Hacker News new | past | comments | ask | show | jobs | submit login
Gmail tracks the history of things you buy, and it’s hard to delete (cnbc.com)
402 points by coloneltcb on May 17, 2019 | hide | past | favorite | 221 comments

Where this gets weird is when the purchases are not yours.

I own a first.last@gmail.com address and it turns out there are a lot of people who share that name.

So when I started receiving emails for other people I just hit spam, until the day that wasn't enough. When I noticed that Google Assistant was telling me about flights and hotel bookings for other people who share my name whose email I'd long deleted.

And is it possible to delete those things? To rid yourself of the various places the intelligent data emerges? Seemingly no. I found no way to stop being told about these actions relating to other people... constantly being shown PII relating to those other people (flight booking numbers, delivery addresses for things they'd ordered).

I deleted and marked those emails as spam as much to ensure I wasn't receiving other people's PII... yet Google was "intelligently" preserving this and showing it back to me at every opportunity.

Very frustrating, and it makes me wonder if I ever enter an email incorrectly where my personal data will end up.

Edit: I couldn't even see the flights I've been prompted about recently on https://myaccount.google.com/purchases so I guess there are additional systems that have similar functionality.

This happens to me all the time. My Gmail is first name and last initial. I'm not sure if the burden here is on Google or those sites that don't verify email address before sending stuff like this, though.

The most fun so far for me was when someone used my email to sign up for Ashley Madison (the affair dating site). Of course, they were compromised a few years later and someone built a tool allowing you to search their users by email. Guess who appeared to be having an affair then? Tough one to explain to someone non technical...

There was a memorable period when one of my namesakes moved into the dorm for his freshman year of college. I was initially confused about the influx of a particular flavor of adult-oriented adverts until the textbook rental invoices started to arrive.

This wasn’t the first time this kid had used my address, and my social media reconnaissance had revealed he was quite the little jerk.

When I got those invoices with his parents contact info, there was a serious temptation to print out and mail a little care package of everything their baby boy had been up to. Alas, life was quite stressful at the time, and I never made the time to follow through.

I sure if you just keep posting stories like this you will get enough cover to show your SO or potential SO that your version of events actually happened instead of what everyone assumes.

Since we're sharing anecdotes... I also have a gmail address with a fairly common name.

1) I've received a bunch of Fw: emails from an Australian person over the years that I ignored as spam. Until he sent a very personal one, inviting me to catch up over beers since it's been so long, at which point I took pity and replied along the lines of "Hello! This is not the address of who you think it is. You're emailing the wrong person. Have a nice day." To which he replied "Lol, nice one!" Eventually the emails stopped.

2) I received a message from a major American company that if I didn't take action urgently, something or other would happen to my requested service. Ok, fine. Then within the next 5 months I've received at least half a dozen emails from them titled "FINAL WARNING: ...", stressing just how important it was for me to acknowledge it. I suspect the company is run by the people behind the Final Destination films or the Final Fantasy games.

I've been getting someone's utility bills, monthly payment reminders, and monthly payment confirmations at myname@gmail.com. I contacted the power company, said they were emailing the wrong person, and asked if they could make the emails stop. Even though I emailed from the account that was receiving the messages, they said they can't change the email preferences since I'm not the account-holder. A nice little Catch-22.

I met the same Catch-22 with PayPal.

GDPR will help you there. Less than 5 minutes and I had it solved.

I receive lots of such emails. In most cases, I just end up with one series of emails from another person who shares my first initial and last name... such as one person's credit card payment emails, another person's cable television bill, another person's sports team updates...

But for about eight years I received numerous emails for some town council member in England. At first, I replied back to explain the misdirected mail, but they kept coming. Meeting minutes. Town council activities. Pamphlet distribution arrangements. A message from a member of the British parliament.

Then one day, I'm not sure what happened, but it must have clicked with them. I received a "test" email addressed to both myself and the actual intended recipient, in which it was explained that they presumed they had the correct address all along because the mail didn't bounce.

After that, the messages stopped. I kind of miss getting them now, but I'm glad they got it all sorted out.

Apparently final fantasy 1 was the Creator's last chance to make a successful game before getting fired from squaresoft

Ive gotten delivery tracking emails to my gmail from Amazon for crap I didn't order sent to an address ive never lived at. Apparently something like this was happening.

What scares the crap out of me is in the last week I've been getting bombarded with Zyrtek (an allergy med) ads. Now, I'd never seen an allergist or been diagnosed with an allergy until 9 days ago. The only person I communicated this to electronically was my father, and over SMS. I've not been researching allergies online, my doc gave me plenty of dead tree material.

So, how do Google and other advertisers know I have an allergy? Are they harvesting SMS as well? Are carriers selling SMS data for targeted advertising? If my health care provider is selling that info, thatd be a HUGE HIPPA violation. (Yes, I'm in the US).

Edit: grammar and clarity of thought.

Maybe your phone's location history at an allergist's office was a hint that you have allergies? I've heard stories about Facebook suggesting friends of friends as "people you may know" after they crossed paths at some location.

It's spring. Everyone gets allergy meds advertised to them in spring.

I visited friends and went along while they went to the pediatrician. I do not have children but after this trip, the Google rewards app asked me if I have children several times immediately afterwards and over the next few months (it had not asked me that question prior to that) so I assume that Google was using either the routers my android phone saw or my location info to figure out where I was to target me for ads.

Android's default SMS app sends your messages to Google to activate the "Quick-reply suggestions" and "Messages for Web" features.

Just checked my pixel's settings cos I freaked out, explicitly says generated on device.

Does it explicitly say texts not sent to Google?

To be fair it does not, but I'd say the implication that it doesn't is strong, In my device menu at least.

The help section it links to omits a statement used in another section, namely the " Copy a code in a message" section note: https://support.google.com/messages/answer/6080324?p=smart_r...

Also possibly the Baader–Meinhof effect [1].

[1] https://en.m.wikipedia.org/wiki/Baader%E2%80%93Meinhof_effec...

I got ads for this. I don't have allergies. I got ads for erectile dysfunction, hair loss, maseratis, and ferraris. I'm not in any of the groups interested in these things. I think some of these are either zip targeted, untargeted, or lookalike targeted.

This happened to me. I tried fixing and contacting sites and it just gets worse and worse.

