Do you think your email on Gmail is private? If so, you may want to think again, as your Gmail messages are being scanned by Google for purchases, which are then displayed in your Google account.
This week, a user posted on Reddit about how they discovered that their Google Account's Purchases page contained all of the purchases they have made from Amazon and other online stores even though they do not use Google Pay.
When I saw this, I checked my Google Account Purchases page, located at https://myaccount.google.com/purchases, and saw that it too contained the purchases I made from online services such as Dominos, Steam, 1-800-Flowers.com, Amazon, Adidas, and more. Like the Reddit user, I do not use Google Pay.
The general consensus was that Gmail was analyzing incoming emails for purchase receipts and then extracting that information.
When BleepingComputer contacted Google about this, they confirmed the information was coming from Gmail messages. They also stated that this was being done to help their users find their data and that they do not use any information stored in your emails, including your purchases, to serve you ads.
“To help you easily view and keep track of your purchases, bookings and subscriptions in one place, we’ve created a private destination that can only be seen by you. You can delete this information at any time. We don’t use any information from your Gmail messages to serve you ads, and that includes the email receipts and confirmations shown on the Purchase page. We're always working to help people understand and manage their data.”
While they may not be using this information to serve you ads, are they using it for something else? Google has not given us a definitive answer on this question.
Deleting purchase data is a pain
While Google told us that you can delete this information at any time, they did not mention how much of a pain it is to do so.
Instead of having a single setting that allows you to control how this data is saved, you need to go into each and every purchase and click on the Remove Purchase button. This will bring you to the original email that the data was pulled from and once this email is trashed, the purchase will be removed from the Purchases page.
With my Purchases having data going as far back as 2013 and showing approximately 300 purchases, it would be a big pain to manually delete each and every one. Even worse, another account that I use for most of my purchasing has thousands of orders, which would take forever to clean up.
When searching for a way to stop Google from pulling purchases out of my Gmail emails, I could not find a setting that would allow me to do so.
CNBC, which also covered this story this week, was likewise unable to find a setting that stopped Gmail from scanning emails and extracting purchase information.
G Suite customers appear to be spared
I use different email accounts depending on the particular purpose and one of these email accounts is through Google's G Suite service.
When I checked the Purchases page for my G Suite account, I noticed that the page was empty even though it is commonly used to make online purchases. I also asked another person who uses G Suite and they too confirmed their page was empty.
While two people are not a large sample by any means, it could indicate that this data extraction is not occurring for G Suite accounts. I also could not find any settings in the G Suite Admin console that allow me to configure this behavior.
We have already asked Google if G Suite is excluded from this data extraction, but have not heard back as of yet.
Comments
Dave1949 - 4 years ago
I also had a local over-the-counter purchase (NOT online) listed, from September last year, with only the basic details of the product, which worried and baffled me somewhat. The clue may be that I reserved the product to make sure it was in stock for collection and had a confirmation e-mail from the store to my Gmail account, containing all the details, which I strongly suspect was skimmed for data by Google and maybe interpreted as an invoice. I am not happy about this at all. I wonder if there are any legal ramifications.
GT500 - 4 years ago
If filtering spam is legal, then doing this is legal, as both essentially require automated processing of mail contents and a certain amount of storage of data (many anti-spam systems are designed to learn more about what is and isn't spam over time, and this requires saving information about e-mails that will help filter spam more accurately).
It's easy to be disgusted by a company like Google processing e-mail data to keep track of your purchases. It's also easy to forget that this isn't the only reason they process our mail and log data from it.
Here's something else to consider. How many mail servers still don't encrypt SMTP traffic? How many of your e-mails are being intercepted and processed before they ever reach your mail provider? Well, the NSA and its divisions probably already have every e-mail you've ever sent and/or received stored somewhere. Backbone providers, or perhaps even untrustworthy employees who work for them, could have many of them as well.
Crogon - 4 years ago
Intent, GT500, intent. Stop making excuses for Google. They haven't been trustworthy for a few years now. The sooner that they go the way of the Dodo, the better.
GT500 - 4 years ago
Were they ever trustworthy?
britechguy - 4 years ago
Were they ever not? Google has been crystal clear about the fact that they scan your e-mail under Gmail since the day it was introduced. They also track and collect your browsing history if you use the Google search engine, which is also well known and well publicized.
If Google collecting data, and lots of it, on the users of their services is coming as a shock at this point in time then you (the generic you) have been living under a rock. It's their stock in trade and you should know, from the outset, that data collection is part of the deal for using their services at no cost (of the direct monetary sort) to you.
