Google, which will then be used to send the image out to all Gmail users. Unless you click on a link, marketers will have no idea the e-mail has been seen. While this means improved privacy from e-mail marketers, Google will now be digging deeper than ever into your e-mails and literally modifying the contents. If you were worried about e-mail scanning, this may take things a step further. However, if you don't like the idea of cached images, you can turn it off in the settings.[/quote]
[url]http://arstechnica.com/information-technology/2013/12/gmail-blows-up-e-mail-marketing-by-caching-all-images-on-google-servers/[/url]
I've always wondered why Gmail and others do this, that's a great idea to cache them tho
The referer shouldn't work in any modern browser (Really, IE has had the right behaviour since IE4) if the images are served on a non HTTPS secured connection. But I have no idea what they're going to do if the URL contains the information on the target (i.e. encode the hash of the email in the URL, then provide random data back so the Gmail servers consider it unique)
Jesus, Google must have a hard drive farm bigger than Rhode Island.
[QUOTE=Dr. Evilcop;43167473]Jesus, Google must have a hard drive farm bigger than Rhode Island.[/QUOTE]
They've got storage centers all around the world, just about every Country, State, Province, Territory and County you can think of
[QUOTE=fruxodaily;43167539]They've got storage centers all around the world, just about every Country, State, Province, Territory and County you can think of[/QUOTE]
not really [url]http://www.google.com.au/about/datacenters/inside/locations/[/url]
[QUOTE=Hendo;43167783]not really [URL]http://www.google.com.au/about/datacenters/inside/locations/[/URL][/QUOTE]
ya but the exaggeration was so much cooler let it slide. google is powerful and all knowing
[QUOTE=fruxodaily;43167539]They've got storage centers all around the world, just about every Country, State, Province, Territory and County you can think of[/QUOTE]
yeah, i know that my cousins are renting out their second bedroom to google for rack space
[QUOTE=Hendo;43167783]not really [url]http://www.google.com.au/about/datacenters/inside/locations/[/url][/QUOTE]
You had to ruin my vibe man what the fuck
Won't work, you just use symbolic links to give every person their "own" image, and when Google's proxy fetches the image, the advertisers know that the email was read.
Unless Google prefetches the image as soon as the email is received.
Some people are seeing fetches as soon as the image is received, others whenever it's opened (Allowing for even better tracking), and some are seeing both.
I hope they'll do this for standalone clients too.
[QUOTE]If you were worried about e-mail scanning, this may take things a step further. However, if you don't like the idea of cached images, you can turn it off in the settings.[/QUOTE]
...what about if [i]both[/i] ideas sound terrible, though? I don't want my emails snooped through AND I don't want the images loading and thus feeding the spammers info...
I kind of thought they already did this since they already provide virus scanning when you're downloading and opening attachments
[QUOTE=garychencool;43169651]I kind of thought they already did this since they already provide virus scanning when you're downloading and opening attachments[/QUOTE]
Virus scanning =/= preloading images. They're fetching the image from the 3rd party server, so your computer doesn't have to. It's all from Google's servers now.
basically google is downloading all images sent to any *@gmail.com
so now they don't get any usable marketing data because the images have already been viewed
[QUOTE=TestECull;43169585]...what about if [i]both[/i] ideas sound terrible, though? I don't want my emails snooped through AND I don't want the images loading and thus feeding the spammers info...[/QUOTE]
Your emails are always "snooped through" because that's the only way anti-spam measures work
Actually Google isn't really being as big of a hero as the OP's article implies:
[url]https://support.google.com/mail/answer/145919?p=display_images&rd=1[/url]
[quote]In some cases, senders may be able to know whether an individual has opened a message[/quote]
Also this change effectively means that while Marketers will have a harder time getting direct access to knowing your IP and such from images you've downloaded from emails, Google now controls all this information. And they are basically an information/ad brokering company at this point.
I mean there are some good things with this but that particular article is playing it off as if Google is stopping the practice entirely, when it really isn't and is instead now controlling your email browsing privacy themselves.
[QUOTE=TestECull;43169585]...what about if [i]both[/i] ideas sound terrible, though? I don't want my emails snooped through AND I don't want the images loading and thus feeding the spammers info...[/QUOTE]
Run your own mail server then, it's not resource intensive, you don't have to worry about mailbox size, never have to worry about your provider handing over data to marketers or such.
There are pre-existing images that turn a RPi into a fully functioning IMAP/SMTP server for small businesses that have strong security and include a webmail UI, all for free (Literally all you need is a domain name and a system to run it)
[QUOTE=TestECull;43169585]...what about if [I]both[/I] ideas sound terrible, though? I don't want my emails snooped through AND I don't want the images loading and thus feeding the spammers info...[/QUOTE]
Don't want your emails snooped? Don't use gmail. Its that simple, its the trade off for a free mail service from Google.
