google, privacy, e-mail, from :birdsite: 

Google started editing people's e-mails in GSuite, replacing links with a link through google.com:
mobile.twitter.com/sneakdotber
twitter.com/tblodt/status/1317

This means that Google will track a click on a link *in e-mail* even if you're using an external client.

I am *guessing* this is under the pretext of phishing protection, but it actually *creates* additional phishing risk for text-only clients, since now all links are google.com links.

google, privacy, e-mail, from :birdsite: 

hey @sneak I should have tagged you in this. for some reason the fact that you're here was completely lost on me

re: google, privacy, e-mail, from :birdsite: 

@rysiek I really need to move my domain off google apps. Still looking for a good alternative though.

re: google, privacy, e-mail, from :birdsite: 

@loke @rysiek
I've heard migadu is good, but I've never tried it, so I cannot vouch for it.

@wolf480pl @loke @rysiek we use migadu, it is indeed quite good. would definitely recommend

google, privacy, e-mail, from :birdsite: 

@rysiek also, isn't this gonna trip all the phishing warnings in Thunderbird in case of HTML email?

google, privacy, e-mail, from :birdsite: 

@rysiek I'm seeing some data-saferedirecturl attributes in the links in 3 different accounts but the href seems to still be the correct one in all of them. But stuff like this is what made me switch to mailbox.org for my personal e-mail.

google, privacy, e-mail, from :birdsite: 

@rysiek from the twitter thread I saw this is something configurable and it's off for the domain I control on gmail, and I assume it's also off for the other I don't.

google, privacy, e-mail, from :birdsite: 

@jmcs yeah, apparently it is on by default for domains where "enable future security enhancements" or whatever the checkbox is called is checked.

I still feel this needed way better communication. "Guys, we will start replacing links in your e-mails since you have that checkbox checked" would have helped.

google, privacy, e-mail, from :birdsite: 

@rysiek I wonder how that behaves if you GPG sign an email from an external client. Will it break the signature? This should be tested... Hmm.

google, privacy, e-mail, from :birdsite: 

@sa0bse I would guess so, yes.

google, privacy, e-mail, from :birdsite: 

@rysiek that was already happening in Google Hangouts for a while. I used to copy and paste the link text instead of clicking on it. Now it is time to start doing that in emails as well.

google, privacy, e-mail, from :birdsite: 

@brunofontes sure, but modifying e-mails seems like a particularly important line in the sand. it's an open protocol, it's been around for half a century, there's a certain well-established expectation how it works that closely mirrors snail-mail. And modifying snail-mail in-transit has a really bad rep even amongst regular non-techie people.

google, privacy, e-mail, from :birdsite: 

@rysiek Yes, I agree with you!

That's why I created my own email server (still use Gmail for work and I have my gmail account though). But I prefer to have it untouched and static, so I have kept the dynamic email option disabled since day one.

google, privacy, e-mail, from :birdsite: 

@rysiek well, this explains why a bunch of links I got sent today triggered Thunderbird's phishing filter.

google, privacy, e-mail, from :birdsite: 

@rysiek 🤷🏻‍♂️

re: google, privacy, e-mail, from :birdsite: 

@rysiek Doesn't Outlook.com / O365 already do this?

re: google, privacy, e-mail, from :birdsite: 

@lnxw37a2 I am unaware. Does it?

I know Outlook/O365 used to follow links in e-mails to presumably check them for phishing and such, which meant one-time password reset links and such were constantly fscked for users there.

google, privacy, e-mail, from :birdsite: 

@rysiek This looks like the last straw. Do they do this with non-g-suite Gmail too?

google, privacy, e-mail, from :birdsite: 

@rysiek can confirm: my Canadian email provider switched to GSuite, and today links like helloworld.ca/
in the browser show
google.com/url?q=https%3A%2F%2 on mouse over. So it's the same scummy trick as birdsite or bookface.
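
The `google.com/url?q=` wrapping reported in this thread can be undone on the receiving side so that a text-only client shows the real destination again. This is an added example, not part of any post in the thread; the redirector host list, the sample domains and the `extra` parameter are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts treated as the redirector. The thread only shows "google.com/url?q=".
REDIRECT_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unwrap_redirect(url, max_depth=3):
    """Return (destination, was_wrapped) for a google.com/url?q=... link."""
    wrapped = False
    for _ in range(max_depth):  # bounded, in case a wrapped link is wrapped again
        full = url if re.match(r"[a-z][a-z0-9+.-]*://", url, re.I) else "https://" + url
        parts = urlsplit(full)
        # Exact host match: look-alike hosts and userinfo tricks are not unwrapped
        host = (parts.hostname or "").lower()
        if host not in REDIRECT_HOSTS or parts.path != "/url":
            break
        target = parse_qs(parts.query).get("q", [""])[0]  # percent-decoded once
        if not target:
            break
        url, wrapped = target, True
    return url, wrapped

def annotate_plaintext(body):
    """Rewrite a text/plain body so each wrapped link shows its real destination."""
    def show(match):
        dest, wrapped = unwrap_redirect(match.group(0))
        return f"{dest} [was wrapped by google.com]" if wrapped else match.group(0)
    return URL_RE.sub(show, body)

# Constructed sample body; the domains and the "extra" parameter are made up.
SAMPLE = (
    "Reset: https://www.google.com/url?q=https%3A%2F%2Fexample.org%2Freset%3Ft%3D1&extra=1\n"
    "Docs: https://example.net/docs\n"
)

if __name__ == "__main__":
    print(annotate_plaintext(SAMPLE))
```
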

re: google, privacy, e-mail, from :birdsite: 

@rysiek Nope, it's for tracking.

re: google, privacy, e-mail, from :birdsite: 

@drwho oh, definitely. I wasn't talking about actual reason. Just the *pretext*. 😉

re: google, privacy, e-mail, from :birdsite: 

@rysiek Oh. Okay.

google, privacy, e-mail, from :birdsite: 

@rysiek it's also annoying because it breaks f-droid.org/en/packages/app.fe .

The GMail Android app is even more insidious: it shows the original URL when you long-press, but goes via a google redirect when you click the link. If you use a browser that just follows the redirect you won't notice.

google, privacy, e-mail, from :birdsite: 

@raboof holy cow...

google, privacy, e-mail, from :birdsite: 

@rysiek I think amazon does the same, probably the other big 4 or 5 and other services will join this too, I'm not a fan of it

@rysiek G-Suite is corporate service and no privacy can be expected from these.

But yes, I wonder how long until they deploy it everywhere.

@alex the issue is that this is enabled by default for G-Suite users who have the "enable future security improvements" or whatever it's called thing enabled -- which is also enabled by default, as far as I can tell.

There's a world of difference between privacy encroachment by your employer and privacy encroachment by the service provider of your employer, potentially without your employer's knowledge.

@alex @rysiek Being an IT guy myself I think it is the employer's job to keep track of tools they use for business or there can be nasty surprises. Especially with SaaS.

By the way I always found this popularity of G-Suite weird. It isn't that cheap if you have more than just a few people and things like this one keep happening.

@alex @rysiek whatever proprietary software may contain Easter eggs, back-doors and unpleasant sudden changes in behavior that nobody expected. this is the general property of closed source commercial software. they need money, not user safety.

@alex @rysiek Canada (unlike some other countries) has privacy laws, my home province stronger ones and a privacy commission with teeth and claws, and I think my Canadian ISP is about to be mauled for promising things that their new friends in California can't deliver

google, privacy, e-mail, from :birdsite: 

@rysiek God, I can't wait until I can finish my degree and I can finally get rid of my Google account.

google, privacy, e-mail, from :birdsite: 

@rysiek coming from a company who once said that letting them read your email was like "letting your dog see you naked," it seems that this dog has become quite smart - not to say intrusive.
