DAVEY WINDER
How secure is Gmail? Davey details the practical steps you should take, before explaining how to block email marketing trackers
This month I’m concentrating on one of the many pieces of reader feedback that reach me across multiple platforms. One of those platforms, ironically, being Gmail.
I say ironically as the reader in question wanted to know my opinion on just how secure the service was for personal use. Addressing that security question is easy: it’s as secure as the steps you take to secure your Google account, and your awareness of incoming risk, allow. The secondary question, which was how private it is, is somewhat more complicated and I’ll come to that momentarily.
For most people, Google account security comes down to two things. First, ensure you have a unique and strong password. As I always say at this point, a password manager is your friend here, both in creating that password and when required to use it. Second, switch two-factor authentication (2FA) on. I’d like to think that this was a given, but I’d be wrong. Very wrong.
I know it’s not Google, but Twitter recently published a transparency report (pcpro.link/325twit) that revealed only 2.3% of active accounts have 2FA enabled, and of those users the vast majority were employing SMS-based 2FA. That’s the least secure option, but still better than nothing for most people most of the time. Hardly anyone, 0.5%, was using a hardware security key, while under a third (30.9%) of responders used an authenticator app.
Back to Google, which also offers multiple types of secondary verification factors. You can find them in your Google account under security… well, duh. The first is by voice or text message, which I don’t recommend as it’s the easiest option for a threat actor to overcome thanks to the relative simplicity of a SIM-swap attack on your smartphone account. Again, I stress it’s better than nothing and most people won’t enter the threat radar where such an attack is likely anyway.
Better, though, are options two and three. Google prompts that are sent to another device you’re signed in on, so your phone if using a laptop, a tablet if using your phone. This avoids the SIM-swap vulnerability by requiring an attacker to be in possession of, and have access to, that device. And, of course, the use of authentication codes churned out by an app such as Google Authenticator, or my preferred option of Authy.
I recommend using both: one as your default and the other for those times when that option isn’t available to you for whatever reason. You will also get a set of ten-digit single-use codes that you can store somewhere safe as another backup for signing into your account in an emergency.
The final option is the most secure, but can be expensive and more intrusive on the user experience: a security key. These keys are either of the hardware variety, such as a YubiKey (starting from around £25) or Google’s own Titan key (£30), but can also come built into your smartphone. The use of a security key is mandatory if you are enrolled in the Advanced Protection program at Google, for accounts that are at a greater risk of targeted attack.
Google also announced in the spring of this year that it was going to start rolling out automatic 2FA enrolment to all users. The initial rollout, I was told by Google’s director of product management, Mark Risher, will only be for those whose accounts already have the appropriate configuration in terms of account recovery information, so as to not lock anyone out accidentally. This won’t be mandatory, there will be an opt-out option, but it’s another good security move in my opinion.
Consider how the Google ecosystem wraps multiple aspects of your online life – email, web, personal assistants, the list goes on – and that means access to your core account is a highly prized target for cybercriminals. Access to your Google account gives access to Gmail, which gives access to password resets, which gives access to, well, almost everything these days.
It’s a good idea to perform a security check-up regularly, and Google makes that easy. Just visit the security section under manage your account: myaccount.google.com/security-checkup. This lets you remove account access from nonessential apps. You should also, for completeness, always keep your OS, browsers, and apps up to date and remove any browser extensions and apps you no longer use.
The privacy issue
Insecurity can, then, be mitigated by getting the security basics right. But what about the privacy issue? There’s a reason that Gmail is the biggest email service, with an estimated 1.5 billion users that eclipses the likes of Microsoft Outlook. That reason isn’t the expectation of absolute privacy. Rather, people appreciate the ease of use and the value that the whole Google ecosystem delivers in terms of functionality, particularly the highly personalised and cross-application functionality.
Let’s be clear: I’m talking about the consumer side of the fence and not business suite users. Consumers want what Google delivers, and appreciate the delivery of those features free of charge. Apart from that adage about when a service is free, you’re no longer the customer but the product.
Which brings me back to the original reader question, because they genuinely seemed somewhat surprised by the privacy label detail published by Google for the Gmail app on the iOS platform. And not pleasantly surprised, I should add. “Why does Gmail need to share my location, approximate or not?” they asked, adding “and what about sharing my user ID?” in those iPhone app privacy declarations. These IDs “may be” used for third-party advertising, analytics and functionality. The list is far more extensive than that, especially when it comes to analytic use, including purchase history, device ID, user data (product interaction) and, of most concern to our reader, user content including photos, videos, audio, customer support and a somewhat catch-all category of “other” content.
I suspect that this will come as a surprise to many users, given that there was a quite high-profile hoo-ha a few years back when it was discovered that Gmail content was being scanned to personalise advertising. That scanning was stopped in 2017. Yet scanning does continue to deliver the smart functionality that is one of the big draws for users. Magic spells are used when adding delivery confirmation email data to Google Calendar after all.
So, how worried should you be? That depends on your aversion to the collection of such data and the importance of the functionality it enables. Google will say, rightly, that what it collects is mostly metadata more than anything. What’s more, Google will also assure users that, for example, the data found from those automated email scans isn’t used for advertising purposes. According to a June 2020 blog post (pcpro.link/325sundar) from Google CEO, Sundar Pichai, “we don’t sell your information to anyone, and we don’t use information in apps where you primarily store personal content – such as Gmail, Drive, Calendar and Photos – for advertising purposes, period”.
Moving to another email provider may not be the answer you’re looking for either, as metadata collection and user activity data are employed by the likes of other highly integrated options such as Microsoft. Sure, there are niche providers that will be privacy-focused, but you lose the type of cross-application functionality and seamless ease of use that drove you towards Gmail in the first place.
Email beacons
I’m going to stick my neck out, which could be painful, not just courtesy of the spinal surgery I’m recovering from but also as it isn’t a popular opinion: Google isn’t necessarily the privacy pantomime baddie here when it comes to email privacy and tracking. I’m more concerned with the “hidden” surveillance, the highly intrusive tracking, that goes on in most any email client, because it’s there in the emails themselves and perpetrated by the sender not the host provider.
Email marketing is a big business, and not just from the commercially corrupt spamming side of the fence. Legitimate senders, businesses whose newsletters you subscribe to, will often include hidden tracking beacons. Beacons that can inform the sender if and when you’ve opened the email, for example.
I’ve heard many talk about these beacons also giving away your location, or at least a general idea of it, through your IP address. But, quite apart from IPs often just revealing an ISP nowhere near you, or obfuscated by use of a VPN, Google has been serving all email images using its own proxies for years now, so I’m not convinced there’s anything to see here for most people.
But it doesn’t stop at beacons: you must throw in the equally commonly used link-tracking tactic, which will also report back to the sender. While this data may seem irrelevant to many folks, it’s data that you likely aren’t knowingly providing to someone who may use it for targeted advertising.
So, what can you do about it? I’m going to stick with Gmail specifically, seeing as that’s what kicked this whole privacy ball off, but the same or similar approaches will be available for other email clients. Dealing with this kind of tracking varies depending on how it is being achieved, and more often than not that’s going to be the use of a single-pixel beacon that’s loaded as a remote image. That pixel will be, for all intents and purposes, invisible to the recipient.
The simplest way of blocking these trackers is to head into your Gmail account settings and scroll down until you hit the images options. Ensure you have “ask before displaying external images” toggled on and those single-pixel beacons won’t load. Nor will any other remote image, which means emails may look a tad sparse.
That said, you can display those images on an email-by-email basis, as you’ll see an option at the top of the email message to display the images either just for this email or for all emails from that sender. At least this way you’re in control of where you place your trust. That’s more than can be said for some email alternatives whose clients, such as when accessing email via the browser, provide no such option to disable all external images like this.
There’s a new option coming later in the year, from DuckDuckGo, which is launching an email protection service that will strip emails of these trackers before you get them. I’m on the waiting list for when the service starts rolling out, but it requires a new @duck.com email address to work; that could be enough to prevent bulk take-up, as people are averse to changing address. As an iOS user, you could simply use Apple Mail to read your Gmail, as this also provides such tracking protection.
What neither will help with, as far as I can determine, is the link-clicking tracking problem. For that, the advice is to never click on links in email in the first place, which covers the security angle as well. Other than that, you’ll need to use a privacy extension for your web browser. I’d be happy to hear from readers of solutions to click-tracking for mobile users that have been tried and tested, but for my desktop browser I use uBlock Origin. In the extension settings, head for the privacy section and tick the “disable hyperlink auditing” option.
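To see what the single-pixel beacons, tracked links and hyperlink auditing described above look like inside a message, here is an added example (not part of the original column) that audits an HTML email body offline. The sample newsletter and its hosts are constructed, and the "tiny or hidden image" and "URL inside the query string" rules are assumed heuristics rather than what Gmail, Apple Mail or uBlock Origin actually apply.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample newsletter body; hosts are reserved example domains.
SAMPLE_HTML = """<html><body>
<p><a href="https://click.example.net/r?u=https%3A%2F%2Fshop.example.com%2Fsale"
      ping="https://audit.example.net/p">See the sale</a></p>
<img src="https://shop.example.com/banner.png" width="600" height="200">
<img src="https://open.example.net/o.gif?rcpt=abc123" width="1" height="1">
<img src="https://open.example.net/o2.gif" style="display: none">
<img src="cid:logo@local" width="1" height="1">
</body></html>"""

def is_remote(url):
    # Only http(s) fetches reach the sender; cid:/data: images are embedded.
    return urlparse(url).scheme in ("http", "https")

class TrackerAudit(HTMLParser):
    """Collects likely open-tracking beacons, redirect links and ping URLs."""
    def __init__(self):
        super().__init__()
        self.beacons, self.redirect_links, self.pings = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and is_remote(a.get("src", "")):
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            style = a.get("style", "").replace(" ", "").lower()
            if tiny or "display:none" in style:
                self.beacons.append(a["src"])
        elif tag == "a":
            # ping= is the hyperlink-auditing attribute: URLs notified on click.
            self.pings.extend(a.get("ping", "").split())
            href = a.get("href", "")
            # Heuristic (assumption): a query string carrying another full URL
            # means the click is routed through a tracking redirector first.
            if is_remote(href) and "://" in unquote(urlparse(href).query):
                self.redirect_links.append(href)

def audit(html):
    parser = TrackerAudit()
    parser.feed(html)
    parser.close()
    return {"beacons": parser.beacons,
            "redirect_links": parser.redirect_links,
            "pings": parser.pings}

if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
```

The visible banner and the embedded `cid:` logo are left alone, which is why blocking every external image is blunter than it needs to be but also the only setting that does not depend on guessing which image is the beacon.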