
Images Now Showing in Gmail - roryhughes
http://gmailblog.blogspot.com/2013/12/images-now-showing.html
======
keithwinstein
[Update 2: I just tested with a newly-created Gmail account and the feature
did not seem to have been rolled out to the new account yet.]

[Update: I'm not sure when this feature will actually be rolled out. I think
my test below automatically displayed the image because my own email address
appears to be implicitly a whitelisted sender (even though "images from this
sender are always displayed" doesn't appear for it). Whether Google will alter
the behavior when they actually deploy this feature, I don't know.]

[Original message:]

I just tested and, yes, Gmail only loaded the referenced image when I clicked
on the message to open it within Gmail. I can't be sure, because perhaps if I
had waited an hour without opening the message, Gmail would have automatically
loaded the image anyway. But in reply to mherdeg below, the evidence suggests
that, yes, Gmail plans to opt everybody in to sending "read receipts" by
default for HTML messages that reference images.

I'm surprised by Google's statement that the previous behavior of prompting
was "to protect you from unknown senders who might try to use images to
compromise the security of your computer or mobile device."

I realize this was _a_ benefit, but I always thought the main purpose was for
privacy --- not to betray to the email sender when I opened the email. My
guess is that Google did not view this as a privacy setting, or they probably
would not have forcibly changed everybody's setting.

It's doubly strange that they did so without a notice inside Gmail that they
did so -- just a blog post.

~~~
danielnr
I just ran the same test and can confirm the results. Google will only load
your image if you open the email, which means Google has just opted-in all
users to mail receipts.

I don't use any Google services outside of small tests like this, but it still
makes me concerned for how this will affect the privacy of people I know.

~~~
finnh
"Email open" tracking just got a lot more reliable for all mass email &
marketing automation vendors.

On the flip side, those same solutions can no longer set a persistent cookie
with the image, so persistent tracking based on the initial email open will
stop working.

~~~
nkoren
> "Email open" tracking just got a lot more reliable for all mass email &
> marketing automation vendors.

Has it? If Google's proxy is caching images, then "email open" tracking might
have broken entirely. All the sender would see is that their email has been
opened once by the proxy -- for all gmail addresses put together.

~~~
Wilya
Mass-email senders probably would put a unique identifier in the image url
(different for all users), so Google will open each image, because it can't
know before loading them that it's the same image.

~~~
mtrimpe
Or they could retrieve every image sent to a gmail address immediately,
regardless of whether you viewed it or not.

That would essentially render open statistics meaningless and would let Google
cripple another industry after the promotions tab and 'not provided.'

I really hope they don't because it's such valuable information when creating
email copy...

~~~
Wilya
I agree they could do it, but people upthread are suggesting that Google
doesn't do that, and only loads the image when you open the message.

~~~
Gepser
they could track if an email was opened twice

first one = Google

second one = user

~~~
ktsmith
I would imagine that google caches the images so there would be one request
instead of two.

~~~
Gepser
you are right, I didn't think on that

------
alooPotato
This proxying actually rolled out on December 3rd to most gmail.com users. We,
Streak, happenned to launch an email tracking feature on the same day
([http://www.streak.com/email-tracking-in-gmail](http://www.streak.com/email-
tracking-in-gmail)).

Here's what we've learned:

\- the proxying of requests only happens when a user is viewing the mail
inside Gmail (i.e. gmail does not actually affect the message body, its just
proxying at render time)

\- gmail only caches in the image for a few minutes. So for email marketers,
if your recipient views the email then views it again a few hours later, the
marketer will see two requests for the image

\- there is basically no personally identifiable information in the request
that Google's proxy sends to the server hosting the image. So from that
perspective this is actually a boost in privacy than the previous state of the
world. None of the headers, cache controls, cookies, ip addresses, referrers
or user agents are passed to the original image server

\- obviously you can encode some ID into the image URL itself but all that
lets you do is identify the email address of the user that opened the email.
But you already had their email address because you sent them an email - so
again, no PII gets disclosed

\- it is true that marketers will see a more accurate count of opens (because
displaying images is on by default)

\- there seems to be several ways to get gmail's proxy to NOT cache the image
and simply proxy the request every time the user opens the emails

