
Gmail tracks the history of things you buy, and it’s hard to delete - coloneltcb
https://www.cnbc.com/2019/05/17/google-gmail-tracks-purchase-history-how-to-delete-it.html
======
buro9
Where this gets weird is when the purchases are not yours.

I own a first.last@gmail.com address and it turns out there are a lot of
people who share that name.

So when I started receiving emails for other people I just hit spam, until the
day that wasn't enough. When I noticed that Google Assistant was telling me
about flights and hotel bookings for other people who share my name whose
email I'd long deleted.

And is it possible to delete those things? To rid yourself of the various
places the intelligent data emerges? Seemingly no. I found no way to stop
being told about these actions relating to other people... constantly being
shown PII relating to those other people (flight booking numbers, delivery
addresses for things they'd ordered).

I deleted and marked those emails as spam as much to ensure I wasn't receiving
other people's PII... yet Google was "intelligently" preserving this and
showing it back to me at every opportunity.

Very frustrating, and it makes me wonder if I ever enter an email incorrectly
where my personal data will end up.

Edit: I couldn't even see the flights I've been prompted about recently on
[https://myaccount.google.com/purchases](https://myaccount.google.com/purchases)
so I guess there are additional systems that have similar functionality.

~~~
hermitdev
Ive gotten delivery tracking emails to my gmail from Amazon for crap I didn't
order sent to an address ive never lived at. Apparently something like this
was happening.

What scares the crap out of me is in the last week I've been getting bombarded
with Zyrtek (an allergy med) ads. Now, I'd never seen an allergist or been
diagnosed with an allergy until 9 days ago. The only person I communicated
this to electronically was my father, and over SMS. I've not been researching
allergies online, my doc gave me plenty of dead tree material.

So, how do Google and other advertisers know I have an allergy? Are they
harvesting SMS as well? Are carriers selling SMS data for targeted
advertising? If my health care provider is selling that info, thatd be a HUGE
HIPPA violation. (Yes, I'm in the US).

Edit: grammar and clarity of thought.

~~~
leppr
Android's default SMS app sends your messages to Google to activate the
"Quick-reply suggestions" and "Messages for Web" features.

~~~
avh02
Just checked my pixel's settings cos I freaked out, explicitly says generated
on device.

~~~
taneq
Does it explicitly say texts not sent to Google?

~~~
avh02
To be fair it does not, but I'd say the implication that it doesn't is strong,
In my device menu at least.

The help section it links to omits a statement used in another section, namely
the " Copy a code in a message" section note:
[https://support.google.com/messages/answer/6080324?p=smart_r...](https://support.google.com/messages/answer/6080324?p=smart_reply&visit_id=636942350834586887-3379646105&rd=1#smart_reply)

------
curiousguy
For anyone thinking in leaving gmail, I recommend to get your own domain. For
example: firstnamelastname.com This gives the flexibility of email provider.

I did that 2 years ago and decided to go with Fastmail. And then I slowly
updated my accounts/contacts to my new email: mail@firstnamelastname.com

Nowdays I never get new emails on my gmail account and last weekend I decided
to finally remove gmail from my phone (but configured to automatically forward
just in case).

~~~
FabHK
When you have your own domain, I suggest enabling a catch-all email. You can
then make up a new email for every account
("hackernews@firstnamelastname.com"), enabling you to track where spam comes
from, disabling certain emails, etc.

migadu.com even offers reg-ex based catch-alls, pretty nifty.

[https://www.migadu.com/en/benefits.html#anchor_catchalls](https://www.migadu.com/en/benefits.html#anchor_catchalls)

~~~
atoav
I want to elaborate a little further because I thought this might be unclear
if you don't really know what a catch-all adress is:

A catch-all adress is an adress where all emails of your domain that you
didn't explicictly make a email adress for will land.

So if you own foobar.eu and you made catchall@foobar.eu your catch-all adress,
you could just make up arbitray email adresses on the spot (e.g. shady-online-
service-x@foobar.com) and all mails that are sent to that adress will land in
your catch-all adress.

There are multiple cool things about this: \- you can just block that adress
if it annoys you \- if you ever get spam and it is adressed to shady-online-
service-x@foobar.com you know exactly who fucked with your data \- you don't
have to disclose your primary email adress to stranges, you can just make
something up.

~~~
tsjq
thanks for adding that clarity. much helpful !

