1. 30

  2. 60

    Its a little ironic that this blog automatically subjects the user to google analytics tracking without the users consent.

    1. 26

      To answer the (probably rhetorical) question in the headline: you agreed to this when you accepted Google’s terms. They give themselves the right to do basically anything with “your” information, but explicitly mention collection of information about purchases.

      I know most people don’t read these things before they accept, but to people who care about privacy, I don’t understand how this is a surprise.

      1. 5

        I don’t read them because they are not legally binding.

        Nobody reads those, and nothing in them constitutes a contract or otherwise excuses the companies who write them from the requirements set forth by the law and the Constitution, or gives those companies any power which they would not possess without the notice.

        1. 11

          They may not be legally binding, but they definitely give indications on how they will use information they collect about you.

          1. 4

            I don’t read them because they are not legally binding.

            I don’t see the logic in that. It’s inconsistent to both act surprised and upset about this type of data sharing, but then also complain that you couldn’t be bothered to read the TOS. Legally binding or not, they tell you they’re going to do this type of thing.

            1. 1

              I don’t act surprised or upset. They’re going to do this type of thing.

              1. 1

                Maybe I don’t see what you’re getting at, then.

                They’re going to do this type of thing.

                Only to people who let them. There are plenty of alternatives for those of us who care about our privacy.

                1. 1

                  And I use alternatives whenever it’s practical to do so. I just felt obligated to point out that myself, and nobody who I know, makes a habit out of reading those terms of service, they are not legally binding

            2. 0

              Sorry, I think you you are confusing things. They are legally binding.

            3. 0

              Figure we just ran out of things to be outraged about.

            4. 15

              The link to the transactions page says:

              Your transactions, including deliveries and online orders, gathered from Google services like your Assistant and Gmail

              So looks like it’s just a different view on your emails. There is nothing inherently nefarious about this. If you use gmail you’re already trusting Google with your purchase details, and aggregating that data on an overview page seems like a reasonable feature. The “Reservations” feature (“Your upcoming and past reservations for flights, hotels, and events gathered from Google services, like your Assistant or Gmail”) seems even more useful!

              The issue here seems to be one of trust. You don’t trust Google does things with this data rather than present this overview to you. This is fair enough, but … why use Gmail if you don’t trust Google with this data?

              There is a link to a privacy document. What does that say? I can’t check, as this list is empty for me as I don’t use Gmail. You say that “I DO NOT want someone to use my personal data to grow their business or run analytics without my consent”, which is fair enough, but it’s not at all clear to me that this data is anything other than just a handy overview.

              1. 9

                Trust is not a binary, and consent for privacy purposes is tied to intended use.

                I suspect many people are okay with Google displaying ads based on keywords/crude email content analysis in exchange for GMail, but entirely not okay with Google analyzing email contents to extract private data out of it and then do detailed processing/data aggregation on it.

                Purchases displayed in a structured way is not just another view on existing emails. The emails have been specifically processed into structured data. There are a lot of things you could infer based on email contents that most users wouldn’t be comfortable with. To give you a related example, Uber got a lot of blowback last year, because their data collection ended up with their employees spying on celebs and people they knew to find out who is having sex with who, amongst other things.

                Having data at a company, and expecting the company not to store it in a personalized, structured, individualized way with unclear access are two very different things.

                1. 2

                  unclear access

                  I’m reasonably sure the linked privacy document should clarify that. As mentioned in me previous comment, I don’t have the link so I can’t read it.

                  I don’t disagree that processing data in to structured data can be a risk in and of itself, but the article was written in a way that makes this seem something different from what it is, and makes various unsubstantiated claims, such that Google is “using” the data in some way, that Google will “use my personal data to grow their business or run analytics”, and that “purchases we do or the credit card bank details that is being shared to make these purchases”.