I now try to cancel or change any order I get as that ends up working best to have the real first.last@gmail.com figure it out. It’s also amazing how many sites let you do important stuff like change airline tickets without login and how many sites never confirm email.

I spent two years with Uber trying to fix someone using my email and driving. I would get password reset emails all the time, but I couldn’t use them because they had their phone as two factor. Really frustrating.

You've been changing people's airline tickets just for typing the wrong email address?? I hope that's hyperbole, otherwise that's awful.

Get enough of these, and you have to wonder just how stupid people can be if they can't even get their own email address correct.

I signed up for gmail years ago, and got my firstname.lastname@gmail.com address. I don't use it at all [1] so any email I get there is spam or a mistake. I've sent out countless "this isn't the person you thing it is" emails to car dealerships, sporting events, random strangers sending me family photos, etc. It's simply amazing how often this happens.

[1] I run my own email server on my own domain. I got gmail.com just to see how their email client worked, back when they first announced it.

Same exact problem here. I get unbelievable amounts of emails intended for other people who share my name, including once a scanned copy of a passport. There's a special place in hell for services that not only don't validate email, but also require you to login to unsubscribe.

I get some wild stuff in my relatively common firstLast@gmail.com that I’ve had since 2004.

Most memorable was an invite to a Man U friendly in Hong Kong, including a seat in a luxury box. I wrote back and was like you got the wrong guy but can I go? They wrote back and said sure if you can get to HK by Thursday. As a passport-less college student, I couldn’t swing it.

Another time, somebody with my name was some kind of assistant to a congressperson. I got an email that said, “We have something for the senator, where should we send it?” I gave them my address (in Portland, OR) and hoped I would end up in some kind of political thriller situation. Ended up being some dumb poster lol.

If you're an American, you wouldn't have needed a passport to get to Hong Kong! That doesn't solve the issue of airfare though :/

Where’d you get the idea a passport isn’t needed?


I'm currently receiving medical bills from some overseas hospital. I get a power bill from some guy in Ohio. I'm part of a family's frequent vacation emails. There's some woman named Deborah whose Verizon bill I get alerted about. On the GSuite side of things, I have a catch-all account for a domain I own that receives real estate documents every day of the year.

So many people have provided my GMail as their own that its and endless stream of missed communications and noise. Worse yet - apparently it's distorting the profile Google (and whatever other government agencies track this stuff) have built about me.

I have <common last name>@gmail.com and it's unusable. I've had it since you could only get a gmail account via invite. I've mostly stopped using it except I have a quite a few android apps purchased with the account and you can't transfer them.

I have a unique name that no one else on earth has, and I'm usually envious of people with common names, as there is no where for me to hide on the internet, but then I see stories like yours and remember that it's not all bad.

For me one of these sorts of situations, it got so bad I started cancelling flights and hotel reservations as they came in. That gave the person who had the errant email address enough incentive to actually fix it.

you should have written an article about it, it's an obvious security hole in the airlines' systems.

If that's true you're a terrible person.

Oh we were nice enough about it, we even tracked down what the person's "actual" email address was and tried to get them to change it. They not only were they unwilling to fix it with the places they had given it out they added more. So it wasn't like they felt compelled to be helpful. And of course it isn't really possible to "junk" emails from legitimate businesses to your email that you might want to do business with at some point.

Not really. Not when the amount of emails is big, and people refuse to fix things on their end.

Meanwhile, I don't have a common name, but there are at least a few of us out there.

So when I get something like that, I get to immediately go into "My credit card has been compromised mode".

I've found the same, especially having just a <firstname><number> gmail. On top of just the various receipts and booking and what have you, I've noticed my email being used for what I think are probably fake accounts setup by either the company or their marketing firm. I had Wells Fargo email me shit about some bank account for the the longest time, and I could never get rid of the emails, tried calling them saying this email doesn't have a back account with you etc etc. Turns out a few years later they got busted with creating fake accounts. I bet some hack at the company just put my first name for the email in the fake account they created, and bam, I get spam from them. Now I'm suspicious every time I get email from an account I didn't create for AT&T or some larger company, and I always wonder whats a typo, and what company is trying to pump their numbers... Or the kid who used my email for his Fortnight account. Yeah, I wiped out his account once I tried signing on for the first time, and got messages saying I never confirmed my email...

Add me to the list of people with the same problem. I actually paid for a Gmail invite when it was first launched so I could get my preferred address for my extremely common name. Oops.

It’s extremely frustrating. At least once a week there’s an attempt by someone to recover my email address as they think it’s theirs.

My SO gets these also. One of the people with the same first and last name as her is a government official and has inadvertently forwarded confidential information once or twice. My name is unusual enough that this doesn't happen with Gmail, but I do own a domain that's one letter different from an American local government domain, so I receive emails with misspelled addresses from them every few months.

Google’s automation with calendar auto-adding events from email and not correcting is so bad that I switched to macOS/iOS Calendar and started weening myself off of Google’s services.

They’ve had issues for years, and don’t seem interested in ficin

>I own a first.last@gmail.com address

Isn't this a security hole? Even if I don't know your password, just knowing your address means I know your first and last name. Now I got 3 pieces of information that can be used to social engineer my way through tech support.

This happened to me a few years ago. Due to the volume of (danish) email I would get for this other guy it became impossible to actually use in any real sense.

I had no real choice but to create a new (and more esoteric) email address

Ugh, I had something similar happen to my gmail account. My name is apparently similar enough to some Swedish venture capitalist's that my email account got added to a startup incubator's spam list. That account now gets regular elevator pitches and invitations to investment raises, and even though I tell each individual spammer to take me off their list, it's obviously still on the master list somewhere because it keeps happening. Eventually I retired that account for other reasons but it's probably still getting spammed to this day.

Wow. If they really connect transactions and people by name that would be super amateurish. It just shows that no single entity should have that much data because the bigger they get it will be more and more likely that people will do stupid things. There is no way around it.

I don’t think that’s what’s going on. I think it’s like this:

GP’s email address is john.doe@gmail.com

Lots of people are named John Doe, and some of them think their email address is john.doe@gmail.com

When those people buy something online, they (incorrectly) provide their email address as john.doe@gmail.com

Emails about the products purchased end up going to GP

Google shows GP information about products that show up in his email

meh, years ago quite a few retail stores started asking for your email after a purchase. I would wager there is a sizable subset that a) didn't want to give their real email, b) but were too polite to decline, (as the cashier would ask "what's your email", and it wouldn't sound like an option) and so c) just gave a fake/dummy email that somewhat relates to their real name.