~~~
thedufer
> obviously you can encode some ID into the image URL itself but all that lets
> you do is identify the email address of the user that opened the email. But
> you already had their email address because you sent them an email - so
> again, no PII gets disclosed

All that lets you do is...confirm that the email address exists. Until this
change, that was a very difficult thing to do; now, its equivalent to getting
a message through a spam filter. This is going to help spammers _a lot_.

~~~
alooPotato
It wasn't very difficult to do - in our testing, approx 60% of emails we sent
out had images requested for them meaning users clicked on the display images
link. May be us nerds dont do it but regular users seem more likely to.

~~~
thedufer
That's assuming that people are just as likely to allow images from a message
that kinda looks like spam as they are from a message that's from a
person/service they know.

------
mherdeg
Is Google loading these images when a user opens mail? (Have they just
automatically opted users in to "read receipts"?)

Or are these images pre-cached when mail is delivered (so that the fact that
an image was loaded is just proof of delivery, which you should be able to get
anyway?)

------
rasengan
This is a step in the right direction. However, please understand that it
doesn't really make a difference in forms of real privacy Googlers!

The e-mail spam/list creators are a different kind of adversary than, for
example, web trackers.

They will do something like this: http www theirimageserver
com/images/img53.jpg?to=you@email.com (Obviously they will obfuscate and use
some kind of hash instead of cleartext e-mail to disguise their tracking
ways).

Regardless of whether some.google.ip loads it, or your.home.ip loads it, it
won't change the fact that you@email.com loaded it and your email is very
active, not just active in that it didn't bounce, but active in that you
actually read it.

Once again, it's a step in the right direction though, and I'm looking forward
to seeing greater innovations from Google in the privacy space, because I'm
confident that there are Googlers who understand that privacy is not a feature
nor a PR thing... it's the difference between the preservation of humanity and
society versus not.

~~~
herge
They can mitigate that by downloading all images that come to any address
@gmail.com. That way spammers won't know if you@gmail.com is real or not, and
still be at step 0 (and hopefully taking some bandwidth/processing time/log
space from the spammer at the same time!).

~~~
m_ram
This is probably obvious to people who do email marketing, but I just tested
whether gmail bounces bad addresses. They do bounce addresses that have never
been registered and addresses that have been deleted. This means that even
before this change, spammers could find out if an address is active.

~~~
herge
Bouncing badly typed addresses is more useful for users than stymieing
spammers. However, a spammer doesn't need to know if an existing gmail address
is being actively used or not.

------
steven2012
I hate to be "that guy", but does this mean Google is storing every one of our
pics on their proxy servers? For how long do they store them, and what is
their data retention policy?

Also, remembering that Google has no obligation to protect non-American users,
does that give the NSA access to them, to run things like facial recognition,
etc?

~~~
arsenerei
Honest question: Does this differ from them storing the email which already
contains the pictures?

~~~
shabble
Yes. Whilst you can embed images as MIME attachments (or data:// uri trickery
and the like), the vast majority are <img> tags referencing external
[http://](http://) uris. A message with remote image references is not a
complete document, and won't render correctly unless those references can be
followed. Google are instead fetching and caching those remote references,
then serving them indirectly to you.

As comparison, Firefox has a 'save page' function which distinguishes between
'html only' (akin to the mail message), and 'complete', which would include
all images, stylesheets, external js files, etc.

~~~
arsenerei
Fair point, I wasn't considering external links, only embedded images. Thanks.

------
mjbraun
I'm curious if this will help spammers. AFAIK, loading a tracking pixel helps
validate an email address as active (since, by design, bounce messages
probably wouldn't make it back to the spammer), even if the recipient didn't
otherwise respond to the message. AFAIK, "Validated" email address lists are
worth more than unchecked lists and if Google is preloading images for valid
accounts, then that seems to make validation even easier for spammers.

~~~
spb
However, if they make requests (that they don't necessarily have to keep) for
images for _all_ accounts (preloading on receive and not read), it does the
opposite, which is a good thing.