------
minimaxir
Relevant HN discussion about this behavior 7 months ago:
[https://news.ycombinator.com/item?id=18090590](https://news.ycombinator.com/item?id=18090590)

(I don't think this article is a dupe; current events have recontextualized
the debate)

------
reaperducer
I find this curious because I have been repeatedly told by Google people on HN
that Google stopped reading GMail years ago.

~~~
crazygringo
Yeah... it was maybe one and a half years ago I think?

But they stopped reading it for showing contextual ads.

They're still reading it to show you useful information across Google
properties, like in Google Maps the location of the theater you bought tickets
to see a play to tonight. Removing that would be removing a useful features
that people liked (unlike the ads).

~~~
jgalt212
there's always a catch with these guys.

~~~
jonny_eh
They also read emails to catch spam and phishing attempts.

~~~
ma2rten
They also read emails to index them for search.

~~~
JetSpiegel
Even though email search can't find anything. Ridiculous coming from Google.

~~~
raverbashing
Really? I don't have a problem usually with gmail

~~~
reaperducer
I support the parent's comment.

I've had e-mail messages open in the GMail web interface that when I search
for the words I can actually see on my screen come up with nothing.

------
gerash
These stories have turned into click baits.

The data in question here is nothing compared to what your credit card
company, bank, Amazon or TurboTax has.

Unlike many folks here I find value in this and can't see it harming my
privacy. In fact I think Gmail is still dumb compared to what Google or maybe
a startup could potentially provide.

I'd love to be able to ask a query such as "show me the receipt for that red
flower pot I bought last year" or "show me all my dentist appointments this
year".

~~~
human20190310
The difference is that I know that the credit card company or Amazon is
collecting my information because I'm directly involving them in the
transaction.

I thought I had all my Google privacy settings at "paranoid", but I did not
know this was even occurring.

~~~
Zopieux
Exactly how are you not involving Gmail when you set your transaction receipt
email address to be your @gmail.com?

While I do understand the point that /purchases looks creepy, your comparison
is dishonest.

~~~
human20190310
I'm not involving gmail in the transaction because I didn't ask them to _read_
the mail.

If gmail (and email in general) is going to make use of the "mail" analogy,
that comes with the expectation that they do not open your mail.

------
ProAm
Just pay for Fastmail, I finally did it and its so nice. Easily worth the
money.

~~~
the_jeremy
I want a service that can handle all my domain's traffic on a per domain per
month basis instead of per user. PurelyMail is the only one like this that
I've found but it's still in beta and the owner has been having some problems
getting past Microsoft's spam filters.

Is there any service that will host my email with as many users as I want for
a flat (or bandwidth/storage-based) fee?

~~~
stonogo
Look at [https://mxroute.com/](https://mxroute.com/)

They've come in handy for a couple of my colleagues.

~~~
newscracker
I took a look at it and liked it (though it doesn't seem to expand much on
privacy), but the service being situated and hosted in the U.S. is something I
do not prefer at this point. I wish there were services like this outside the
five eyes, nine eyes and fourteen eyes countries (I know Migadu the company is
in Switzerland but has its servers in France, but it doesn't seem to have
adequate staff or the intention to respond to people).

Additionally, mxroute does not seem to provide any trials. Its policies say
that payment issues from the customer have to be resolved within 24 hours, but
that refunds to the customer may take 72 hours. That seems unfriendly to me.

------
mehrdadn
Can someone explain what the point of deleting a purchase is? The email is
still there, the data is still there... how is this affecting what Google does
with your data?

~~~
belltaco
If there is no point then why does Google allow you to do it?

~~~
mehrdadn
Reduce clutter? Maybe you want to only remove some but not others?

Let me turn the tables on you -- why _doesn 't_ Google have a button to delete
all of them at once?

~~~
hn23
A guess: They build a model of you as a customer. If you delete some
information step by step then you possibly start with what bothers you most.
So you do the data cleaning for them and train their algorithms. Not to
mention that deletion is most likely just "hide this".

------
techntoke
You can easily delete purchases here:

[https://myaccount.google.com/payments-and-
subscriptions](https://myaccount.google.com/payments-and-subscriptions)

However, I have a feeling that removing your Google history doesn't actually
remove it, just prevents you from seeing it.

~~~
alxlaz
Just for the fun of it, I figured I'd try to log in and see if Google has any
info on stuff I've purchased.

I'm over VPN so they insist this device isn't recognized (even though I've
signed in from this exact machine, over this exact VPN connection, last week).
Google helpfully offers to send me a security code over the phone.

Even better, though, it has a "Can't use your phone?" option. You know what
happens if you click that option?

It takes you to a screen that says "You're trying to sign in on a device
Google doesn't recognize. For your security, use your phone to show it's you
signing in and not a hacker." and the only option on that screen is "Go back &
use phone."

I think there's a joke about how to understand recursion here but I can't
quite put my finger on it yet.