Ok. I misread. So people are basically mistyping their own E-mail?

There must be some psychological treat that many people just enter <name>.<surname>@gmail.com from laziness, carelessness, or treating the address as a black hole? This happens too often all around the world.

For anyone thinking in leaving gmail, I recommend to get your own domain. For example: firstnamelastname.com This gives the flexibility of email provider.

I did that 2 years ago and decided to go with Fastmail. And then I slowly updated my accounts/contacts to my new email: mail@firstnamelastname.com

Nowdays I never get new emails on my gmail account and last weekend I decided to finally remove gmail from my phone (but configured to automatically forward just in case).

When you have your own domain, I suggest enabling a catch-all email. You can then make up a new email for every account ("hackernews@firstnamelastname.com"), enabling you to track where spam comes from, disabling certain emails, etc.

migadu.com even offers reg-ex based catch-alls, pretty nifty.


I want to elaborate a little further because I thought this might be unclear if you don't really know what a catch-all adress is:

A catch-all adress is an adress where all emails of your domain that you didn't explicictly make a email adress for will land.

So if you own foobar.eu and you made catchall@foobar.eu your catch-all adress, you could just make up arbitray email adresses on the spot (e.g. shady-online-service-x@foobar.com) and all mails that are sent to that adress will land in your catch-all adress.

There are multiple cool things about this: - you can just block that adress if it annoys you - if you ever get spam and it is adressed to shady-online-service-x@foobar.com you know exactly who fucked with your data - you don't have to disclose your primary email adress to stranges, you can just make something up.

thanks for adding that clarity. much helpful !

I do this with FastMail and find it indispensable. However, most email applications don't seem to support sending via wildcard email addresses (i.e., if I receive an email at hackernews@mydomain.com, I want to be able to respond as hackernews@mydomain.com, not my personal email address).

FastMail's web interface lets me do this (as does its iOS client), but has anyone found any other (preferably macOS/iOS) apps that support this natively? I generally prefer native apps over web-based, and FastMail's iOS app leaves something to be desired.

Thunderbird will allow you to "Customize From address", where you type something into the "From" field and it attempts to send the message using your normal log in credentials. Works like a charm for me on Ubuntu, and I imagine it is available with the same features on Mac.

I recommend checking out add-on Virtual Identity for Thunderbird. It will use "To" address as "From" by default when writing reply, allows editing "From" directly in new mails and will remember what address to use with any recipient and.

Unfortunately, some mail providers (like Migadu.com) block sending mails with "From" anything other than primary user address, even through they "support" catch-all. I was especially disappointed as that stopped me from using IDN mail address. I successfully created mail account using Punycode and I was able to receive mails with national characters, but their filter stopped me from sending.

I know IDN mail address is risky, but it's something I wanted to test. My surname contains non-ASCII character.

They indicated in January that they are working on allowing customization "From" filter customization, but it is still now available and contact with them is very difficult (they are not replying to mails unless you repeat question a couple of times). To be fair, I'm not paying yet (I wanted to test IDN works and it did not, so I'm not very interested in paying when they offer free account anyway).

Thanks! I tried Thunderbird a couple of months ago and abandoned it because its UX seemed to not have really progressed in a number of years -- I hadn't used it since the Netscape Communicator days but it seemed... somewhat the same.

Although I realize these days a number of modern clients store copies of your email on their own servers for push notifications (or more nefarious) purposes, so maybe Thunderbird really still is the best option out there. Regardless, thanks for taking the time!

How has Migadu been for you? I've contacted the team a few times, but never received any responses or seen any action taken. I like the pricing since it would work out very well for personal emails where you need a bunch of mailboxes (not just aliases) but not getting even an auto reply or a ticket for mails is big cause for worry. As I mentioned in another comment here, it looks as if Migadu is run by two or three people who have day jobs and other things to take care of and that Migadu is just a hobby project.

Runbox is also probably a small team, but their responsiveness to mails is very good (usually a few hours or maybe a day or two at the most).

I don't like Fastmail and other providers who charge a lot per mailbox (a lower storage limit is not a big deal for me) when one needs many mailboxes with separate credentials (not aliases).

I've been doing this for years. At one point my first email provider removed the catch-all feature. Despite pleading with them, all they could suggest was adding each address as a real account or alias account. There's no way I'd remember them all! So I had to switch providers.

Does leaving Gmail matter if all you're doing is switching one third party with another? At least when Google is doing something wrong, it makes the news; with others you might never find out. (And for the people repeating the "if you're not paying, you're the product" - it's quite possible to pay Google, too.)

The only sure way would be to self-host but that has its own considerable headaches.

A key part of OP's advice was to get email at your own domain. Then you can switch email providers if it comes to light that the provider you're using is doing creepy shit with your email.

And speaking of Fastmail: I sincerely doubt they're reading your emails. They make money solely by providing email services to (for the most part) businesses. If it came out that they were reading emails A) it would probably be a violation of their contractual obligation to their customers, and B) their reputation would be permanently destroyed.

You can pay Google and still be the product (you’re certainly not their primary customer). And it’s quite possible for Google to do things which I don’t like (“something wrong”) and to simply not tell anyone.

This said, I personally used gmail for years (and still do for work), but these days I just want that business model out of my personal life.

If you are paying for your email service there is a much better chance of you being the customer instead of the product.

That’s similar to my setup. Migrating out of Gmail took good couple of months as their service is so bloody good and intuitive and for free. Over decade of categorized email history and incoming email filters...

Relevant HN discussion about this behavior 7 months ago: https://news.ycombinator.com/item?id=18090590

(I don't think this article is a dupe; current events have recontextualized the debate)

I find this curious because I have been repeatedly told by Google people on HN that Google stopped reading GMail years ago.

Yeah... it was maybe one and a half years ago I think?

But they stopped reading it for showing contextual ads.

They're still reading it to show you useful information across Google properties, like in Google Maps the location of the theater you bought tickets to see a play to tonight. Removing that would be removing a useful features that people liked (unlike the ads).

