By Zak Doffman
Yet again this week we have seen headlines pitching Apple against Facebook, as the iPhone makerâs crackdown on user tracking threatens mobile ad revenues. But while Facebook is clearly in Appleâs sights, it is Google just as much as Facebook that is being hit hard by the new and long-delayed flight to privacy.
Gmail has already come under attack for its alarming privacy labels. But a new update from Apple, combined with a privacy backlash this month against âcreepyâ mail tracking, should now be the final convincer for millions of users to delete their Gmail apps, ensuring that their data is not being secretly harvested.
Until now, Apple versus Google on privacy has focused on Androidâs continual game of catch-up on mobile data permissions. But Apple is also pressuring Google when it comes to its feasting on data from the billion iPhone users. And just as with its other apps, Googleâs Gmail is a privacy nightmare compared to Appleâs alternative.
Earlier this year, Google cleverly allowed Facebook to play the role of minesweeper when Appleâs privacy labels exposed the sheer extent of the previously invisible data harvesting taking place. Google let its own iOS apps run stale, delaying updates until the furor had settled, before showing that its own apps were no better.
And so, one by one, we saw Googleâs flagship iOS appsâGmail, Maps, Photos, Chrome, YouTube, Docsâfill in the alarming blanks. And because this is Google, it was suddenly very important to remember that thereâs an account-based system linking all these apps together and a spiderâs web of trackers following users around.
As DuckDuckGo warns, âGoogleâs trackers are installed on 75% of the top million websitesâthe next closest is Facebook at 25%. Google sells ads not only on their search engine, but also on over 2.2 million other websites and over 1 million apps. Every time you visit one of these sites or apps, Google is storing that information and using it to target ads at you.â Google dwarfs Facebook when it comes to this trackingâperiod.
Apple has been publicly cracking down on Facebook with App Tracking Transparency and doing the same to Google by adding new privacy innovations to Safari to tempt users away from market-leading Chrome and enhancing other apps, notably Maps, to pull its users away from Googleâs data-hungry ecosystem.
The other critical innovation that Apple will bring with iOS 15 will likely be as big a hammer blow to the data marketing industry as App Tracking Transparency and blocking third-party web tracking cookies by default in Safari.
Right now, 70% of the emails you receive are laced with secretive trackers that send information back to their handlersâhave you opened the email, when and how often; where were you when you read the content and what device were you using. All this data feeds the nefarious algorithms that manipulate what you buy, think and do.
According to security researcher Mike Thompson, secretive mail tracking âhas become a reality we now live with, where we have to accept to some extent that our privacy was washed down the river a long time ago… How do we deal with it? Ban email providers from rendering this content? Not gonna happen.â
But with iOS 15, Appleâs new Mail Privacy Protection will at long last âstop senders from using invisible pixels to collect information about users. The new feature helps prevent senders from knowing when they open an email and masks their IP address so it canât be linked to other online activity or used to determine their location.â
If youâre in any doubt as to the impact this will have, then take a look at the marketing trades and their response to whatâs coming. Mail tracking was seen as a defense against App Tracking Transparency, to recover some value from iOS users. But Apple is now slamming that door tight shut as well. It really is all change.
@Apple suggests they will preload all images on emails when marketing emails are sent â not opened. Itâs day 1, so more testing is needed to confirm.
— Brian Sisolak (@bsisolak) June 8, 2021
As Iâve said multiple times in this column, mail tracking is a nasty technology that has appeared to escape the clampdown it deserves. Itâs a marketing tool that has gotten completely out of control, with most emails now tracking user behaviors. Suffice to say, make sure you enable Mail Privacy Protection when iOS 15 arrives.
âTracking pixels are a concerningly normal part of todayâs internet and yet another example of how peopleâs privacy is being intruded upon on a day-to-day basis,â Proton founder Andy Yen warns. âThe volume of information a company can gather with something as simple as an invisible image is incredible.â
Until now, the best way to prevent these pixels tracking your activity has been to prevent remote images loading automatically. This stops most invisible tracking, but it removes the richness of the emails you open and if you do want to see any of the images, email by email, then those tracking pixels come along as well.