                  Maybe those claims are true – I suspect they’re not, but could be wrong. However, the article has failed in demonstrating that they’re true. Instead, it seems like that author saw this overview and immediately proceeded to draw conclusions and write this without looking much further in to it. There are many details that are unclear, and those details are vastly important. I hold little love for Google (I only use their services when there’s no other good choice, like Android) but not everything Google does is some sort of plot to get at our data.

                  1. 3

                    Given that Google explicitly negotiated paid access to something like 70% of physical store purchase data in the US, combined with the fact that having this purchase history is both marginal utility to a GMail user AND very valuable to a corporation, I highly doubt that this data is only being used to provide some UI features to GMail users.

                    It is exceedingly likely that Google includes this purchase data as part of user targeting/profiling, sells the aggregate info, makes the detailed data available to “partners” and allows small enough subgroups in targeting to make individual users identifiable.

                    1. 2

                      Perhaps. But is this substantiated by the information in the privacy document?

                      1. 4

                        Why do you care about Google’s privacy document? Almost all of those are written in a way to maximize what a company lets themselves do with your data, while seeming like they don’t.

                        And even those extremely vague self-imposed limits are regularly breached across the IT sector.

                        1. 2

                          Don’t you think that serious allegations such as “Google is harvesting personal and using or selling data from emails” warrants some kind of evidence beyond “well, they stand to gain from it?”

                          I am not a fan of Google by any means, but I also think it’s important to not immediately jump to the first conclusion when there are other options, especially if it’s confirming a pre-held belief.

                          1. 4

                            Aren’t you overdoing the devil’s advocate thing a bit?

                            Your post might have been reasonable around 2013-15, but the past three years have been full of data misuse, especially and particularly 2018. As far as I’m concerned, it’s up to Google to explain in clear terms why they are collecting structured data like that and to make iron-clad legal guarantees that it is not used for any other purpose that the users haven’t consented to.

                            If you trust Google enough to give them the benefit of the doubt after all this, that’s certainly your choice.

                            1. 2

                              I don’t like Google any more than you; I’ve been careful of them for years, and haven’t used their products if it can be avoided, long before it was cool. But I’m also not going to immediately assume the worst when there are still open questions; I think that’s a good example of confirmation bias.

                              it’s up to Google to explain in clear terms why they are collecting structured data like that and to make iron-clad legal guarantees that it is not used for any other purpose that the users haven’t consented to.

                              I completely agree with that; that’s exactly why I’m asking what Google says about this data.

                2. 4

                  If someone sent you a letter and then you saw the postman outside reading your letter before giving it to you, would that be ok? You had your letters sent through the post office so you should be ok with them reading your letters.

                  The difference between delivering messages and reading/processing/extracting info from is very important.

                  1. 7

                    If the postman had for years been providing an indexing service, telling you at any point in time which email contained a word or phrase, and covering costs for the time spent by using the knowledge of what they read to pick better flyers for you, I think finding them reading your mail should be entirely unsurprising.

                    1. 1

                      This is where it all broke down, the post man is a government service, and yeah they can’t pick and choose customers, associations, or even rifle through your stuff (well they most certainly can thanks to terrorism laws).

                      Google however, is not the government, and they are free to do whatever they please, especially after you click the ‘I agree’ button. Go ahead, and try to migrate off their platform after using it for 10+ years. It’s a nightmare. I still have services and people who just insist on using my gmail instead of something that I own (well technically after the stormfront thing, its very obvious that nobody owns anything).

                      Add in those ‘public private partnerships’ and you can bet that everything is being shared.

                      1. 2

                        (well technically after the stormfront thing, its very obvious that nobody owns anything).

                        Would you like to expand on this? I’m unclear on the context.

                        1. 1

                          Stormfront is a popular neo-Nazi website (well, as “popular” as these things get anyway). Their domain registrar got fed up with them after a member killed a few people for being black. It took them a while to find a new place to host their website, as no one was willing to host, you know, literal neo-Nazis discussing how great it is to kill non-whites.