~~~
techntoke
I'd recommend removing your phone from here, and setting up 2-Step
verification instead:

[https://myaccount.google.com/security](https://myaccount.google.com/security)

------
integrate-this
Google has gotten to the point where it creeps me out. I've switched away from
Chrome. I don't use their search engine unless I can't find the results on
Bing or DuckDuckGo.

I don't know if it's going to get to the point where it hurts their business
(I'm just one person), but I'm to the point that targeted advertising is a
really good way to make me not want to buy a product.

~~~
ne01
I second this. Try DuckDuckGo + FastMail and (Safari + Wipr extension for an
advertisement free WWW)

I too switched away after being a lifetime Google Advocate: Android,
Chromebook, GCP, Linux + Chrome and many, many of their products. Honestly, I
don't care about privacy that much I'm just sick and tired of how good Google
became at distracting me! Never mind the ads and how I had to use incognito
search for anything because if I searched something (e.g. buying a monitor)
google keeps suggesting similar stuff to get my attention or suggesting
articles on the homepage of Chrome (mostly android).

What was once a simple beautiful tool to find answers, fast. became part of
every aspect of my life, trying to get more and more of my attention/time.

Time is gold. Google lost respect for my time and I lost respect for Google.

~~~
jen729w
Agreed, and a quick shout to migadu.com for email. I’m a long time happy
Fastmail customer but Migadu’s offering is interesting and different enough to
have a look at.

~~~
52-6F-62
I’ve been hiding my time with Gmail. Planning my exit.

Fastmail is a leading contender, but thanks for posting Migadu. It does sound
interesting.

They offer a lot for a low price, but I wonder how?

I’m intrigued!

~~~
newscracker
> They offer a lot for a low price, but I wonder how?

They don't respond to queries or requests. I presume that's how. To avoid
repeating my comments too many times, let me suggest looking at my other
comments on this post.

~~~
jen729w
Couldn't disagree more. I've mailed them twice and had a personal response
within a few hours.

~~~
newscracker
That’s good to hear. But I haven’t had the luck to hear back from them. So my
guess is still that it’s a tiny team with many other priorities than this
platform, and so misses responding or acting many a times.

------
burlesona
I would love to leave gmail but two things hold me back:

1\. Archive export. This is the main thing, I've got a 15 year record of
emails and now and then being able to search back to something that happened
5-10 years ago is a life-saver. Is there even a way to export your gmail
archive?

2\. What to replace it with? I've heard FastMail is a good alternative, and
some people really like ProtonMail, but I've had a hard time evaluating
services because it's not a trivial thing to set up and use an alternative
email account, and I'm not sure what other than real daily use would be a
valid test run.

~~~
cbhl
1\. For export, takeout.google.com lets you export your emails in mbox format.
[https://support.google.com/accounts/answer/3024190](https://support.google.com/accounts/answer/3024190)

Third-party email services may also have flows for importing email from GMail,
for example Microsoft Office 365:

[https://support.office.com/en-us/article/import-gmail-to-
out...](https://support.office.com/en-us/article/import-gmail-to-
outlook-20fdb8f2-fed8-4b14-baf0-bf04b9c44bf7)

------
forrestthewoods
This information is also scraped and sold by unscrupulous companies that you
give access to your email.

If you’ve ever let a service scrape your inbox for travel itineraries they
probably read all your email ever and sold that information. Surprise!

------
javagram
I use all my mail through G Suite on a domain I own through a third party
registrar.

I logged into the link provided in the article and got a message “You don't
have any purchases”.

Maybe this feature isn’t available to me since I’m a G Suite user rather than
a gmail user? I actually wouldn’t mind having this feature available, although
I do keep google’s location history disabled.

~~~
jzl
I think this is because Google just doesn't do a lot of the data scraping in G
Suite accounts that it does in gmail accounts. So I think it just doesn't have
any stored "purchases" to show, rather the fact that the purchase interface
doesn't work.

I say this based on information I've read in the past about how G Suite /
Google Apps accounts are treated. I hope this is the case, but am certainly
not sure about it.