As Apple warns, âemails may include hidden pixels that allow the email’s sender to learn information about you. As soon as you open an email, information about your activity can be collected by the sender without transparency and an ability to control what information is shared. Email senders can learn when and how many times you opened their email, whether you forwarded the email, your IP address, and other data that can be used to build a profile of your behavior and learn your location.â
âUsing/abusing pixel tracking for location tracking is in my mind over the line,â says Cyjax CISO Ian Thornton-Trump. âI think itâs an overreach and hard to justify in terms of collecting data under GDPR/PECR. Is collection of my location relevant to the goods or services being offered? Maybe. But I think it should be immensely hard to justify.â
Appleâs new solution will load all remote content using multiple proxy servers. This will do two things. First, images can be presented on all your emails without any risk of trackingâtheyâre being served from Appleâs own servers. And second, marketeers will receive a near 100% open-rate for their emails, rendering it useless data.
So, unless you click a link from within an email, there should be no way to harvest any data from your email browsing activity. The only thing Apple will provide is a broad idea of the region youâre in, to ensure any context and language is right.
The flight to privacy, fueled by Apple and others, is shining an awkward light on Google, Facebook and the data-driven digital marketing industry. âThe everyday user is waking up to the importance of privacy,â security researcher Sean Wright says. âAnything that helps them keep control over their data is a step in the right direction, but privacy is not âone size fits allâ. The power to choose how and where data is used should always be in the hands of the individual. As such, education and transparency so users can make informed decisions about which mail clients they should use is key.â
Google has actually been blocking email IP address tracking for some time now, using its own servers to preload remote images. But it still returns other data to marketeers, including âopen rates,â and thereâs no anonymization from Google itself. It continues to collect all the data it can. Apple is a very different proposition.
âApple does not learn any information about the content,â the company says. âAll remote content downloaded by Mail is routed through multiple proxy servers, preventing the sender from learning your IP address. Rather than share your IP address, which can allow the email sender to learn your location, Apple’s proxy network will randomly assign an IP address that corresponds only to the region your device is in. As a result, email senders will only receive generic information rather than information about your behavior. Apple does not access your IP address.â
I asked Google for more detail on Gmailâs use of its own servers to load remote images, how extensively it blocks user IP address harvesting, and whether Google itself has any restrictions on the location tracking data it can harvest from Gmail usage. I had not received a response ahead of publishing.
Google has already been criticized elsewhere for introducing new privacy innovations that block third-parties and so advantage Google, most notably the removal of third-party trackers in Chrome, which it has been argued will concentrate everything in Googleâs own data-harvesting hands. As such, the move has been delayed.
And, ultimately, thatâs the crux here. Appleâs new privacy innovations have been designed holistically. There are no qualifiers and workarounds. âIf you choose to turn it on,â Apple says, âMail Privacy Protection helps protect your privacy by preventing email senders, including Apple, from learning information about your Mail activity.â
It has taken too long, but we have now seen a strong clampdown on cross-site web tracking, with Safari and Firefox protecting vast numbers of users, and more specialist offerings from Brave and DuckDuckGo also hitting the market. Itâs worth noting, that when it comes to such tracking Googleâs Chrome is now an outlier in how it works by default, how much data is gathered as you browse, how data is linked to your identity.
Today we're announcing the beta release of DuckDuckGo Email Protection! Get a free Duck Address, and we'll forward emails to your current inbox after zapping hidden trackers and protecting your current email address.
That's privacy, simplified.https://t.co/Bcgz5yB7nZ
— DuckDuckGo (@DuckDuckGo) July 20, 2021
Itâs likely weâll see something similar now with mail tracking. âJust like browsing the web,â DuckDuckGo told me, âemail is used to track people without their knowledge.â The privacy-first company has just announced its own mail service to block tracking, âa free, personal @duck.com email addressâemails sent to it will forward to your regular inbox, with creepy email trackers removed.â
âEmail tracking is often completely forgotten,â warns ESETâs Jake Moore, âas it quietly operates in the background in stealth mode. It is seen as a huge invasion of privacy, possibly even dangerous if used criminally.â
Google has told me that data it collects is used to âprovide helpful and personalized experiences in Google products, including faster searching and automatic recommendations.â The company also emphasizes that users âcan control what activity gets saved to their account or delete their activity at any time.â
But that puts the onus on you to police Google and actively check on whatâs been collected, forming a judgement on what is appropriate and proportionate. As Iâve said many times, when it comes to platforms and services, just follow the money. Google generates its revenue from data-driven advertising. Itâs not complicated.
You donât need to stop using Gmail itself, albeit remember that Google can see everything youâre doing server-side. But you should use Appleâs own Mail app with Gmail rather than the Gmail app. This stops Google gathering additional data through the appâs permission settings. It also means you can use email without any concerns that anyoneâincluding Googleâis hiding invisible trackers.