                          Daily Stormer had similar problems; they helped organize the Charlottesville neo-Nazi protests, and got kicked off their host, and also had some trouble finding a new host as few were willing to accept them.

                          So neozeed’s point presumably is, that “owning” your own domain isn’t really a guarantee for anything; you can still get kicked off the internet. If you’re not a literal neo-Nazi, then you’ve got little to fear though (personally, I am okay with that situation).

                          1. 2

                            It’s not even that they were censored; they were refused service. They are welcome to setup their own DC and buy network capacity from a common carrier (who can’t refuse).

                    2. 1

                      This is a false analogy; the postman is a human being with an understanding of what they’re reading. A script to aggregate data in a single overview isn’t.

                      1. 11

                        Its even worse. The postman likely can’t do anything with the data but Google can use it to build a profile on you and influence your purchasing decisions as well as report it all back to any government that asks for it.

                        1. 2

                          The postman likely can’t do anything with the data

                          A real person with sensitive information on another real person they know the identify of can probably do more if they really wanted to.

                          Google can use it

                          “Can use” is not the same as “actually using”.

                          influence your purchasing decisions

                          Where did you get that from? It seems quite a leap to me.

                          report it all back to any government that asks for it.

                          It’s not like Google just hands out information just because a government asks nicely. And I’m fairly sure that governments read postal mail when they consider it warranted, too.

                          1. 12

                            Where did you get that from? It seems quite a leap to me

                            I mean, Google’s entire business model is predicated on influencing purchasing decisions. They’re an advertising company. Influencing your purchasing is how they make money. It’s a bit absurd to think that they’re not going to attempt to do what their entire business is built to do, using every tool in their arsenal to do it.

                            1. 6

                              It’s not like Google just hands out information just because a government asks nicely. And I’m fairly sure that governments read postal mail when they consider it warranted, too.

                              Actually, they do. In the first half of 2018 they received almost 60000 requests from governments of which 67% were processed. You can see the details at https://transparencyreport.google.com/user-data/overview?hl=en

                              I think in most countries asking nicely is exactly what governments do. Through a standard process with a template letter signed off by some government official in which they just have to substitute your account name.

                              1. 1

                                Dont forget places like facebook & their shadow profiles. Don’t you love it when you see the ‘share/thumbs up’ buttons? You are being tracked, and profiled.

                            2. 6

                              This is the most dangerous and naive way to think in the age of AI and ML.

                              The difference between that human and that script is getting narrower and narrower.

                              In fact, the script (which is really a warehouse-size facilituy full of data processing servers) probably does a MUCH better job understanding and using that email than the human does.

                              Don’t think it is just “a script to aggregate data” - it is most likely a script to parse, understand, process, correlate, profile-build the data.

                              Remember that Gmail is free for a reason. You are the product. Your email is being used to generate money.

                          2. 3

                            So looks like it’s just a different view on your emails. There is nothing inherently nefarious about this.

                            And yet it feels different because Google has taken the time to scan the contents of my email and attempt to understand it in some way.

                            What’s interesting is that it’s nothing another email provider couldn’t do, either technically or legally - it’s just more obvious here. I suspect (based only on my experience of Google’s products) that Google are better at it than most, but there’s no reason to believe other hosted email providers aren’t doing this sort of thing.

                            1. 4

                              I’m not convinced this is even legal, Europe’s GDPR might make this quite illegal. Google et al are probably looking at multi-billion euro fines from the way these companies structured their attitude to consent and privacy.

                              1. 1

                                Quite possibly! I’m not a lawyer, or anywhere near familiar enough with the relevant laws. But I suspect the relevant question is what @arp242 hints at - does Google use this data for advertising? Or is it simply presented as a search filter on your emails (albeit one augmented by some smart content processing)?

                                I assume the former, since we already know that’s Google’s business. But would be interested to know whether that distinction would affect their legal standing.

