Scitech school

Rethinking privacy of email

Scitech Report

10 May, 2021 12:00 AM printer

Rethinking privacy of email

Most people are aware of the cookies that track them across the web, and the privacy-invading practices of Google search, but did you know Google’s email service, Gmail, collects large amounts of data too?

This was recently put into stark focus for iPhone users when Gmail published its app ‘privacy label’ – a self-declared breakdown of the data it collects and shares with advertisers as part of a new stipulation on the Apple App Store.

According to the label, those that grant the appropriate permission to the iOS Gmail app can expect Google to share information including their approximate location, user ID – an identifier used to anonymously track them – and data about the ads they have viewed online with advertisers. More data is used for analytics – in Google’s words, ‘to build better services’ – including purchase history, location, email address, photos and search history.

Gmail is by far the most popular email service, with more than 1.5 billion active users, compared with 400 million using Microsoft Outlook and 225 million signed up to Yahoo Mail.

Although Google stopped scanning email content to tailor ads in 2017, last year the company started showing shopping ads in Gmail. And it still scans emails to facilitate so-called smart features such as the ability to add holiday bookings or deliveries straight to your calendar, or to autocomplete suggestions.

Every way you interact with your Gmail account can be monitored, such as the dates and times you email at, who you are talking to, and topics you choose to email about, says Rowenna Fielding, founder of privacy consultancy Miss IG Geek.

 “Gmail becomes a window into your entire online life because of how wide and deep their surveillance architecture goes,” Fielding says. “Practically everything you do online will feed back to Google.”

Google claims none of the data collected from scanning emails for purchase information, delivery tracking numbers and flight bookings is used for advertising, but as Andy Yen, founder and CEO of secure email service ProtonMail says: “It remains a fact that Google keeps a record of these events and logs them regardless.”

Part of the problem is a lack of regulatory enforcement around email data collection and tracking. Most people are becoming aware of tracking as they visit websites due to regulation such as the EU’s ePrivacy Directive and the General Data Protection Regulation (GDPR).

“People are aware of cookies because of privacy and data protection law – which states that planting trackers on your device requires your consent, and you have the right to be told about what is happening to your data,” says Fielding. “In Europe, those protections cover email tracking as well, but there hasn’t been much enforcement in this area.”

Other mainstream email providers aren’t much more private. Like Gmail, Microsoft’s Outlook is embedded in the firm’s ecosystem and integrated with its other services. “Any mainstream, consumer-level account is only free in that you don’t pay it with money, but with data,” Fielding says. “Microsoft says it doesn’t look at the content of emails in Outlook to serve you ads, but it is open about collecting and using metadata about user activity across all of its services for advertising.”

Gmail is also the most hefty data collector, says Yen. He says the iOS privacy labels illustrate the “stark difference” in approach to data collection between the Gmail app and other email providers. “Outlook and Yahoo gather far more than they need, but even they don’t go as far as Gmail by collecting location data and purchase history.”

It’s often said by privacy experts that if you don’t pay for the product, you are the product, and when it comes to Google this is “undeniably the case”, says Yen. “Google’s business model is based on monetising the data it gathers from users, predominantly to sell it to Google’s real customers – advertisers… Gmail forms one part of that data-gathering infrastructure.”

Yet while it’s true that Google is absorbing your data, Jon Callas, director of technology projects at the US-based privacy advocate Electronic Frontier Foundation, says the most invasive tracking comes via email marketers, not the service providers.

These types of emails – from businesses offering products and services – can be monitored by the sender, whether you knowingly signed up or not. Data sent back to email marketers includes whether you’ve opened the email, how long for, and which links you’ve clicked on.