
Ask HN: Is this a privacy/security issue with Gmail? - thegabez
I've been using gmail for a long time and have just noticed something that is a bit concerning from a privacy/security standpoint.

When you compose an email to a valid gmail account, it will provide you with additional details of the account, if the user provides it, even if you have never corresponded previously via email. This works for emails with @gmail and also @somebusiness.

For example, go to gmail and compose an email to foobar@gmail.com, then hover over the address in the To: field.

You now know this is a valid email, who it belongs to, and a fairly decent amount of information about that person.
======
gmisra
GMail doesn't really "leak" information about e-mail addresses, it just
displays any public information tied to that address's Google Plus profile.

Once upon a time, Google dedicated a massive amount of resources to launch a
social network to compete with Facebook, Google Plus. When G+ launched, one of
the "features" was linking your GMail account with your G+ account. G+ didn't
really take off (obviously), but all Google employees were "strongly
encouraged" to join, and the account you're looking at (foobar@gmail.com)
belongs to a former Google engineer, who does have a public G+ profile. If you
go to plus.google.com and search for that e-mail address, it will bring up
their profile page. If you know any GMail addresses that don't have public G+
profiles, you can verify their information isn't leaked.

Aside: G+ was the reason why Google Reader was killed #NeverForget

~~~
thegabez
If it's tied to G+ then why does this work with business gmail domains as well?

~~~
balent
They are probably using Google+ with their business gmail email address.

------
prepend
It depends on what info the address owner shares with the public through
gmail/google+. It’s not a security issue if the owner consciously sets it.

In the good old days, there was a finger protocol you could use to find out
info on the account. It was abused by owners not understanding it and sharing
info inadvertently, and then behaving as if that info were secret (eg,
existing, last log on, etc).

I wish we could go back to finger, rather than depending on particular
services like Goog’s.

~~~
pavel_lishin
> _It’s not a security issue if the owner consciously sets it._

It depends on how conscious the decision was; were they explicitly aware that
the information would be shared with the world at large?

------
badrabbit
Dude. Yes.

They just this year stopped scanning keywords in your email body for
advertising purposes.

I won't say don't use gmail, maybe the risk is acceptable to you. But I highly
recommend paying for protonmail.

> When you compose an email to a valid gmail account, it will provide you with
> additional details of the account, if the user provides it, even if you have
> never corresponded previously via email. This works for emails with @gmail
> and also @somebusiness

This isn't surprising, google probably thinks the usefulness of such a feature
is more important than privacy of the recipient. This is their M.O., what
little pseudo-privacy you get with a google product is via opt-out.

My mini-rant aside, as a business owner, I suppose google auto filling your
contact metadata in that scenario would not be a bad thing (but then again,
just about every controversial feature of a google product benefits business
owners seeking to advertise on their platform)

~~~
hedora
> They just this year stopped scanning keywords in your email body for
> advertising purposes.

Not true (except maybe for the narrowest readings of the phrase “for
advertising”):

[https://news.ycombinator.com/item?id=17067151](https://news.ycombinator.com/item?id=17067151)

~~~
badrabbit
> “Google has decided to follow suit later this year in our free consumer
> Gmail service. Consumer Gmail content will not be used or scanned for any
> ads personalisation after this change.”

That's from the google blog post announcing the change. They scanned emails
and supposedly now they've stopped

------
pasbesoin
I believe it's actually a "Google profile", although it got a lot of attention
around the time of the Plus push.

At that time, Google cajoled and borderline tricked people into filling in
their profile (e.g. "dark patterns"): Name, a profile photo, etc.

They also made this information publicly accessible.

I recall, for a while, actively working to navigate all the Google UI
dedicated to prompting me into filling out or supplying this information.
(Particularly, I recall the photo part -- no thanks.)

I recall, also, a time or two following suggestions to navigate to my profile
and check what was on it and whether it was public.

This all blurs together in my mind, somewhat, to similar efforts to fight the
morphing Facebook UI and its attempts to gather and publicize my profile data.
So, all the details are a bit vague in my memory, now.

Note, too, that you can -- or could, at times -- provide information regarding
contacts that would appear in your own UI views. You could/can upload a photo
for whatever contact, so that their presence in the UI is more "recognizable
to you". And who knows.

Do I trust Google segregation/isolation of all these possible inputs to the
profile-esque data it has on someone? Not really. Even where this isn't intent
or malice, the various moving pieces of all their morphing projects seem rife
for lack of knowledge as to effects, slip-ups, and neglect.

--

P.S. Reading other comments here is causing me increased concern, on multiple
fronts. What Docs (or "Drive" -- whatever) may pop up for an address you
start to share to. Whether bcc addresses are "hidden" but not removed from the
copies going to other recipients. Etc.

P.P.S. I did a quick test and am not observing the bcc leakage. As I replied
elsewhere in this thread:

I just checked this and am not observing it -- at least, not between various
Gmail accounts and checking/downloading the "original message" using the Gmail
web UI.

------
hedora
My favorite “feature” on these lines is the fact that it displays the BCC list
to all the recipients.

‘Cause the “B” in “BCC” doesn’t stand for “blind”. It stands for “Ha ha! You
told me a secret and I blabbed and now you’re embarrassed/fired! Can we still
be friends?”

~~~
pasbesoin
I just checked this and am not observing it -- at least, not between various
Gmail accounts and checking/downloading the "original message" using the Gmail
web UI.
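One way to run the "original message" check pasbesoin describes (in this reply and in the P.P.S. of the earlier post), as an added example that is not part of this thread: parse the downloaded raw message source with Python's standard `email` library and report which recipient headers survived delivery. The two sample messages are constructed; treating any surviving Bcc or Resent-Bcc header as a leak is the assumption the check makes.

```python
"""Inspect a downloaded "original message" (raw RFC 5322 source) for a
surviving Bcc header. Added example for this thread; the sample messages
below are constructed, not real mail."""
from email import message_from_string
from email.policy import default

# Headers that carry recipient addresses. A submitting server is expected
# to strip Bcc and Resent-Bcc before handing the copy to other recipients.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc")
LEAK_HEADERS = ("Bcc", "Resent-Bcc")


def recipient_report(raw_message: str) -> dict:
    """Return {header: [addr_spec, ...]} for each recipient header present,
    plus 'bcc_leaked': True when a Bcc/Resent-Bcc header survived."""
    msg = message_from_string(raw_message, policy=default)
    report = {}
    for name in RECIPIENT_HEADERS:
        headers = msg.get_all(name)  # None when the header is absent
        if not headers:
            continue
        # With the default policy each header is parsed into Address objects.
        report[name] = [a.addr_spec for h in headers for a in h.addresses]
    report["bcc_leaked"] = any(h in report for h in LEAK_HEADERS)
    return report


# Constructed sample: what a correctly delivered copy should look like.
CLEAN_SAMPLE = """From: alice@example.com
To: bob@example.com
Cc: carol@example.com
Subject: constructed test message

body
"""

# Constructed sample: the failure mode discussed above, Bcc left in place.
LEAKY_SAMPLE = """From: alice@example.com
To: bob@example.com
Bcc: dave@example.com, "Erin" <erin@example.com>
Subject: constructed test message

body
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("leaky", LEAKY_SAMPLE)):
        print(label, recipient_report(sample))
```

To check a real download, read the saved .eml file into a string and pass it to `recipient_report`.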

------
Gustomaximus
I've flagged similar as a bug to Google. You can use their docs share function
to get non-publicly available names from email addresses and confirm if they
are an existing email.

To test I set up a spreadsheet with randomly generated words and it does grab
names for you. Personally I feel a bit annoyed Gmail would share my
first/surname to people if they test a non-identifiable email address. Also I
believe scams could use this to improve their success rate if they can insert
people's names to false business emails type thing.

But according to Google this is 'a feature' not a bug.

------
beatrobot
It means they have a Google+ profile. If you remove your profile, the info
should not be shown on Gmail.

------
borplk
I think it's information that is technically public.