For the longest time the going claim was that Google had automated systems that used parsed data on your email only to serve ads on demand (in relation to the email(s) -- not following your around the net). That nothing was being logged/crawled, nothing was being ingested, etc. That seemed fairly innocuous and seems like a reasonable return.

But we learned over time that they're doing massive data trawling, in this case every purchase made. And as always there's a theoretical advantage...maybe in the future Google will identify when you can get something for less, etc. But the reward (much like the location of a theatre) is so tiny and abstract that if people had the choice most would say no thanks. Just as I don't need Google to tell me about my flights, I have much better alternatives for that. In each case the advantage is 99% for Google, 1% for the consumer, but it's coached in a "your advantage" pitch much like a Payday Loan company commercial that talks about how much they just want to help people out.

Google Maps on iOS a while back was seemingly irritated that I had its permission set to only see location while I have the app open. "But if you allow background logging we can tell you where you parked!" it whined. In return for giving Google the wholesale access to my location I would get this minuscule possible advantage. No thanks.

there's always a catch with these guys.

They also read emails to catch spam and phishing attempts.

true, but you don't have to read 100% of them to train the spam and phishing catchers. But you do need to read 100% of the emails, i.e. no sampling, if you want get a comprehensive purchase history of each gmail user--which they seem to have.

You have to read the incoming emails to filter them.

There's no way to know if the email you were sent is spam without looking at it, in some sense.

They also read emails to index them for search.

Ah, I misinterpreted this comment. At first I thought you meant "Search" as in the product. Of course you actually just meant searching your Gmail.

I downed you before but can't undo it now it seems. My apologies.

Even though email search can't find anything. Ridiculous coming from Google.

Really? I don't have a problem usually with gmail

I support the parent's comment.

I've had e-mail messages open in the GMail web interface that when I search for the words I can actually see on my screen come up with nothing.

What do you mean by "reading" here? How did you think, as an IT person, things like those nice flight displays in Inbox worked? The assistant delivery notifications? Some script had to read those, didn't it? Not to mention do spam classification?

Or did "reading" in your post mean that you think people actually read and manually type in those lists?

There were suggestions from Gmail that they had stopped attempting to parse the contents of emails a while ago.

Misleading suggestions, as they had stopped parsing them to attempt to generate adverts from the data they could gather there, but continued parsing for other purposes.

Maybe it's about ads targeting, but not for other purposes. How can it filter out spams without reading your mails?

Exactly what I wanted to write.

Just recently someone here said that mails are not screened/indexed for this purpose when I said: "If you are not paying for it, you are the product." They are not giving anything for free.

Since I was the person who said that, What I said, very specifically, is that they aren't screened for advertising. Which is true. As another user mentions, there's basically no mail service that doesn't "screen" your email. Spam classification is a form of screening.

The data used to show you upcoming flights and purchase info isn't used to advertise for you, its used to show (hopefully) useful reminders.

Maybe they were talking about GMail offered through GSuite?

You're confusing Gmail scanning incoming mail for generating relevant ads versus providing services on top (eg. spam filtering). They stopped the former, not the latter.

These stories have turned into click baits.

The data in question here is nothing compared to what your credit card company, bank, Amazon or TurboTax has.

Unlike many folks here I find value in this and can't see it harming my privacy. In fact I think Gmail is still dumb compared to what Google or maybe a startup could potentially provide.

I'd love to be able to ask a query such as "show me the receipt for that red flower pot I bought last year" or "show me all my dentist appointments this year".

The difference is that I know that the credit card company or Amazon is collecting my information because I'm directly involving them in the transaction.

I thought I had all my Google privacy settings at "paranoid", but I did not know this was even occurring.

Exactly how are you not involving Gmail when you set your transaction receipt email address to be your @gmail.com?

While I do understand the point that /purchases looks creepy, your comparison is dishonest.

I'm not involving gmail in the transaction because I didn't ask them to read the mail.

If gmail (and email in general) is going to make use of the "mail" analogy, that comes with the expectation that they do not open your mail.

Also how does an expectation of privacy from a communications platform amount to a "dishonest" comparison?

I think google has more context than Amex. They get the receipts, order summary emails, username/profile at the e-commerce site. Amex only gets a merchant, total and purchase date, and geo coordinates for physical swipes.

Amex might be still dumb compared to google, but they have very rich user profiles obtained via DMPS. Infact credit rating companies have vast amounts of data which they provide to these companies for free. The data includes your credit card payment, rating, payment history, credit score, loan/debt history, current debt, pending EMIs, defaulting list and so on.

Google is still trying to figure out exactly how much you earn. DMPs like Adobe's and Oracle's know the exact number and can help companies target people basis salary.

I agree. Unfortunately we are heading in the other direction with less and less useful stuff being possible because “data”

You're missing the point, and I would downvote you if I could.

Google is accumulating data coming from purchases on 3rd party services, without having asked you to do so. You may be fine with that, some people are not, and on top of that, disabling that behavior and deleting the already accumulated data is difficult, or impossible. That's what the article is about.

The ones I mentioned (cc card, bank, TurboTax, etc.) are all data on third party services too.

I don't know how banks in the US work. Do they give you "helpful messages" about what you can do with the stuff you bought at $shop?

Also, banks and credit card companies are highly regulated. Google is not. I guess it should be.

Just pay for Fastmail, I finally did it and its so nice. Easily worth the money.

A month ago I finally switched away from G Suite to FastMail and have been very happy. I also transferred my domains over to Gandi so I am basically Google free from a services perspective (with the exception of a Google account for YouTube subscriptions).

I have to say FastMail works really well on my Apple devices. iOS and macOS have worked perfectly so far for mail, calendar and contacts.

The only pain point was 'losing' my custom domain Google Account when I cancelled G Suite. Migrating mail, etc. wasn't an issue as FastMail has a pretty solid import tool. However one area that caught me out was export/import of my 800+ YouTube subscriptions (that number shocked me aswell).

Turns out YouTube has no such functionality so I ended up having to hack a semi-automated solution but even that wasn't straight forward as YouTube has limits on how many new subscriptions you can make in a ~6 hour window.

I wish Google had some kind of "convert my G Suite account into a consumer Google Account" function instead the moment you cancel the G Suite plan any accounts simply vanish and you then have to sign up again for a consumer Google Account. Quite the pain in the ass.

