Gmail recently changed the way it displays images to you (Official Gmail Blog). From a user perspective this can be good, and from a security perspective this might be good, but from a privacy perspective I’m not convinced this is a good move for the sender or recipient. First let me explain what changes Google has made and how they affect you.
Usually when you receive an image embedded in an email, you’ll see a bar at the top of the email letting you know that there are images in this e-mail but that they haven’t been displayed. You can optionally click the “display images below” link and Gmail will display the images. The reason Gmail and most other email clients have chosen not to load the images is that the images are loaded from the e-mail sender’s servers. This means the sender can know quite a lot about your computer when you load that message.
Let’s say you are using Gmail through a web browser. When you load your e-mail you’ll get the text of that e-mail from the server. Most likely that text is actually HTML, and as the page loads, the browser requests each image in turn from the sender’s server. Each time the browser makes a request to any server it sends quite a lot of information about you. This isn’t specifically personal information, but it is enough to uniquely identify you and to tell the sender at least the following information:
- Your language
- Your device type (desktop, mobile device, tablet, etc.)
- Your browser and operating system
- Your location (via IP)
- Possibly your web browser’s capabilities such as Flash, etc.
This is only sent to the sender’s server if you request those images; however, senders use another trick to figure out some more information. E-mail senders may put a unique “beacon” image in your e-mail, which uniquely identifies you and when you open the message. Since your browser will request the image when you open the mail, the sender can discover that you opened the image and when you, in particular, opened the e-mail. This is how they can figure out how many e-mail views a particular e-mail campaign receives.
If this sounds pretty bad to you, you’d be right. If you load the images from an e-mail you’re sending quite a lot of information about yourself to the sender. This is why the default has been for Gmail and almost every other email client to only retrieve the images when you tell it to.
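To make the beacon idea concrete from the recipient's side, here is an added example (not part of the original post) that audits an HTML message body and lists every image that would trigger a remote request, flagging the ones that look like beacons. The sample message, the host names and the two heuristics (1x1 size, long opaque query value) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed HTML body of a marketing e-mail (made up for this example).
SAMPLE_HTML = """
<html><body>
<p>Winter sale starts today!</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="https://track.shop.example/o.gif?uid=9f8e7d6c5b4a3f21" width="1" height="1">
<img src="cid:logo@shop.example" width="120" height="40">
</body></html>
"""

# Heuristic (assumption): a long hex or opaque value is likely a per-recipient ID.
TOKEN = re.compile(r"^[0-9a-fA-F]{12,}$|^[A-Za-z0-9_-]{20,}$")

class ImageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (host, [reasons]) for every remotely loaded image

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images travel inside the message, no request is made
        reasons = []
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            reasons.append("tiny")  # invisible pixel
        for name, values in parse_qs(url.query).items():
            if any(TOKEN.match(v) for v in values):
                reasons.append("token:" + name)  # URL is unique to one recipient
        self.findings.append((url.hostname, reasons))

def audit(html):
    """Return (host, reasons) for each image that causes a remote fetch."""
    parser = ImageAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for host, reasons in audit(SAMPLE_HTML):
        print(host, "BEACON?" if reasons else "ok", reasons)
```

An image with an empty reason list still contacts the sender's server when loaded; the flags only mark the ones whose URL or size suggests they exist to identify one recipient.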
What’s changing then?
As of today, the Gmail team has announced that they will be automatically loading images for you by default (Images Now Showing - Gmail Blog), but they say they’re doing it in a secure way that won’t share all of that information about you with the sender. Of course you’ll still be sending this information to Google, but they already had the information because you’re using their service and servers directly.
The way they’re attempting to do this is to automatically download all the images in each e-mail through a proxy server. This proxy server will make the requests on your behalf and will strip out the header information which includes that bulleted list of data from above. From early reports the proxy servers seem to be used for Gmail only.
However, based on the limited information from their blog post it looks like it’s still making the request at the time of message open. This means the sender will still know that you opened the message. If they’re using unique tracking beacons that information will still be shared. This is the new default, so this information will be shared unless you take action. Note: I haven’t been able to test this on my account, as they haven’t rolled out the new features to all addresses yet. I’ll update this as I have more information.
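The following added example (not from the original post and not Google's code) models the argument above: it compares what a sender's server can record from a direct image request with what it can record when a fetch-on-open proxy makes the request instead. The request values, the proxy address and the set of stripped headers are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed request, as a browser would send it when loading a beacon
# straight from the sender (all values are made up for this example).
DIRECT = {
    "time": "2013-12-12T09:14:03Z",
    "client_ip": "203.0.113.45",              # RFC 5737 documentation address
    "url": "https://track.sender.example/o.gif?rid=7f3a9c21",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/31.0 Safari/537.36",
        "Accept-Language": "de-DE,de;q=0.8",
    },
}
PROXY_IP = "198.51.100.7"                     # hypothetical proxy address
STRIPPED = {"user-agent", "accept-language", "referer", "cookie"}  # assumed set

def through_proxy(req):
    """Model of a fetch-on-open image proxy: same URL and time, the proxy's
    IP address, identifying headers dropped."""
    kept = {k: v for k, v in req["headers"].items() if k.lower() not in STRIPPED}
    return {**req, "client_ip": PROXY_IP, "headers": kept}

def sender_learns(req):
    """Fields the sender's server can record from a single image request."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    query = parse_qs(urlsplit(req["url"]).query)
    return {
        "recipient": query.get("rid", [None])[0],  # per-recipient token in the URL
        "opened_at": req["time"],
        "ip": req["client_ip"],
        "language": headers.get("accept-language"),
        "browser_os": headers.get("user-agent"),
    }

def still_leaked(req):
    """Names of fields that reach the sender unchanged despite the proxy."""
    before, after = sender_learns(req), sender_learns(through_proxy(req))
    return sorted(k for k in before if before[k] is not None and before[k] == after[k])

if __name__ == "__main__":
    print("direct :", sender_learns(DIRECT))
    print("proxied:", sender_learns(through_proxy(DIRECT)))
    print("still leaked:", still_leaked(DIRECT))
```

In this model the IP address, language and browser details no longer reach the sender, while the per-recipient URL and the time of the request do.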
What this means for Privacy and Security
From a Privacy and Security perspective this is better than requesting the images in the old system, but not as good as not requesting them at all. In the old system no information about you or when you opened the document was sent to the sender. In the new system the sender will be able to know when you open your e-mail.
There’s also the concern of Gmail routing your images through their servers. Before, the images would be sent via a direct request to you from the sender’s servers. This isn’t a good thing when it’s a spam sender, but it does provide a small bit of privacy when it’s coming from a secondary server (say somebody’s personal or corporate e-mail server). Of course if you’re sending to and from a Gmail address no change is made. In the new system Google is accessing the images sent directly to you on your behalf.
If images are routed through Gmail’s servers it is impossible to know what they’ll do with them. In an ideal situation Gmail’s proxy servers will be used only to route the images to you and no data will be stored on their servers. This seems unlikely to me coming from a company whose motto is “to organize the world’s information and make it universally accessible and useful.”
There is strong incentive for them to store images on their servers. If they serve the image from their servers they can cut down on their bandwidth costs by only requesting an image once. They can cut down on the total amount of data they have to store using deduplication techniques. They also have to store this information securely, and ensure that only the right person has access to the right information.
Google has a decent history of keeping information safe, but security is difficult to do, and with every new feature comes new attack surface and new security concerns. Although you can change a setting in your e-mail so that it will continue to ask to display images before loading them, the images will still be routed through the Google servers. If the idea of Google viewing, storing or routing your images concerns you, you may want to look to switch e-mail providers. Unfortunately that is the only option at this time.
Posted By: Joe Basirico