[QUOTE=KorJax;43171661]Actually Google isn't really being as big of a hero as the OP's article implies:
[url]https://support.google.com/mail/answer/145919?p=display_images&rd=1[/url]
Also this change effectively means that while Marketers will have a harder time getting direct access to knowing your IP and such from images you've downloaded from emails, Google now controls all this information. And they are basically an information/ad brokering company at this point.
I mean there are some good things with this but that particular article is playing it off as if Google is stopping the practice entirely, when it really isn't and is instead now controlling your email browsing privacy themselves.[/QUOTE]
You neglected to quote the entire sentence of
[QUOTE]In some cases, senders may be able to know whether an individual has opened a message [b]with unique image links.[/b][/QUOTE] As each recipient gets sent an email with unique image links (that likely resolve to the same image on the original server but there's no way to tell), there's really nothing that can be done to stymie tracking of this nature. Requests are still getting proxied through Google so the senders have no way of getting referrer information, but they do still get to see whether the image was accessed in the first place (which when using unique links allows for "did <specific recipient> open the email" tracking.) There's no way for Google to tell that the images themselves might be the same when the links are different so they just go grab the "new" image to cache.
(If the above was confusing, here's a little example)
Non unique images (the usual case where Google can best protect users):
1) Marketer sends email to persons A, B, and C with image C.jpg
2) Person A opens the email. Google servers cache C.jpg. Marketer knows that C.jpg has been accessed (but no specific information about person A).
3) Person B opens the email. C.jpg is loaded from Google servers. Marketer does not know that C.jpg has been accessed.
4) Person C opens the email. Again it is loaded from Google's cache and the marketer gets no information.
Unique images (as mentioned by that support page):
1) Marketer sends email to persons A, B, and C, with image Ca.jpg for person A, Cb.jpg for person B, and Cc.jpg for person C. All images are the same they just have different URLs.
2) Person A opens the email. Google servers cache Ca.jpg. Marketer knows that Ca.jpg has been accessed (but gets no browser/OS/etc info about person A). Due to using unique URLs, they know that person A has read the email as only person A recieved Ca.jpg.
3) Person B opens the email. Google servers cache Cb.jpg, as they have no way of telling that it is the same as Ca.jpg. Marketer knows that Cb.jpg has been accessed, and so now knows that person B has read the email. (however they still do not get referrer info due to the proxy)
4) Person C opens the email. Google servers cache Cb.jpg, again not knowing that it is the same as Ca and Cb. Marketer can tell that person C has read the email.
So the proxying does block all the referrer info from reaching the marketers, and if identical links are used then they only know that the image was accessed once regardless of how many Gmail users view it. If unique links are used Google is forced to load each image even if the content is the same (there is no way to tell just by URL), allowing the marketers to track viewership (they still do not get referrer information).
So it seems to me like they're doing all they realistically can.
[QUOTE=BMCHa;43178367]You neglected to quote the entire sentence of
As each recipient gets sent an email with unique image links (that likely resolve to the same image on the original server but there's no way to tell), there's really nothing that can be done to stymie tracking of this nature. Requests are still getting proxied through Google so the senders have no way of getting referrer information, but they do still get to see whether the image was accessed in the first place (which when using unique links allows for "did <specific recipient> open the email" tracking.) There's no way for Google to tell that the images themselves might be the same when the links are different so they just go grab the "new" image to cache.
(If the above was confusing, here's a little example)
Non unique images (the usual case where Google can best protect users):
1) Marketer sends email to persons A, B, and C with image C.jpg
2) Person A opens the email. Google servers cache C.jpg. Marketer knows that C.jpg has been accessed (but no specific information about person A).
3) Person B opens the email. C.jpg is loaded from Google servers. Marketer does not know that C.jpg has been accessed.
4) Person C opens the email. Again it is loaded from Google's cache and the marketer gets no information.
Unique images (as mentioned by that support page):
1) Marketer sends email to persons A, B, and C, with image Ca.jpg for person A, Cb.jpg for person B, and Cc.jpg for person C. All images are the same they just have different URLs.
2) Person A opens the email. Google servers cache Ca.jpg. Marketer knows that Ca.jpg has been accessed (but gets no browser/OS/etc info about person A). Due to using unique URLs, they know that person A has read the email as only person A recieved Ca.jpg.
3) Person B opens the email. Google servers cache Cb.jpg, as they have no way of telling that it is the same as Ca.jpg. Marketer knows that Cb.jpg has been accessed, and so now knows that person B has read the email. (however they still do not get referrer info due to the proxy)
4) Person C opens the email. Google servers cache Cb.jpg, again not knowing that it is the same as Ca and Cb. Marketer can tell that person C has read the email.
So the proxying does block all the referrer info from reaching the marketers, and if identical links are used then they only know that the image was accessed once regardless of how many Gmail users view it. If unique links are used Google is forced to load each image even if the content is the same (there is no way to tell just by URL), allowing the marketers to track viewership (they still do not get referrer information).
So it seems to me like they're doing all they realistically can.[/QUOTE]
Unless google pre-caches all images of course, which would make the date and time of every image the same.
Sorry, you need to Log In to post a reply to this thread.