If you don’t think senders should be able to snoop on when you open their emails, take a look at Gmail settings and choose “Ask before displaying external images”.

This isn’t just about giving information to spammers. Do you want to broadcast your mail reading schedule to anyone who sends you mail? Not displaying external images isn’t only about whether the images are secure to view. It’s also about giving others information unintentionally.
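As an added illustration (not part of the original post), the Python below lists the image references in a message that would make a mail client contact a sender-chosen server when the mail is displayed, which is the fetch that “Ask before displaying external images” holds back. The sample message and the host `tracker.example` are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not from the post); tracker.example is a placeholder host.
SAMPLE = b"""\
From: news@tracker.example
To: you@example.org
Subject: Hello
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi!</p>
<img src="https://tracker.example/open.gif?rcpt=you%40example.org&msg=1234" width="1" height="1">
<img src="cid:logo@local" alt="logo">
<img src="//cdn.tracker.example/banner.png">
</body></html>
"""

class RemoteImageFinder(HTMLParser):
    """Collect <img> sources that would trigger a network fetch on display."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        src = (dict(attrs).get("src") or "").strip()
        parts = urlsplit(src)
        # cid: and data: images travel inside the message itself; http(s) and
        # scheme-relative (//host/...) URLs contact a server the sender chose.
        if parts.scheme in ("http", "https") or (not parts.scheme and parts.netloc):
            self.remote.append((parts.hostname, src))

def remote_images(raw_message: bytes):
    """Return (host, url) for every remote image in the HTML parts of a message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteImageFinder()
            finder.feed(part.get_content())
            finder.close()
            found.extend(finder.remote)
    return found

if __name__ == "__main__":
    print(*remote_images(SAMPLE), sep="\n")
```

The per-recipient query string on the first image is what ties a fetch to one reader; the `cid:` image is embedded in the message and causes no network request.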


Alan Cox December 18, 2013 10:04

Not sure how Google works, but many systems expose IP address, client info, etc. in the direct fetch.

Curtis Olson December 18, 2013 10:41

In my view, awareness of this issue is slightly more important than the specific changes Google is making. Most people will just show the pictures and not realize there could ever be a privacy/tracking issue. This is a sneaky one … hadn’t thought about it before myself. And right, a direct fetch could expose IP, OS or hardware info, city/country, etc. So don’t open up that spam, not even just for a quick peek.

Michael K Johnson December 18, 2013 11:10

Google changed the fetch to be through their servers to re-encoded images, rather than direct, but between my points and +Alan Cox’s points, that only (potentially) addresses issues regarding malicious images being used to subvert client systems, not privacy generally (inclusive of privacy that is security-relevant).

Michael K Johnson December 19, 2013 14:06

+Scott Mcdermott If Google fetches them when receiving the mail, and explicitly not when displaying the mail, and doesn’t fetch anything external when displaying the mail, then I don’t care much. (That’s not how this has been documented so far, though.)

My point was that Google changed the default for users, making them actively change their configuration to restore privacy, and it was that kind of unilateral change on Facebook’s part that made me want not to join Facebook.

Google does better by at least telling you when they make the change, but the way this option is described is not making the privacy implications obvious to most users, and certainly not to non-technical users.

Curtis Olson December 19, 2013 14:17

If Google fetches the images and stores them the moment it receives the email, that would help I think. But if the image server then gets flooded, there would be many errors fetching the images. So how hard would Google work to retry the fetch? If the initial image pull failed would they then just wait until the user opens the email and requests them? There’d have to be a balance to minimize Google’s servers hammering the image servers in a death spiral vs. privacy … and if Google backed off after the initial try and waited, then the spam server could perhaps fail for some time before succeeding to attempt to screw up Google’s pre-pull of the image. This could go back and forth and back and forth.

My point is that most users won’t understand any of this, and will blindly click show pictures if you ask. And if you explain the issue before letting them click they won’t read it, and if they read it they probably won’t understand or care. When I project my brain into Google land, I can see it both ways … it might be interesting to know usage stats … maybe 99.999% immediately click show images anyway?

Anyway, I agree with your point that changing security/privacy preferences silently behind your back is not good – but it’s a complicated, nitpicky issue for most people, so forcing everyone to read a 2 page article and make an informed choice may not be a viable option either? Maybe they get more complaints about not showing the pictures and requests to default to showing pictures by far than requests for privacy? I’ve typed way too much here … sorry!

Imported from Google+ — content and formatting may not be reliable