Anyway it is nice to be free from Google's core services and I am very impressed with how smooth migrating to FastMail has been. If anyone is thinking of doing the same and wants to know anything specific feel free to drop me an email, info in HN profile.

I'd be happy to switch away from https://domains.google but I'm loving the free, full Whois privacy protection. According to Gandi's Whois Privacy¹: "excluding your state, country, ... and the name of the company..." from the Whois privacy feature. I need full Whois privacy.

Do you have any other registrar suggestions?

¹: https://docs.gandi.net/en/domain_names/common_operations/who...

Namecheap recently started offering free whois privacy, I'm not sure 100% certain if it's full however. I believe it is

I have it! It sets the country to Panama and a generated e-mail which I guess just redirects stuff to my real address? I haven't bothered to check that. It's using whoisguard.com for the garbled email.

The domain is "thelittleshits.net" (I'm absolutely serious, I needed a domain for testing a deployment and couldn't come up with anything)

I admit I don't really pay much attention to my whois privacy outside of my name and direct contact details. I don't have issue with my country being listed for example so I don't have any other suggestions for you sorry.

I switched to AWS Route 53. At least for .com addresses it’s $3 more than google domains but gets (I believe) full Whois privacy.

Not all TLDs allow that anyway.

Cloudflare has full Whois and at-cost domains with their registrar.

Cloudflare is still to open up its registration service for new domain registrations. It allows (and has allowed) only transferring domains from another registrar since it launched nearly eight months ago. New registrations elsewhere also have a lock-in period before they can be transferred (usually 90 days I guess).

Namesilo has free whois privacy

I currently have an old G Suite account with my own domain, the problem you mentioned is the only thing holding me back. All my things (Docs, YouTube, Cloud, Analytics) are currently linked to that domain, if I were to delete it, I would lose everything from the past 5+ years.

Interesting anecdote about FastMail, I was previously C++ dev lead at a company with a large (1~2 mloc) legacy code base. Most of the C++ code was layers of mess but there was also a very well engineered core. One name consistently appeared in comments on these well engineered sections. Out of curiosity one day I decided to search LinkedIn and see if I could find the guy behind this shining light of engineering competence. Turns out he went on to found (/cofound -- not particularly sure of the details) Fastmail.

I find it very satisfying that a good engineer went on to succeed and would definitely trust the engineering competence of Fastmail.

email addresses need to be transferable like phone numbers, it was a mistake to tie them to a domain I think. Too big of a hassle to move email addresses.

Have you considered getting your own domain?

I have my own domain, but doing your own email is too hard. Can I use my domain email address with fastmail? Is it just a matter of setting up mx records? Will I be able to send/receive mail like normal without getting blocked by the big players?

Fastmail not only supports custom domains, they will handle your DNS as well, and they will automatically configure the MX records if you do that. Here are their docs about that: https://www.fastmail.com/help/receive/domains.html

In my experience: yes, yes, yes.

FWIW, it's not that big of a hassle: just set up email forwarding & have everything sent to your old gmail account sent to your new email, done.

Doesn't forwarding require going through the original provider? Can they still read the email? What if they shut down?

Sure, but you don't hand out your old email anymore, and really important things you can migrate as you see fit over time. I used to have a gmail address, and basically nobody uses it anymore (and if they do, it does get forwarded).

FastMail is an Australian company. With their encryption laws, I'd stay clear until they move all their staff and systems outside of Australia.

I want a service that can handle all my domain's traffic on a per domain per month basis instead of per user. PurelyMail is the only one like this that I've found but it's still in beta and the owner has been having some problems getting past Microsoft's spam filters.

Is there any service that will host my email with as many users as I want for a flat (or bandwidth/storage-based) fee?

If the owner is having trouble getting a hold of a human at Microsoft, feel free to point them my way and I'll help get this onto the Outlook team's desk. Details in my profile.

Migadu prices like this; all the mailboxes you want and just pay by daily sending limit. ($4/mo paid annually to send 100 mails a day, for example.) https://www.migadu.com/en/pricing.html

Or if you want to pay for one mailbox somewhere and then have customized forwarding, I found this thing called Forward Email in another thread that looks interesting and I want to try setting it up self-hosted: https://forwardemail.net/#/

Oh, neat: https://www.migadu.com/en/drawbacks.html

Huge props to any service that has an honest list of reasons not to use them. I'm a little concerned that one of those things is "no SLA", though; yes, mail delivery is resilient, but if I can't access email all the time I'm gonna be grumpy.

Unlisted disadvantages are that they do not allow sending with "From" other than primary mail address (which limits usage of catch-all domains) and I had to contact them multiple times to get responses.


Beware, Migadu's biggest drawback, which is not listed, is that customer service is non-existent. You contact them about some questions and wouldn't see any responses, not even an auto reply or a ticket. It looks as if it's run by two or three people who have day jobs and other things to take care of and that Migadu is just a hobby project. Email is way too important for me (and I believe for most people), since it's the key to many online services, to let it be served by someone who's not into it full time.

Look at https://mxroute.com/

They've come in handy for a couple of my colleagues.

I took a look at it and liked it (though it doesn't seem to expand much on privacy), but the service being situated and hosted in the U.S. is something I do not prefer at this point. I wish there were services like this outside the five eyes, nine eyes and fourteen eyes countries (I know Migadu the company is in Switzerland but has its servers in France, but it doesn't seem to have adequate staff or the intention to respond to people).

Additionally, mxroute does not seem to provide any trials. Its policies say that payment issues from the customer have to be resolved within 24 hours, but that refunds to the customer may take 72 hours. That seems unfriendly to me.

I second this! I've been with them for 2 years and they've been perfect.

+1 for Fastmail, great service.

I'd love to move over to FastMail, but I'm not sure that 100% of all my outgoing mails will land in people's primary inbox. I've heard Gmail sometimes marks non gmail (and even @google.com) emails as spam and its imperative for my emails send. Does anyone know if Fastmail is reliable?

If that is true and I've never noticed it as a problem with my gmail, it would be another reason to switch providers because you are missing emails from other people.

(Assuming that you are not talking about spam but actual important messages).

EDIT: Oh and as an anecdote I also have a FastMail account and as far as I can tell all my emails "land" on gmail accounts.

In that case, I'll probably switch over. Currently, I use ImprovMX with Gmail integration so I can send emails from my domain through gmail and have a catch all when receiving emails. Works well for free.