                                1. 0


                                  The GDPR does not matter since you agreed to the Gmail Terms of Usage.

                                  The GDPR is not some magical protection for features you don’t like. That would be severely limiting to services.

                                  1. 8

                                    The GDPR does not matter since you agreed to the Gmail Terms of Usage.

                                    Yes, it does.

                                    Consent must be a specific, freely-given, plainly-worded, and unambiguous affirmation given by the data subject; an online form which has consent options structured as an opt-out selected by default is a violation of the GDPR, as the consent is not unambiguously affirmed by the user. In addition, multiple types of processing may not be “bundled” together into a single affirmation prompt, as this is not specific to each use of data, and the individual permissions are not freely-given. (Recital 32) https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Lawful_basis_for_processing

                                    If the Purchases page is legal, it’s legal because you already consented to GMail having access to, and indexing, your email. Not because it’s buried under the ToS. Consenting to having your email automatically categorized and indexed would also not implicitly give Google permission to use it for ad targetting.

                                    There’s a reason everybody’s so panicked about the GDPR. It is very, very strict.

                              2. 2

                                My question is if I delete an email, does the purchase disappear?

                                1. 1

                                  According to Reddit, yes.

                                2. 1

                                  You should read the Gmail Terms of Service instead. It will clearly explain that Google can do whatever they want with your email. According to the ToS they can even publish it or share it with “those we work with”.

                                3. 6

                                  What did you expect?

                                  Google is the world’s largest ad company, highly specialized in profile building, data mining and tracking.

                                  And. You. Gave. Them. Full. Unfiltered. Access. To. Your Email.

                                  The Gmail terms of use link to https://policies.google.com/terms?gl=US&hl=en#toc-content where you can read:

                                  Some of our Services allow you to upload, submit, store, send or receive content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.

                                  Good news, you own your email :-)

                                  But …

                                  Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.

                                  And …

                                  When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.

                                  Again, how can you be surprised?

                                  1. 1

                                    This is the correct analysis.

                                    Fun story: when I log into that /purchases route with my G Suite (Google for business) account, there’s nothing listed.

                                    But I pay for that account, every month, with cash. Happily, too.

                                    1. 1

                                      Does that mean you excempt? Your comment reads like you’re implying you are. Why do you think that’s the case?

                                      1. 2

                                        No advertising in G Suite There is no advertising in the G Suite Core Services, and we have no plans to change this in the future. Google does not collect, scan or use data in G Suite Core Services for advertising purposes. Customer administrators can restrict access to Non-Core Services from the G Suite Admin console. Google indexes customer data to provide beneficial services, such as spam filtering, virus detection, spellcheck and the ability to search for emails and files within an individual account


                                  2. 3

                                    I think the more concerning thing is these kind of standard form contracts could easily be pushed by every other email service provider. Of course there really isn’t any alternative since self hosted email will be mired in silent filtering and spam rejections.

                                    1. 4

                                      There are plenty of alternatives. ProtonMail, FastMail, Migadu. Hell, even iCloud is a good alternative for Gmail.

                                      1. 1

                                        All of which require agreeing to a EULA. I’m not aware of what those services state in their EULAs

                                        1. 2

                                          I’m not aware of what those services state in their EULAs

                                          You could, you know, read them. Many of them are not terribly long, and they are usually very clear about what expectations are.

                                    2. 3

                                      I’ve said this a few times (even here!), but I really stopped trusting google when Google+ recommended a sensitive client contact to me as a Google+ connection.

                                      I had:

                                      • all phone contacts set to “Device Only” on that phone
                                      • no backups of contacts to cloud or the like
                                      • (I thought) set Google+ to be disallowed from accessing phone contacts

                                      I don’t think Apple is “better” about this sort of thing, but they seem to mainly use it to make improvements to the daily use-cases of their users… for now. Once they start to tap or sell that data in a large spread way, it’ll be too late in any case, and it’ll just be another Facebook/Google situation.

