
google, privacy, e-mail, from :birdsite: 

Google started editing people's e-mails in GSuite, replacing links with a link through google.com:
mobile.twitter.com/sneakdotber
twitter.com/tblodt/status/1317

This means that Google will track a click on a link *in e-mail* even if you're using an external client.

I am *guessing* this is under the pretext of phishing protection, but it actually *creates* additional phishing risk for text-only clients, since now all links are google.com links.

google, privacy, e-mail, from :birdsite: 

hey @sneak I should have tagged you in this. for some reason the fact that you're here was completely lost on me


re: google, privacy, e-mail, from :birdsite: 

@rysiek I really need to move my domain off google apps. Still looking for a good alternative though.

re: google, privacy, e-mail, from :birdsite: 

@loke @rysiek
I've heard migadu is good, but I've never tried it, so I cannot vouch for it.

@wolf480pl @loke @rysiek we use migadu, it is indeed quite good. would definitely recommend

google, privacy, e-mail, from :birdsite: 

@rysiek also, isn't this gonna trip all the phishing warnings in Thunderbird in case of HTML email?

google, privacy, e-mail, from :birdsite: 

@rysiek I'm seeing some data-saferedirecturl attributes in the links in 3 different accounts but the href seems to still be the correct one in all of them. But stuff like this is what made me switch to mailbox.org for my personal e-mail.

google, privacy, e-mail, from :birdsite: 

@rysiek from the twitter thread I saw this is something configurable and it's off for the domain I control on gmail, and I assume it's also off for the other I don't.

google, privacy, e-mail, from :birdsite: 

@jmcs yeah, apparently it is on by default for domains where "enable future security enhancements" or whatever the checkbox is called is checked.

I still feel this needed way better communication. "Guys, we will start replacing links in your e-mails since you have that checkbox checked" would have helped.

google, privacy, e-mail, from :birdsite: 

@rysiek I wonder how that behaves if you GPG sign an email from an external client. Will it break the signature? This should be tested... Hmm.

google, privacy, e-mail, from :birdsite: 

@sa0bse I would guess so, yes.

google, privacy, e-mail, from :birdsite: 

@rysiek that was already happening in Google Hangouts for a while. I used to copy and paste the link text instead of clicking on it. Now it is time to start doing that in emails as well.

google, privacy, e-mail, from :birdsite: 

@brunofontes sure, but modifying e-mails seems like a particularly important line in the sand. it's an open protocol, it's been around for half a century, there's a certain well-established expectation how it works that closely mirrors snail-mail. And modifying snail-mail in-transit has a really bad rep even amongst regular non-techie people.

google, privacy, e-mail, from :birdsite: 

@rysiek Yes, I agree with you!

That's why I created my own email server (still use Gmail for work and I have my gmail account though). But I prefer to have it untouched and static, so I keep disabled the dynamic email option since day one.

re: google, privacy, e-mail, from :birdsite: 

@rysiek i'm reading the comments, surprised by how many people called it "false info" and how hn marked it as suspicious. it's so bad people would rather believe that the author is lying.

google, privacy, e-mail, from :birdsite: 

@rysiek well, this explains why a bunch of links I got sent today triggered Thunderbird's phishing filter.

google, privacy, e-mail, from :birdsite: 

@rysiek 🤷🏻‍♂️

re: google, privacy, e-mail, from :birdsite: 

@rysiek Doesn't Outlook.com / O365 already do this?

re: google, privacy, e-mail, from :birdsite: 

@lnxw37a2 I am unaware. Does it?

I know Outlook/O365 used to follow links in e-mails to presumably check them for phishing and such, which meant one-time password reset links and such were constantly fscked for users there.

google, privacy, e-mail, from :birdsite: 

@rysiek This looks like the last straw. Do they do this with non-g-suite Gmail too?

google, privacy, e-mail, from :birdsite: 

@rysiek can confirm: my Canadian email provider switched to GSuite, and today links like helloworld.ca/ in the browser show google.com/url?q=https%3A%2F%2 on mouse over. So it's the same scummy trick as birdsite or bookface.
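
The two rewriting patterns reported in this thread (an `href` replaced by a `google.com/url?q=...` link, and a `data-saferedirecturl` attribute next to an untouched `href`) can be audited in a saved HTML message body. This is an added example, not part of any post above; the sample HTML and the `example.*` targets are constructed, and it assumes the attribute value has the same `google.com/url?q=` shape as the rewritten `href`.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Hosts treated as the redirector; the thread only shows "google.com/url?q=...".
REDIRECT_HOSTS = {"google.com", "www.google.com"}

def unwrap(url):
    """Return the original target of a google.com/url?q=... link, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if (parts.hostname or "").lower() not in REDIRECT_HOSTS or parts.path != "/url":
        return None
    # parse_qs percent-decodes the value, so %3A%2F%2F becomes "://".
    return parse_qs(parts.query).get("q", [None])[0]

class _Anchors(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)
        target = unwrap(attr.get("href") or "")
        if target:  # the visible link itself goes through the redirector
            self.findings.append(("href-rewritten", target))
        target = unwrap(attr.get("data-saferedirecturl") or "")
        if target:  # href intact, redirect carried in a side attribute
            self.findings.append(("data-saferedirecturl", target))

def audit(html_body):
    """List (pattern, original_target) pairs for every rewritten anchor."""
    parser = _Anchors()
    parser.feed(html_body)
    parser.close()
    return parser.findings

# Constructed sample body: one rewritten href, one side attribute, one clean link.
SAMPLE_HTML = """
<a href="https://www.google.com/url?q=https%3A%2F%2Fexample.org%2Freset%3Ftoken%3Dabc">reset</a>
<a href="https://example.net/docs" data-saferedirecturl="https://www.google.com/url?q=https%3A%2F%2Fexample.net%2Fdocs">docs</a>
<a href="https://example.com/">plain</a>
"""

if __name__ == "__main__":
    for kind, target in audit(SAMPLE_HTML):
        print(kind, "->", target)
```
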

re: google, privacy, e-mail, from :birdsite: 

@rysiek Nope, it's for tracking.

re: google, privacy, e-mail, from :birdsite: 

@drwho oh, definitely. I wasn't talking about actual reason. Just the *pretext*. 😉

re: google, privacy, e-mail, from :birdsite: 

@rysiek Oh. Okay.

google, privacy, e-mail, from :birdsite: 

@rysiek it's also annoying because it breaks f-droid.org/en/packages/app.fe .

The GMail Android app is even more insidious: it shows the original URL when you long-press, but goes via a google redirect when you click the link. If you use a browser that just follows the redirect you won't notice.

google, privacy, e-mail, from :birdsite: 

@raboof holy cow...

google, privacy, e-mail, from :birdsite: 

@rysiek I think amazon does the same, probably the other big 4 or 5 and other services will join this too, I'm not a fan of it

@rysiek G-Suite is corporate service and no privacy can be expected from these.

But yes, I wonder how long until they deploy it everywhere.

@alex the issue is that this is enabled by default for G-Suite users who have the "enable future security improvements" or whatever it's called thing enabled -- which is also enabled by default, as far as I can tell.

There's a world of difference between privacy encroachment by your employer and privacy encroachment by the service provider of your employer, potentially without your employer's knowledge.

@alex @rysiek Being an IT guy myself I think it is employer's job to keep track of tools they use for business or there can be nasty surprises. Especially with SaaS.

By the way I always found this popularity of G-Suite weird. It isn't that cheap if you have more than just a few people and things like this one keep happening.

@alex @rysiek whatever proprietary software may contain Easter eggs, back-doors and unpleasant sudden changes in behavior that nobody expected. this is the general property of closed source commercial software. they need money, not user safety.

@alex @rysiek Canada (unlike some other countries) has privacy laws, my home province stronger ones and a privacy commission with teeth and claws, and I think my Canadian ISP is about to be mauled for promising things that their new friends in California can't deliver

google, privacy, e-mail, from :birdsite: 

@rysiek God, I can't wait until I can finish my degree and I can finally get rid of my Google account.

google, privacy, e-mail, from :birdsite: 

@rysiek coming from a company who once said that letting them read your email was like "letting your dog see you naked," it seems that this dog has become quite smart - not to say intrusive.