~~~
mjbraun
The problem is, if the filename/URL is unique to the user like
"spammersite.tld/images/50093825343.jpg" and 50093825343" is tied to my unique
email, then on Gmail's download and caching of the image, they've validated my
email. If another email has 023503850485.jpg, gmail wouldn't know that the
underlying file is the same unless it loads it. I don't even have to have
checked my mail for this to happen.

------
Ricapar
I kinda like this. More often than not, I never click the "Display Images"
link because I know doing so will essentially feed information back to the
people who sent the email (the fact that I opened it, my geoIP location,
browser, etc). I've been fine with a slightly degraded and less pretty email
experience in order to give me some extra privacy and keep my information out
of marketer's systems.

With this I guess I can see emails with all the images and other goodies
without that worry. Works for me.

On the other hand... There's a good chance Google is caching all this now. But
seeing as they're running the mail system I don't feel like it's too major of
an intrusion beyond what they already have.

~~~
lukeschlather
This just means they'll be paying Google for that info instead of being able
to gather it themselves.

------
oh_sigh
Since images usually contain tracking information, I wonder how this helps?
Maybe the proxy automatically gets and stores the image as soon as the email
is received? So in this manner, they will not be able to tell if/when a user
actually clicks on a link?

------
draz
How does this affect invisible pixels (for analytics)?

~~~
badbrain
Badly: [http://blog.movableink.com/gmails-recent-image-handling-
chan...](http://blog.movableink.com/gmails-recent-image-handling-changes-the-
impact-and-resolution)

~~~
Anonymous98236
To clarify, it's bad for marketing people, but good for users desiring
privacy.

~~~
GrinningFool
To an extent - it seems that google indirectly confirms that emails are
received (even though additional data is lost).

~~~
Anonymous98236
I believe they still have an "Ask before displaying external images" setting.

~~~
GrinningFool
Yes, but it is unclear whether their servers will load them regardless of
whether or not they're sent to my browser.

------
tehwebguy
Protect me from images? That is _not_ why I used this feature.

I used it so that images like /verifyRealEmail.php?email=$myaddress wouldn't
work.

~~~
macspoofing
If the gmail proxy caches _every_ image that is sent to a gmail address, then
this bad for spammers, and good for everyone else. That's one less mechanism
to verify valid (or active) email address.

~~~
tehwebguy
I wonder if Google will access an image URL in an email sent to a nonexistent
address

~~~
macspoofing
They almost have to, otherwise it would be much too easy to scrape gmail
addresses (from Google itself!).

------
mike-cardwell
Just tried this out with
[https://emailprivacytester.com/](https://emailprivacytester.com/) \- The
proxy request only happened when I viewed the email. It came from 66.249.88.50
(google-proxy-66-249-88-50.google.com) and had the User-Agent:

Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.7) Gecko/2009021910
Firefox/3.0.7 (via ggpht.com)

I viewed the email using Firefox 26 on Debian.

------
antr

        "Google’s own secure proxy servers"
    

will that mean that people who track me opening their email with 1px images
won't be able to track that? I hope this is the case...

~~~
prezjordan
Sure looks like it. I wonder how analytics companies feel about this. It's
important to know how many people are opening your emails.

~~~
antr
I guess the compromise is giving the user the option to choose: (i) I would
like to be tracked, (ii) I don't want to be tracked. I genuinly dislike people
who send me personal/work emails with tracking mechanisms...

------
spindritf
So if you send a different picture to each recipient, you can track if they
open your message? Or does Google pull all images, whether you view the
message or not?

------
swedegeek
Yea, it's hard to not think this is ultimately not a great move. It seems
rather shortsighted from a Gmail user's perspective if Google can't address
concerns over spammers being able to verify email addresses, or even just
analytic trackers. It is also vastly less appealing to hear that Google plans
to cache all images, which we know Big Brother is grabbing as well. And in the
case where someone may want to actually see images for a marketing email
(albeit, extremely rare for me), it actually hamstrings the source of the
email from possibly providing customized images/content based on
geolocation/browser/etc. that I could be interested in seeing.

So, what's the upside vs. just having the option to display images as desired
and NOT have Google cache them?