                                      1. 1

                                        Apple says they are focused on customer privacy. Ironically, the massive amount of money they make is seen as the best guarantee that they’ll actually respect privacy - they don’t need the money like Google and Facebook does.

                                        1. 2

                                          I don’t disagree at all, I just mean it is possible at some point for that to change, and at that point they’re sitting on a mountain of data, similar to that of Google and Facebook.

                                          1. 3

                                            Yes, I agree. It’s not unreasonable for a future management at Apple to be tempted to monetize this data.

                                            The comparison of personal data with toxic waste is quite appropriate. It’s hard to store securely, it can cause a lot of problems if misused, and it can last a long time.

                                            1. 3

                                              exactly. I usually phrase it as:

                                              • it’s difficult to store securely
                                              • it’s difficult to identify procedures for safe handling
                                              • it lasts forever
                                              • when it leaks it destroys your environment.

                                              I also like the nuclear materials comparison as well, since it has many of the same features, but also has the “extremely useful when used correctly, extremely harmful when put in the wrong hands” dichotomy.

                                              1. 3

                                                As long as the cost of business of losing or misusing personal information is lower than the benefits of utilizing it (in user tracking, ad targeting etc), there’s zero chance of the industry handling personal details changing.

                                                1. 3

                                                  oh for sure; forget OPM, look at how poorly Equifax responded and their punishment has been squints at notes they’re selling more services than ever?

                                                  Their customer were not the folks impacted; their customers are other businesses and such, so nothing happened. It’s a complete shame.

                                      2. 2

                                        This is why I use fastmail now.

                                        1. 1

                                          It is being so difficult and yet so excruciating to leave both GMail (for ProtonMail in my case) and Chrome (for Brave).

                                          1. 4

                                            Why is it difficult or excruciating? There are many email services and browsers, many of which are better than gmail and Chrome in my opinion.

                                            1. 2

                                              Speaking just for myself here, but I’m probably up to 40 or 50 online accounts, each of which has my email address.

                                              Changing them all to a new email address most certainly would be difficult.

                                              1. 7

                                                When I switched away from gmail, I forwarded all messages to my new account. It took ~6 months before I had gotten most of my contacts to use the new address, and I still got a ‘real’ message every month or so after 2 years.

                                                It’s been about a year since I last got an important message to it. Everything I use has changed over in the fullness of time.

                                                Now that I own the address, I can move providers without having to go through that again :)

                                                TL;DR: The best time to plant a tree is 20 years ago; the second best time is today.

                                                1. 3

                                                  My primary email address has been at a domain I own since 2005, and I’m really thankful for that. Right now, my address just sends the mail along to gmail, but I can move to another email provider without having to change things with all of the services I use.

                                                2. 0

                                                  Not for me.

                                                  1. 3

                                                    Can I ask why?

                                                    1. 0

                                                      I am missing functionality from Brave and ProtonMail.

                                                3. 2

                                                  It is mostly difficult because Gmail is a great FREE service. That is of course for a reason - YOU are the money generating product. So if you want to turn that around, you will have to accept that you will have to pay for an alternative.

                                                  1. 3

                                                    I already pay for ProtonMail and I would gladly pay for a browser. That’s not the point. GMail and Chrome, IMHO are far superior products still.

                                                4. 1

                                                  I use inbox and this is basically just the same stuff I get in purchases. For me I don’t feel like this is much of an issue the purchases page links to this help page where they state:

                                                  Only you can see your orders

                                                  If you don’t trust them on this then use another provider.

                                                  1. 1

                                                    Our Politicians needs to review our Data protection laws and should have stringent rules to fine and penalize the one who are violating.

                                                    I agree. It seems min2bro is from India. Is there any lobbying happening to copy GDPR from the EU?

                                                    1. 1

                                                      I’m a bit surprised that URL shows no purchases for me. I have a paid Gmail account on my own domain, and there must be a knob somewhere that disables it.