A web search (using Google or other search engines) on "data Google collects about its users" returns enough on just the first page to allow anyone to have a very decent overview of what they're actually doing, and some of that actually comes directly from Google, though a lot of it is in popular and tech press articles.
kernelpaniced - 4 years ago
It is very disappointing that email is so essential but it is not very private in some ways anyway. I wish there were more paid alternatives that could match the features Gmail has. (Protonmail is the only one I know of that has labels for crying out loud!)
britechguy - 4 years ago
All labels are is Gmail's weird implementation of IMAP folders. You can create these on any IMAP server or via your e-mail client's interaction with same.
ObviousSense - 4 years ago
GT500, I understand you. People seem to be more and more oblivious nowadays. Good answer.
Warthog-Fan - 4 years ago
I try to stay away from anything Google. I use DuckDuckGo for searches and Thunderbird for email. I guess I'm stuck using Google to have an account on YouTube, but that is the only service of theirs that I'm utilizing. If I wanted to access my email from a remote location, I can use my ISP's Webmail account. I also do not have an account on Facebook, Twitter, Instagram, or any other social media sites that skim data from their users.
LegitX - 4 years ago
I don't think anyone actually realises that Google own Android and ALL Google apps, such as Gmail. Stop saying that they are spying when they literally own the app. It's in the terms and conditions that nobody reads. It is very legal. And it's there to keep the user safe.
britechguy - 4 years ago
Indeed. I knew, from day one, that Gmail was not private in the traditional sense of the term. Google has been as above board as any company about the fact that they scan each and every e-mail message you send and receive. When there is no monetary cost to you, the end user, it is you (via your data) that is the product, and that has always been the case with Google. In this case, and because I read my user agreement way back when (and still do when signing up for new stuff elsewhere) I was well aware of what the exchange was.
While I absolutely think that there should be regulations enacted regarding making EULA summaries that are easy for anyone to read, as the "legalese" that's in the full ones is anything but, this information is presented, in writing. The old saw, "Well, then, put it in writing," has been done by Google, Microsoft, and pretty much everyone since day one. It is not these companies' faults that many end users simply don't read anything, even a quick scan through, and then get in high moral dudgeon when what they've documented in writing is told to them by another source.
Caveat Emptor applies. Those who don't bother to read what they're agreeing to, and understand its implications (at least broadly), will get no sympathy from me when they're aghast when what I've known forever is revealed to them.
Google is never going to stop coming up with new data to collect. No one is forcing anyone to use Gmail or any Google service. No one is forcing anyone to use any "free at the point of service" services from any company whose actual price comes in the form of data collection and mining regarding the user. You have options, most, but not all, involving paying for services that don't do this. There is a price, in money or information, for getting what you want. The sooner this truism becomes known and accepted the better. And it isn't Google or anyone else who's hiding what they've been doing (on the whole, anyway). It's those who just can't and won't pay attention being shocked at learning what they should have known all along.
Dominique1 - 4 years ago
Not surprised! It was a question of time.
fanchkevin - 4 years ago
Enough is enough. I deleted my Google account. I switched to /e/ on my mobile, which is a privacy-oriented Android OS and doesn't send any data to Google. I'm much happier this way. Check: e.foundation
britechguy - 4 years ago
". . . Android OS and doesn't send any data to Google."
Citation, please. Android is a Google Product and employs telemetry. There is tons of data exchange with Google. Now whether that's personal data is a separate thing altogether, but don't delude yourself or mislead others that Android does not "phone home" to Google.
Starkman - 4 years ago
disregard
Starkman - 4 years ago
See, this is why all of you--everyone--should go back to using Hotmail; Microsoft would NEVER collect data, of any kind, like this. NEVER!
Wait...what?
MRDUMAS - 4 years ago
What a heartwarming trustworthy company. They just want to make sure we can see our transaction history easily. They are here to keep our data safe.
HAHA JK. It's never too late to quit 'Google panopticon'!
bobsage - 4 years ago
Google uses this for some of their services to help users (although I'm sure for their own benefit as well). For example, if you subscribe to a subscription service, Google will give you a heads up a few days ahead of the expiration date that it's expiring.
DerekCurrie - 4 years ago
• Another reason why I stopped using Gmail for anything other than Google.
• Another reason why I have encrypted email accounts with Lavabit, Protonmail and Tutanota.
• Another reason why I use encrypted GPGMail.
BIG MARKETING BROTHER IS WATCHING! (O_O)