I really love Fastmail, just wish the search was better

(FastMail dev here) What problems do you find with the search? We have pretty comprehensive support for more or less everything Gmail search offers and more (https://www.fastmail.com/help/receive/search.html), but if we're falling short for your use case we'd love to know how, to help guide improvements for the future.

If you have 40 bucks and some time, try using fastmail with Postman. You're now locked to your mac, but search is amazing

I think you mean Postbox? The only Postman app I see is the API development tool.

Ok, but don't you get the same problem but now on Fastmail?

No, because 1) FastMail doesn't make money through advertising so they have no incentive to read your mail and 2) if you pay for an account with your own domain, you are not locked in, so if they start doing something you don't like, you can migrate away without telling all of your contacts to use some new address.

These benefits are broadly true of most paid-for private email hosting providers.

they have no incentive to read your mail

I'm sure they could sell that data (maybe even to Google) even if they don't sell ads themselves.

(I'm not saying they do read emails, but "more money" is a big incentive)

One thing though, customers like me use FastMail specifically because they aren't in the Privacy Farming business like Google.

If they ever do start privacy farming then I'll be incentivised to move my domain to a separate supplier.

If I didn't care about that I'd just be using Google's "free" service already. So FastMail are incentivised to protect their business and to not compete head on with Google.

They don't offer a free service, they offer a paid service, you are indeed the customer. They also don't have another service that even could pull the data from FM.

Ok, good point.

But then my flights don't automatically show up on my calendar, and my android phone can't notify me when a package is delivered.

Why would I pay for something that gives me an inferior experience?

Don't most email clients make it pretty easy to create calendar events based on the content of emails?

You have to do that yourself but personally I prefer being in control of that anyway.

How long does it take you to add a flight to your calendar manually? A few seconds? Is your privacy worth those few seconds?

I took 140 flights last year. I made a larger number than that of online purchases. Adding / tracking all that stuff manually is a pure waste of time.

Use TripIt then. Looks like you’re nitpicking on small reasons.

Okay, so share my email with another company (fastmail + tripit now), and use a separate calendar (unless it integrates with google calendar?)

I trust gmail's security more than tripit, thanks. I think I'd be more worried about the world learning of my trip history if I used tripit than if I used gmail for that.

And also, the average user does not care. They don't want to think about it even to the point of researching a service, they get used to their phone telling them they have a flight the next day, and they want that to keep happening. They don't think about how it works and if they did, "oh no my privacy" is not something they'd think afterward.

What loss of privacy? In both cases the contents of your email and stored on a disk and read into memory for processing.

I like fastmail and I take full advantage of it all- including the webhosting.

That's stupid. Fastmail still has your purchase data. It just doesn't tell you when purchases are arriving.

Please don't call people or their statements stupid.

It's not "stupid". Caring that your data is not being used to make opaque decisions in other products that you have no visibility or control over is something that people are allowed to care about.

When it's just an email can be deleted and when it is you don't have to wonder if it's purged from 10 other systems. That it's not showing you is what some people want, regardless of whether you do or not.

> Caring that your data is not being used to make opaque decisions in other products that you have no visibility or control over is something that people are allowed to care about.

Whether a product shows that data or not, it can still make those decisions if it has that data. Both Fastmail and Google have that data. It is certainly naive (if not stupid) to conflate data use with privacy and get suckered into spending money on that confusion. Data collection is what matters for privacy.

Are you advocating that every one take on the operational burden of running an email server after everyone takes on the mental burden of learning how to set up and configure a mail server and all the fiddly DNS bits theirselves?

No. I'm advocating that people understand that there is no difference in privacy between providing your email data to one company or another. They can then make their own decisions from there.

Can someone explain what the point of deleting a purchase is? The email is still there, the data is still there... how is this affecting what Google does with your data?

From a privacy point of view, there is no point at all in deleting the data. Assuming it was created from email, it can be re-created from email.

Google has said they do not use the info in advertising or sell it to anyone else. Either you think they're telling the truth or you don't.

If you think they're being truthful, there is no problem to solve here.

If you think they are lying, then you'd be stupid to assume they won't recompute the data secretly without telling you.

Either way, deleting the copy of the data that you can view accomplishes nothing.

If there is no point then why does Google allow you to do it?

Reduce clutter? Maybe you want to only remove some but not others?

Let me turn the tables on you -- why doesn't Google have a button to delete all of them at once?

A guess: They build a model of you as a customer. If you delete some information step by step then you possibly start with what bothers you most. So you do the data cleaning for them and train their algorithms. Not to mention that deletion is most likely just "hide this".

You can easily delete purchases here:


However, I have a feeling that removing your Google history doesn't actually remove it, just prevents you from seeing it.

Just for the fun of it, I figured I'd try to log in and see if Google has any info on stuff I've purchased.

I'm over VPN so they insist this device isn't recognized (even though I've signed in from this exact machine, over this exact VPN connection, last week). Google helpfully offers to send me a security code over the phone.

Even better, though, it has a "Can't use your phone?" option. You know what happens if you click that option?

It takes you to a screen that says "You're trying to sign in on a device Google doesn't recognize. For your security, use your phone to show it's you signing in and not a hacker." and the only option on that screen is "Go back & use phone."

I think there's a joke about how to understand recursion here but I can't quite put my finger on it yet.

I'd recommend removing your phone from here, and setting up 2-Step verification instead:


Now imagine you are one of those Googlers with a PhD hoping to change the world for the better and your PM asks you to work on those screens you mentioned...

You can delete them one by one, but is there any way to delete them all, or turn off this tracking?

It doesn't let me delete them without deleting the emails.

Google has gotten to the point where it creeps me out. I've switched away from Chrome. I don't use their search engine unless I can't find the results on Bing or DuckDuckGo.

I don't know if it's going to get to the point where it hurts their business (I'm just one person), but I'm to the point that targeted advertising is a really good way to make me not want to buy a product.

I second this. Try DuckDuckGo + FastMail and (Safari + Wipr extension for an advertisement free WWW)

I too switched away after being a lifetime Google Advocate: Android, Chromebook, GCP, Linux + Chrome and many, many of their products. Honestly, I don't care about privacy that much I'm just sick and tired of how good Google became at distracting me! Never mind the ads and how I had to use incognito search for anything because if I searched something (e.g. buying a monitor) google keeps suggesting similar stuff to get my attention or suggesting articles on the homepage of Chrome (mostly android).