------
Brendinooo
Sometimes Google seems totally unaware of _why_ people might find this stuff
discomforting.

~~~
ganeshkrishnan
They are absolutely aware. They banned my dev play account because few
competitors reported as similar app and there is no human to view my case.

They just stopped giving a shit. Funny, how all the senators talk about
breaking up Facebook when Google is 100x bigger and 100x monopolistic.

Break up Google. And unban my account in the process ;)

------
smonff
It's always amusing how people are _shocked_ when stuff like are discovered,
although Gmail is designed to serve those kind of things. This is a free
service, and as a free service they have to make money with something. I don't
see any problem with that. If you don't want this, don't use Gmail, there are
lots of available alternatives.

------
jlelse
Just setup your own mail server using mailcow for example. Pretty easy and
awesome for privacy. I did it too: [https://jlelse.blog/thoughts/2019/mail-
server/](https://jlelse.blog/thoughts/2019/mail-server/)

------
beshrkayali
Same thing for your flights/hotel reservations btw via
myaccount.google.com/reservations

------
jgalt212
They own up to this practice--albeit not the top link, at least for me.

[https://www.google.com/search?q=gmail+purchase+history](https://www.google.com/search?q=gmail+purchase+history)

~~~
jvolkman
It's not exactly hidden:
[https://www.google.com/search?q=my+purchases](https://www.google.com/search?q=my+purchases)

------
squarefoot
I wish it was just the things I buy. All my Ebay sales and purchases get
confirmation to my Google email, all bank reports come via email, and my
doctor too uses a service to send my prescriptions to my gmail address.
Recently someone at that service changed the way they operate so now I receive
a link where I have to put my equivalent of SSN to download the prescriptions,
so data theft while absolutely possible, in this case has to be deliberate.
Still, the amount of personal information available for mining to Google and
others is plain scary: I've seen with these eyes lawyers sending photos of
sensitive documentation via Facebook or Whatsapp; that's even beyond stupid.

------
jwr
I don't understand why people don't have a problem trusting Google with all
their information (as is the case if you use Gmail).

Even if you ignore the privacy implications and the fact that it's a company
whose business is to target ads, there is still incompetence. Case in point:
my YouTube history regularly gets mixed with somebody else's. I get videos
watched by a child that likes Masha and the Bear and Peppa the Pig. Reported
to YouTube a number of times, they seemingly ignored it and don't care.

I turned off my history, but I still get recommendations for Masha and the
Bear.

Now, that purchase history of yours, who else gets to see it?

------
jmole
Look at the difference between the emails you get from amazon today when you
make a purchase, and several years ago.

Today, this is what shows up:
[https://imgur.com/UF2YBVa](https://imgur.com/UF2YBVa)

5-6 years ago, here's what it looked like:
[https://imgur.com/lBWWkin](https://imgur.com/lBWWkin)

Honestly, amazon has so much information about what I buy and why I buy it,
I'm a little upset that I can't get these data from any retailer I shop at and
import it into some software where I can actually look at what the trends are.

------
arkitaip
I routinely revise my Google privacy settings across a bunch of different
pages and I was totally unaware they tracked purchases by scanning email in
Gmail. I don't see the value this offers to customers but I see why harvesting
rich e-commerce data makes sense to Google.

~~~
compiler-guy
I can see some value for those who want someone to automatically track what
they buy. That may be useful for records, or reorders, or whatever.

Seems likely to be useful for Google too in the way you describe, although it
isn't clear to me how Google uses it.

~~~
fjsolwmv
Sure, maybe it could be useful. But why is it hidden where no one knows it's
there to be used?

------
bryanrasmussen
well I went and looked at it and realized I don't really buy very much online
at all, but I was thinking - what about the invoices I send out - they should
have that organized somewhere too.

------
RenRav
I smell a new service for backing up and then deleting the emails for you

~~~
hiccuphippo
Does Google really delete the full emails when you delete them? For example,
if they used the content of an email to generate a profile to show you ads, do
they reverse the process when you delete that email?

~~~
skybrian
At least part of your Google ad profile is editable:

[https://adssettings.google.com/authenticated](https://adssettings.google.com/authenticated)

------
suff
Even following the steps in the article, provided by Google, it is impossible
to delete purchase history.

~~~
ocdtrekkie
The only way to do it is to go to each individual email that Purchases uses as
a source and delete them from Gmail. I did it as part of moving all of that to
FastMail, personally.

------
calimac
Is there a list or mind map anywhere of all of the nefarious things google
does? Most people reading this forum can spend the next three days talking
about all the evil shit google does and Not even run out of things to say.

------
fyoving
They host your emails that is where this data comes from, if you don't like
that then delete said emails.

The media's modus operandi is to try and implicate tech companies with
supposed violations whether it's justified or not, they will gain clicks and
tarnish the reputation of a hated competitor, there are no drawbacks, they
also keep perpetuating the notion that utility and invention must be
sacrificed on the privacy altar.

