Recently I came across this story by Todd Haselton that describes how the author located an obscure “purchases” page in his Google account settings and there found a methodical list of his online purchasing history, from third-party outside vendors, going back to 2012.
The upshot of the story was that:
- Google saves years of information on purchases you’ve made, even outside Google, and pulls this information from Gmail.
- It’s complicated to delete this private information, and options to turn it off are hidden in privacy settings.
- Google says it doesn’t use this information to sell you ads.
Naturally, I flagged this story for the next edition of our #AxisOfEasy newsletter. Haselton reports that it isn’t easy to locate and delete this information, nor is there a straightforward path to find it in your privacy settings to disable this behaviour.
This can’t be true (can it?)
The more I thought about this the more I thought “this can’t be true”. I apologize for doubting Haselton, but I thought he had to have it wrong, that maybe he had a stored credit card in his browser that he had forgotten or something, because the ramifications, if true, are dire.
First, it means that in order to isolate and parse purchases, Google must then be scanning every email, otherwise, how would they know what’s a purchase and what isn’t?
Further, if they were scanning every email for purchases, what else were they scanning for? Either now, or in the future? The important mechanism, the infrastructure and methodology to scan and parse every inbound email, is clearly in place and operational now; adding additional criteria is just a matter of tweaking the parameters.
Then, there is the matter that Google is doing this without informing their users. We can probably wager that there is buried down the rabbit hole of the ToS some clause that alludes to the possibility that Google reserves the right from time to time (including all the time) to do something or another with your email that may or may not involve machine reading it and dissecting it for your behavioural patterns; none of us have ever read it.
More importantly, it didn’t require an explicit opt-in to fire it up.
[ As a belated aside – everybody in tech already knew that the point of Gmail was it was free, and they would scan the contents to target ads. At some point I think they may have announced that they stopped doing that, I can’t remember. But the vast majority of normies (defined as people who don’t dream in XML), don’t realize this, or haven’t given it much thought. However this, parsing out financial transaction data specifically, takes it to a new level.]
I’ve personally verified this is happening
As I said, I initially thought that Haselton had perhaps stored credit cards in his Chrome browser and his purchase history was being populated from that. I still couldn’t believe that Google was in essence reading your email and cataloging your purchases on its own.
My Google purchases page existed, but was empty. To test it, I configured my gmail account (which I barely use, for anything other than Google news alerts) to receive any email from my Amazon account. None of my web browsers have any credit cards stored. Then I went and picked up a new audiobook.
Sure enough…within seconds, my heretofore empty purchases page, suddenly had an entry:
Hovering over the “info” icon anticipates the question, how did this get here?
And so we click to find out…
We get it from Google’s mouth:
“This purchase was found in your Gmail” (emphasis added, because properly rendered it should read “We found this financial transaction sifting through your email”).
Why this is problematic
Before this revelation, I was already habitually remarking how it simply astounded me whenever I came across a law firm, or an investment fund, or medical professional, or financial services firm, or any outfit that routinely carries out proprietary or confidential communications (you know them by the typical disclaimer they append to every single email they send):
“This email and any accompanying attachments contain confidential information intended only for the individual or entity named above. Any dissemination or action taken in reliance on this email or attachments by anyone other than the intended recipient is strictly prohibited.”
…and find they’re using Gmail? Yikes. Those disclaimers should be modified to read:
“This firm’s email and all accompanying attachments and any of your replies to us will be scanned, parsed and analyzed by our email provider. Hope you’re cool with that.”
Because that’s what’s actually happening. Here’s the shortlist of problems with this:
- We don’t know what else they are scanning for, what else they are parsing out, where they are storing it and what they are doing with it.
- Google says they are not using this info to target ads, as if that settles matters. Then what are they doing with it or why else would they even bother? Further, Google says a lot of things, some of them turn out to be disingenuous. Google once testified before the US Congress that they don’t manually intervene in search results, it was later revealed that they …manually intervene in search results.
- Whatever data mining and collation and cataloging systems and resources are in place could be abused by Google staff. There are ample cases of tech giant employees abusing their positions and their visibility into user data.
- These same systems could be abused or exploited by partners, as has been reported in #AxisOfEasy in previous instances.
- These systems could be used (or are being used) under a larger umbrella of State surveillance, which we all know is happening – thanks to the likes of Edward Snowden (see his recent talk to Dalhousie University here). Google’s startup financing came in part from the US intelligence apparatus and, as is frequently observed here and elsewhere, Google is now a major contractor to world governments and the US military.
- [ Added – later] As pointed out by a reader, it may also violate data privacy laws of various locales, regardless of what’s actually in the ToS.
Objections and Rationalizations
There will no doubt be people who read this and object to this being a problem on three grounds:
- “Everybody does it”, in the sense that any email provider who is running virus or spam filters at their edge is in essence scanning every inbound email. This is true, but only in the sense that they are actively seeking to separate noise, which costs everybody, including the recipient, from signal – stuff the recipient wants to receive. They are not parsing non-infected, purportedly non-spam email. Let’s call it “real email”. They aren’t parsing and cataloging your real email based on its contents.
- It’s free so shut up. For most gmail users, this is true. But they should also realize that if they don’t want to shut up about this, then the correct response is to move one’s email away from Gmail and pay a provider you trust not to inspect and datamine your private and business correspondence. Remember the old adage: “If you’re not paying for the product, you are the product”.
- If you have nothing to hide you have nothing to fear. Often quipped by people who have never read a history book. There isn’t much to say about these unfortunates other than, go read a few.
I frequently recommend the biography of Joseph Fouché, the man who ran Napoleon’s secret police, who also cast the deciding vote to behead King Louis XVI. He is credited therein with having invented the modern police state as we know it. If you want to see a long trail of people who had nothing to hide become separated from their wealth, their liberty and their heads… start there.
What to do about it
Maybe you know all this and you really don’t care, and that’s fine. As long as your cultural choices and your political beliefs and your lifestyle match the accepted norms of a rapidly shrinking Overton Window of what constitutes “acceptable”, then you shouldn’t have to worry about anything. Really.
If you’re an easyDNS client and you use Gmail, you should probably be made aware that many of the domain packages here come with email hosting included. If you have lots of historical email at Gmail (or anyplace else) you can use our IMAP migration tool to painlessly copy everything over from Google, except, alas, your purchase history.
Encrypted Email Forwarding: If you must use Gmail, or any other third-party provider, and you are forwarding email through your own domain to those destinations, we should also mention that easyDNS has been offering a unique feature for years where you can enter your public GPG key into your mailmaps and we’ll use it to encrypt your email messages before we forward them to their ultimate destination. It’s not an end-to-end encryption methodology, but it does cover your data-at-rest. (Learn more).
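The forwarding arrangement described above, as an added sketch (not easyDNS code; the address, sample message and function names are constructed, and encrypting only the body while leaving headers as they are is an assumption of this sketch). It shows why the scheme is not end-to-end, since the forwarder handles the plaintext, and that the stored copy is unreadable without the recipient's private key.

```bash
#!/usr/bin/env bash
# Added sketch: encrypt-on-forward with the recipient's public key (all values constructed).
set -eu
RCPT="you@example.net"                        # constructed address
RCPT_HOME="$(mktemp -d)"; FWD_HOME="$(mktemp -d)"   # two throwaway keyrings
trap 'for h in "$RCPT_HOME" "$FWD_HOME"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; rm -rf "$h"; done' EXIT
g() { local home="$1"; shift; gpg --homedir "$home" --batch --quiet "$@" 2>/dev/null; }

# Recipient: generate a key pair; only the public half is handed to the forwarder.
g "$RCPT_HOME" --pinentry-mode loopback --passphrase '' --quick-generate-key "$RCPT"
g "$RCPT_HOME" --armor --export "$RCPT" | g "$FWD_HOME" --import

# Forwarder: receives the message in the clear (so this is not end-to-end), keeps
# the headers, and replaces the body with ciphertext before relaying it onward.
forward_encrypted() {
  local msg; msg="$(cat)"
  printf '%s\n' "$msg" | sed '/^$/q'          # headers plus the blank separator
  printf '%s\n' "$msg" | sed '1,/^$/d' |
    g "$FWD_HOME" --armor --trust-model always --recipient "$RCPT" --encrypt
}

# Recipient: decrypts locally with the private key held in their own keyring.
read_body() { sed '1,/^$/d' | g "$RCPT_HOME" --decrypt; }

# Any party holding only the stored copy and the public key (forwarder, mailbox host).
read_body_without_private_key() { sed '1,/^$/d' | g "$FWD_HOME" --decrypt; }

sample_message() {   # constructed order confirmation
  printf '%s\n' 'From: orders@shop.example' "To: $RCPT" \
    'Subject: Your order has shipped' '' 'Item: audiobook' 'Total: 14.95'
}

stored="$(sample_message | forward_encrypted)"   # what lands in the hosted mailbox
printf '%s\n' "$stored"
```

In this sketch the sender and Subject lines stay readable in the stored copy, so the mailbox host can still tell that an order confirmation arrived, just not what it contained.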
Tomasz Darmetko says
“They are not parsing non-infected, purportedly non-spam email. ”
This is not how spam detection works. You have to parse basically every email in order to find the spam emails. Google is doing this very well. They also categorize your emails into “Primary”, “Social”, “Promotions”, “Updates”, “Forums” and “Important” based on their content.
This is something that welcomes you right after you open a new Gmail account.
The particular feature of tracking purchases is used by Google Assistant to inform you about your flights and packages arrivals.
It can, for example, inform you about delays, which gate you should go to, when is it opening/closing etc.
Very useful thing.
Jeffrey W. Baker says
I don’t like privacy derangement syndrome and I don’t think irrational paranoia is a good look for my DNS provider. I hope you’ll stick to relevant topics for your future posts. I’ll be thinking about alternatives when my domains need renewal, after thoughtlessly renewing with easydns for many years.
Scott Johnston says
I don’t like sharp sticks in the eye either Jeffrey. Not only do I not like them I don’t tolerate them. Someone shoves a sharp stake at my face I take defensive and offensive measures to make sure it doesn’t happen again. If you are not concerned with your own privacy and personal security perhaps like all other dogs that have not been properly trained you just haven’t been zapped by the electric cord they were chewing on. You haven’t run across the situation yet where your gmail data was used by Google (or a third party that Google allowed to access your private data). When it happens though, it’s too late. What happens if that data that’s used (even if it is not used nefariously with you as the target) exposes trade secrets of your company or your company’s clients? What happens if it exposes you to scrutiny because the information released points to potential breaching current local state or federal statutes? It’s what is known as risk. You may never have such an incident happening. Then again you may have it happen. If it happens it will happen nearly guaranteed at a time when you can ill afford it to.
Who will you cry to then?
If you go to
you can see Google Pay payment methods, Purchases, Subscriptions, and Reservations.
I reached it via myaccount.google.com and ‘Payments & subscriptions’ in the left column.
So, yeah, it’s a thing. Also sometimes useful.
Ernesto B. Levey says
Thank you for your alert and tips!
You probably don’t need a Google account for your news alerts. You can get them anonymously via RSS. I use a paid https://blogtrottr.com/ account to convert RSS to e-mail. Useful for Google news alerts, YouTube channel upload alerts (and this blog!).
What’s also annoying: there are webshops and VPN services that use Google as a sending server to confirm your purchases/payments. So you don’t even need to have a gmail account to make Google understand your purchase history. Scary.
Scot Srodes says
It sounds like you don’t know that Google, FB, and other tech companies assist the NSA in collecting the information needed to track and find money for an ever-broke govt.
alain maronani says
Fouché..You are wrong on this one..the man who ran Napoleon’s secret police, who also cast the deciding vote to behead King Louis XVI…The King was condemned to death by a large margin. 310 of the deputies requested mercy, but 380 voted for the immediate execution of the death penalty including Philippe Égalité, formerly the duke of Orléans and Louis’ cousin, voted for Louis’ execution, a cause of much future bitterness among French monarchists; he would himself be guillotined on the same scaffold, Place de la Révolution, before the end of the same year, on 6 November 1793.
Last but not least. Louis XVI’s lawyer Malesherbes was executed some time after with his wife, his daughter, his son-in-law, his brother, all at the same time and one month later his older sister 78 years old..If you go to Paris there is a Malesherbes Boulevard (a large street).
Mark E. Jeftovic says
Interesting. I’m going from “Medusa’s Head”,
I wonder, were there two separate votes? One at trial on guilt and the one recounted here on sentencing?
alain maronani says
Yep at least 3 choices…release, jail, death with or without delay, one of them was the 310/380. It is very well explained by some specialist of the French revolution (one industry by itself) such as Soboul (classical marxist analysis) or by François Furet. I do not know if their books are available in English.
For Malesherbes I forgot to mention his grand-children were also executed at the same time and they were all executed at the same period, sharing the same cart, on their way to the guillotine…family meeting..some sort of…
Things are far worse than your article regarding google enterprises. Used to hang out on yt livestreams & elsewhere with cannabis users & regularly speaking about freemasonry ( the root cause of everything evil in this world aka secret societies) & Bill Cooper who revealed freemasonry & secret societies in his Hour of the Time broadcasts & Bill Cooper likely the greatest truth teller ever known & exposer of gov corruption & treason in 1990s until Bill was murdered by our gov Nov 2001 after predicting 911 & stating gov would be behind it & not OsamaBLaden. Two of my computers were taken over by google chrome browsers one running XP the other Windows 10. Had to reinstall & go linux distros, Lucky had background in UNIX. My phone was also taken over and my phone controlled or cut off or harassed. Used to use google voice & gmail for messaging & email many years my family relationships over this period were destroyed with my children after the divorce. I cannot prove the latter statement but have my suspicions based on things I was told that I never said aka suspect my messages were intercepted reworded then delivered or never delivered. The last statement I cannot prove but highly suspect. My main point is there are cops impersonating people on yt livestreams & NSA types took over 2 of my computers & my phone. Now that is some sick stuff that I am thinking a million might not be enough for all I have been put thru by this most evil corporation aka google. Do not trust google have zero accounts with them, do not comment online ever again because like Snowden said in Live from Russia May 30th 2019 this is Mass Surveillance & YOU better believe freemasonry aka socialism aka NWO aka secret societies aka Temples with No Windows are the ones orchestrating all of it. I know for a fact this is the truth because of personal experience & research.
Basalat Raja says
We don’t dream in XML. We have nightmares in XML.
Fred Bergman says
Don’t you use any Google services other than gmail? I guess you don’t have an Android-based phone.
Google scans your email for everything. The information there is linked to the Google Assistant and your general Google profile. For instance, Hotel bookings and plane tickets are automatically put into your calendar. Your Android smartphone will automatically tell you about gate changes, delays, and even when you have to leave for the airport, taking the traffic situation into account (because it knows where you live and where the airport is).
Did you know you can type “show my flights”, “show my hotels”, “show my events” and even (gasp) “show my purchases” in regular Google search and it will display the info you seek? (if you’re logged in that is). If you have a smartphone, just ask it verbally. (“hey google, show me my latest purchases”).
Did you know that your “profile” (interests, age, gender, etc) can be seen at https://adssettings.google.com ?
These are not things people don’t know about. Except maybe Apple users.
Andy Konecny says
old news about gmail issues
you get what you pay for