What was once a simple beautiful tool to find answers, fast. became part of every aspect of my life, trying to get more and more of my attention/time.

Time is gold. Google lost respect for my time and I lost respect for Google.

Agreed, and a quick shout to migadu.com for email. I’m a long time happy Fastmail customer but Migadu’s offering is interesting and different enough to have a look at.

I’ve been hiding my time with Gmail. Planning my exit.

Fastmail is a leading contender, but thanks for posting Migadu. It does sound interesting.

They offer a lot for a low price, but I wonder how?

I’m intrigued!

> They offer a lot for a low price, but I wonder how?

They don't respond to queries or requests. I presume that's how. To avoid repeating my comments too many times, let me suggest looking at my other comments on this post.

Couldn't disagree more. I've mailed them twice and had a personal response within a few hours.

That’s good to hear. But I haven’t had the luck to hear back from them. So my guess is still that it’s a tiny team with many other priorities than this platform, and so misses responding or acting many a times.

> I don't use their search engine unless I can't find the results on Bing or DuckDuckGo.

Yeah but you still click the link to go to those sites in the search result, right?

I would love to leave gmail but two things hold me back:

1. Archive export. This is the main thing, I've got a 15 year record of emails and now and then being able to search back to something that happened 5-10 years ago is a life-saver. Is there even a way to export your gmail archive?

2. What to replace it with? I've heard FastMail is a good alternative, and some people really like ProtonMail, but I've had a hard time evaluating services because it's not a trivial thing to set up and use an alternative email account, and I'm not sure what other than real daily use would be a valid test run.

1. For export, takeout.google.com lets you export your emails in mbox format. https://support.google.com/accounts/answer/3024190

Third-party email services may also have flows for importing email from GMail, for example Microsoft Office 365:


> Is there even a way to export your gmail archive?

1. Use Google Takeout to download your emails as MBOX

2. Download your emails over SMTP or POP using an email client and import them into another email account. I believe Thunderbird can do this.

3. If you're switching to FastMail they have a import tool based on SMTP.

I switched to Fastmail in January and it's been a good experience.

It even has a link in the setup that imports your existing messages from GMail.

I still have a couple of GMail accounts, and am surprised to report that in the last month, GMail has been getting more spam than Fastmail.

Fastmail also has far fewer false positives.

I recommend trying it. You can always switch bad.

I'm surprised that you're the only one talking about ProtonMail, given its inclusion on https://privacyheroes.io/.

This information is also scraped and sold by unscrupulous companies that you give access to your email.

If you’ve ever let a service scrape your inbox for travel itineraries they probably read all your email ever and sold that information. Surprise!

I use all my mail through G Suite on a domain I own through a third party registrar.

I logged into the link provided in the article and got a message “You don't have any purchases”.

Maybe this feature isn’t available to me since I’m a G Suite user rather than a gmail user? I actually wouldn’t mind having this feature available, although I do keep google’s location history disabled.

I think this is because Google just doesn't do a lot of the data scraping in G Suite accounts that it does in gmail accounts. So I think it just doesn't have any stored "purchases" to show, rather the fact that the purchase interface doesn't work.

I say this based on information I've read in the past about how G Suite / Google Apps accounts are treated. I hope this is the case, but am certainly not sure about it.

It looks like it's just not very good at scraping my mail for purchases (which would be surprising) or it's just not showing me all of them.

I have a junk Gmail account that I sign up for everything with - retail store loyalty programs, accounts on various retail websites, etc etc. I have had the address for 6+ years and it thinks I've only bought 7 things - some concert tickets, a pair of gloves, and a pair of shoes.

I can confirm it's not enabled (at least by default) for G Suite. I have email pass through a g suite account into a personal email account (so both accounts will see it) and the g suite account has no purchases history while the personal account has full history accurate up until yesterday.

I have both a G Suite email and regular @gmail.com address. I noted the same behavior you did. My custom domain no purchase history. Under gmail.com purchase history. Not sure if it can be enabled.

Sometimes Google seems totally unaware of why people might find this stuff discomforting.

They are absolutely aware. They banned my dev play account because few competitors reported as similar app and there is no human to view my case.

They just stopped giving a shit. Funny, how all the senators talk about breaking up Facebook when Google is 100x bigger and 100x monopolistic.

Break up Google. And unban my account in the process ;)

It's always amusing how people are shocked when stuff like are discovered, although Gmail is designed to serve those kind of things. This is a free service, and as a free service they have to make money with something. I don't see any problem with that. If you don't want this, don't use Gmail, there are lots of available alternatives.

Just setup your own mail server using mailcow for example. Pretty easy and awesome for privacy. I did it too: https://jlelse.blog/thoughts/2019/mail-server/

Same thing for your flights/hotel reservations btw via myaccount.google.com/reservations

They own up to this practice--albeit not the top link, at least for me.


I wish it was just the things I buy. All my Ebay sales and purchases get confirmation to my Google email, all bank reports come via email, and my doctor too uses a service to send my prescriptions to my gmail address. Recently someone at that service changed the way they operate so now I receive a link where I have to put my equivalent of SSN to download the prescriptions, so data theft while absolutely possible, in this case has to be deliberate. Still, the amount of personal information available for mining to Google and others is plain scary: I've seen with these eyes lawyers sending photos of sensitive documentation via Facebook or Whatsapp; that's even beyond stupid.

I don't understand why people don't have a problem trusting Google with all their information (as is the case if you use Gmail).

Even if you ignore the privacy implications and the fact that it's a company whose business is to target ads, there is still incompetence. Case in point: my YouTube history regularly gets mixed with somebody else's. I get videos watched by a child that likes Masha and the Bear and Peppa the Pig. Reported to YouTube a number of times, they seemingly ignored it and don't care.

I turned off my history, but I still get recommendations for Masha and the Bear.

Now, that purchase history of yours, who else gets to see it?

Look at the difference between the emails you get from amazon today when you make a purchase, and several years ago.

Today, this is what shows up: https://imgur.com/UF2YBVa

5-6 years ago, here's what it looked like: https://imgur.com/lBWWkin

Honestly, amazon has so much information about what I buy and why I buy it, I'm a little upset that I can't get these data from any retailer I shop at and import it into some software where I can actually look at what the trends are.