~~~
maxerickson
Aren't verified email addresses a relic of the past? Does anybody actually get
anything other than nonsense spam anymore?

~~~
swedegeek
That feels a bit like the "I have nothing to hide argument." Should we just
accept that probably spammers no longer send address verifying emails, and
tacitly approve this change helping them out if they do? Ultimately, the
default should be to let people decide for themselves to opt in to something
like this. Forcing this with some pretty big head scratching holes in the
benefits seems rather evil.

~~~
maxerickson
Looking at the preference, it isn't auto loading images in 'suspicious'
messages (the help text more or less says this).

So trusted messages are now leaking read receipts.

------
Aldo_MX
This is relevant for email marketers:

    
    
      In some cases, senders may be able to know whether an individual has opened
      a message with unique image links. As always, Gmail scans every message for
      suspicious content and if Gmail considers a sender or message potentially
      suspicious, images won’t be displayed and you’ll be asked whether you want
      to see the images.
    

[https://support.google.com/mail/answer/145919](https://support.google.com/mail/answer/145919)

------
skloubkov
Seems like a privacy hole.

Mailer can setup url that is composed of random words and is unique per email.

Ex: www.tracker.com/weather-dog-city-nice.jpg could identify you + timestamp
of request and bam, you have record of: valid email, address isn't blocked and
that user reads emails from recipient. No proxy in a world would be able to
make this request anonymous.

No idea what advantage of this is apart from google eventually offering an
alternative to gmail (think of comment system being replaced on youtube)

------
enraged_camel
Is there a way to turn it off? I'm on a limited data plan on my iPhone and I
don't want images to load by default.

~~~
arsenerei
It's in the article.

> Of course, those who prefer to authorize image display on a per message
> basis can choose the option “Ask before displaying external images” under
> the General tab in Settings. That option will also be the default for users
> who previously selected “Ask before displaying external content”.

------
dsaber
I think that's a great feature. Loading images manually is always annoying and
isn't a great user experience. Novice user's don't always understand why it's
risky and they probably opt to display the images anyways.

However, one interesting question is how can third-party analytics will
workaround this? Is there a way? Given that gmail holds a large market share
of email users, this is really going to negatively affect the usefulness of
such services.

------
natch
Seems it's being rolled out in a sloppy fashion. In my Gmail account, images
in email have suddenly stopped working. There is still a "display images"
button, and when I click it, the images do not load. When I attempt to open an
image link from the email message in another tab, I get a 404 error on
Google's proxy server, with a super long URL.

------
forgotAgain
_In some cases, senders may be able to know whether an individual has opened a
message with unique image links._

From
[https://support.google.com/mail/answer/145919?p=display_imag...](https://support.google.com/mail/answer/145919?p=display_images&rd=1)

------
taggartbg
Does this mean that every image will be saved onto Google's proxy server at
the time that Google receives it, or at the time that the user opens it?

I don't want to lose the ability to track email opens to gmail users through
Mandrill/SendGrid/whatever...

~~~
roshodgekiss
Many ESPs already have a workaround in place for ensuring that open % stats
are not affected. Here's Campaign Monitor's take on the issue:
[http://www.campaignmonitor.com/blog/post/4118/how-gmails-
ima...](http://www.campaignmonitor.com/blog/post/4118/how-gmails-image-
display-changes-will-affect-your-reports)

Also, a postmaster's version: [http://emailexpert.org/gmail-tracking-changes-
the-fix-what-y...](http://emailexpert.org/gmail-tracking-changes-the-fix-what-
you-need-to-know/)

Disclosure that I'm from Campaign Monitor and wrote that first post. As you
can imagine, we've been getting a fair few enquiries about image tracking and
opens today...!

------
duaneb
Just because it's through a proxy doesn't mean identifying information can't
be embedded in the URL.... This is used as a "customer read email" callback.

------
Pirate-of-SV
So it's going to break
[https://emailprivacytester.com/](https://emailprivacytester.com/) by default?

------
pdknsk
I wonder if Google will eventually PageSpeed the images and advertise it as a
feature. "Mails load faster with Google Mail!".

------
pyalot2
And since images are now no longer proxied, that's the end to this "email DRM"
sillyness. Good riddance.