~~~
Johnny555
_They host your emails that is where this data comes from, if you don 't like
that then delete said emails._

Deleting emails is no solution - Google has already scanned the email by the
time it shows up in your mailbox.

------
bwb
Why do people care about this :)?

------
tantalor
Wow next you're going to say my bank and credit card company tracks my
purchases, too? Scary!

~~~
mfer
It's worth asking "why" companies would do these things.

A credit card company can legitimately use fraud detection as a reason for
looking at purchases. They can upsell budgeting software as another legit
option people would accept.

Why would Google be tracking this information? What use is it for them if they
truely not doing it for ads?

I was oddly reminded of the Selfish Ledger video that was leaked from
Google... [https://www.theverge.com/2018/5/17/17344250/google-x-
selfish...](https://www.theverge.com/2018/5/17/17344250/google-x-selfish-
ledger-video-data-privacy)

~~~
pdkl95
From PBS Frontline's "United States Of Secrets" (part 2)[1]:

    
    
        LIZ FIGUEROA, (D) State Senator, CA, 1998-06: We walk into this room, and it’s myself
        and two of my staff— my chief of staff and one of my attorneys. And across from us
        was Larry, Sergey, and their attorney.
    
        All of a sudden, Sergey started talking to me. He said, “Senator, how would you feel
        if a robot went into your home and read your diary and read your financial records,
        read your love letters, read everything, but before leaving the house, it imploded?”
        And he said, “That’s not violating privacy.”
    
        I immediately said, “Of course it is. Yes, it is.” And he said, “No, it isn’t.
        Nothing’s kept. Nobody knows about it.” I said, “That robot has read everything.
        Does that robot know if I’m sad or if I’m feeling fear, or what’s happening?”
        And he looked at me and he said, “Oh, no. That robot knows a lot more than that.”
    

If the robot really imploded without any benefit to Google, why were they
paying to manufacture use it?

If Google truly doesn't use the purchasing data to sell ads, why did they pay
their expensive engineers to develop the tools to extract the data from email
receipts?

[1] [https://www.pbs.org/wgbh/frontline/film/united-states-of-
sec...](https://www.pbs.org/wgbh/frontline/film/united-states-of-
secrets/transcript/)

~~~
joshuamorton
Simple: if you use the Google assistant, you get notifications about packages
and flights. Flights get added to your calendar automatically, and other such
niceties (for example, I get notified when I have a credit card payment due).
A lot of people find this useful.

An ecosystem with useful features leads to profitability without any sort of
malice, like people buying Android (or pixel) phones, or google homes, or
whatever.

~~~
mfer
Consider this, Google is focused on maximizing profitability and most features
people don't pay for. How does that work? Who are the paying customers, how
does Google maximize income from them, and how does it impact the non-paying
users?

------
OrgNet
If you delete your history from Google, it only means that you aren't able to
see it anymore in your account... Google keeps everything.

~~~
crispinb
Do you have a source for that?

~~~
nullc
It's interesting to me that whenever someone responds that Gmail scans mail
for advertising several google employees show up to fall all over themselves
to deny it. But if you mention retention you get silence.

I wouldn't be too shocked if no single human actually knows what the real
retention behavior is for gmail.

~~~
SquareWheel
>It's interesting to me that whenever someone responds that Gmail scans mail
for advertising several google employees show up to fall all over themselves
to deny it. But if you mention retention you get silence.

You're not looking hard enough.

[https://news.ycombinator.com/item?id=19863438](https://news.ycombinator.com/item?id=19863438)

~~~
crispinb
Good find, though I do tend to doubt mere company employee claims (lying is
endemic to every corporation I've known from inside). In any case the user
making the claim you link to came from a throwaway login.

~~~
SquareWheel
I'm skeptical of company claims on Hacker News as well. But it met the
condition described by the parent poster, and really has no more or less
veracity than any other anonymous comment.

~~~
crispinb
True enough

------
zwaps
Wow, that never showed up in any privacy setting. Google is so evil.

Is there any way other than deleting the account from stopping this?

It says I have to delete the mails to delete the data, but I have already
deleted the mails (as I usually do) and the data is still there! Including
information like flights and purchases.