I routinely revise my Google privacy settings across a bunch of different pages and I was totally unaware they tracked purchases by scanning email in Gmail. I don't see the value this offers to customers but I see why harvesting rich e-commerce data makes sense to Google.

I can see some value for those who want someone to automatically track what they buy. That may be useful for records, or reorders, or whatever.

Seems likely to be useful for Google too in the way you describe, although it isn't clear to me how Google uses it.

Sure, maybe it could be useful. But why is it hidden where no one knows it's there to be used?

well I went and looked at it and realized I don't really buy very much online at all, but I was thinking - what about the invoices I send out - they should have that organized somewhere too.

I smell a new service for backing up and then deleting the emails for you

Does Google really delete the full emails when you delete them? For example, if they used the content of an email to generate a profile to show you ads, do they reverse the process when you delete that email?

At least part of your Google ad profile is editable:


Gmail was never used to serve ads outside of gmail. The use of email to serve ads was stopped in 2017. https://www.nytimes.com/2017/06/23/technology/gmail-ads.html

I'd be interested to know if that is the case, perhaps someone can test it somehow.

Even following the steps in the article, provided by Google, it is impossible to delete purchase history.

The only way to do it is to go to each individual email that Purchases uses as a source and delete them from Gmail. I did it as part of moving all of that to FastMail, personally.

Is there a list or mind map anywhere of all of the nefarious things google does? Most people reading this forum can spend the next three days talking about all the evil shit google does and Not even run out of things to say.

They host your emails that is where this data comes from, if you don't like that then delete said emails.

The media's modus operandi is to try and implicate tech companies with supposed violations whether it's justified or not, they will gain clicks and tarnish the reputation of a hated competitor, there are no drawbacks, they also keep perpetuating the notion that utility and invention must be sacrificed on the privacy altar.

They host your emails that is where this data comes from, if you don't like that then delete said emails.

Deleting emails is no solution - Google has already scanned the email by the time it shows up in your mailbox.

Why do people care about this :)?

Wow next you're going to say my bank and credit card company tracks my purchases, too? Scary!

It's worth asking "why" companies would do these things.

A credit card company can legitimately use fraud detection as a reason for looking at purchases. They can upsell budgeting software as another legit option people would accept.

Why would Google be tracking this information? What use is it for them if they truely not doing it for ads?

I was oddly reminded of the Selfish Ledger video that was leaked from Google... https://www.theverge.com/2018/5/17/17344250/google-x-selfish...

From PBS Frontline's "United States Of Secrets" (part 2)[1]:

    LIZ FIGUEROA, (D) State Senator, CA, 1998-06: We walk into this room, and it’s myself
    and two of my staff— my chief of staff and one of my attorneys. And across from us
    was Larry, Sergey, and their attorney.

    All of a sudden, Sergey started talking to me. He said, “Senator, how would you feel
    if a robot went into your home and read your diary and read your financial records,
    read your love letters, read everything, but before leaving the house, it imploded?”
    And he said, “That’s not violating privacy.”

    I immediately said, “Of course it is. Yes, it is.” And he said, “No, it isn’t.
    Nothing’s kept. Nobody knows about it.” I said, “That robot has read everything.
    Does that robot know if I’m sad or if I’m feeling fear, or what’s happening?”
    And he looked at me and he said, “Oh, no. That robot knows a lot more than that.”
If the robot really imploded without any benefit to Google, why were they paying to manufacture use it?

If Google truly doesn't use the purchasing data to sell ads, why did they pay their expensive engineers to develop the tools to extract the data from email receipts?

[1] https://www.pbs.org/wgbh/frontline/film/united-states-of-sec...

Simple: if you use the Google assistant, you get notifications about packages and flights. Flights get added to your calendar automatically, and other such niceties (for example, I get notified when I have a credit card payment due). A lot of people find this useful.

An ecosystem with useful features leads to profitability without any sort of malice, like people buying Android (or pixel) phones, or google homes, or whatever.

Consider this, Google is focused on maximizing profitability and most features people don't pay for. How does that work? Who are the paying customers, how does Google maximize income from them, and how does it impact the non-paying users?

Wow, you're saying I the customer may have opinions regarding my chosen vendor's policies, and may choose to stop using that vendor based on new information that I learn? Crazy!

Next I might consider leaving my bank if I don't like their customer service or finding a new credit card company if I dislike their rates. Sounds crazy I know!

Sometimes people even use this 'Internet' thing to share information and opinions regarding various companies' policies- and buyers in a free market may make new purchase or signup decisions based on this free exchange of information, which is exactly what the author has done here. Yowza!

Legitimately cannot understand this argument of 'how dare you have opinions and share information on the Internet about a company'. Is Google supposed to be above reproach or something? What is your argument? Because of Google's privacy policies I have chosen to stop using Gmail. I don't think they're evil and I'm not anti-capitalist, I just disagree with the inherent privacy tradeoff- the market at work. (And if they track me even when I'm not a user, then I think regulation should address that)

If you delete your history from Google, it only means that you aren't able to see it anymore in your account... Google keeps everything.

Do you have a source for that?

It's interesting to me that whenever someone responds that Gmail scans mail for advertising several google employees show up to fall all over themselves to deny it. But if you mention retention you get silence.

I wouldn't be too shocked if no single human actually knows what the real retention behavior is for gmail.

>It's interesting to me that whenever someone responds that Gmail scans mail for advertising several google employees show up to fall all over themselves to deny it. But if you mention retention you get silence.

You're not looking hard enough.


Good find, though I do tend to doubt mere company employee claims (lying is endemic to every corporation I've known from inside). In any case the user making the claim you link to came from a throwaway login.

I'm skeptical of company claims on Hacker News as well. But it met the condition described by the parent poster, and really has no more or less veracity than any other anonymous comment.

True enough

Agree. And, yes, secrecy breeds suspicion. We should be suspicious of secretive organisations. But statements of fact go beyond suspicion, and surely require a basis in evidence.

Wow, that never showed up in any privacy setting. Google is so evil.

Is there any way other than deleting the account from stopping this?

It says I have to delete the mails to delete the data, but I have already deleted the mails (as I usually do) and the data is still there! Including information like flights and purchases.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact