Google Reads Your Gmail to Track Your Purchases and Financial Information

by Meghan Graham edited by O Society July 6, 2019

Google uses Gmail to track a history of things you buy — and it’s hard to delete

  • Google saves years of information on purchases you’ve made, even outside Google, and pulls this information from Gmail.
  • It’s complicated to delete this private information, and options to turn it off are hidden in privacy settings.
  • Google says it doesn’t use this information to sell you ads.
Sundar Pichai, chief executive officer of Google, is sworn in during a House Judiciary Committee hearing in Washington, D.C., U.S., on Tuesday, Dec. 11, 2018.
Andrew Harrer | Bloomberg | Getty Images

Google tracks a lot of what you buy, even if you purchased it elsewhere, like in a store or from Amazon.

Last week, CEO Sundar Pichai wrote a New York Times op-ed that said “privacy cannot be a luxury good.” But behind the scenes, Google is still collecting a lot of personal information from the services you use, such as Gmail, and some of it can’t be easily deleted.

A page called “Purchases” shows an accurate list of many — though not all — of the things I’ve bought dating back to at least 2012. I made these purchases using online services or apps such as Amazon, DoorDash or Seamless, or in stores such as Macy’s, but never directly through Google.

But because the digital receipts went to my Gmail account, Google has a list of info about my buying habits.

Google even knows about things I long forgot I’d purchased, like dress shoes I bought inside a Macy’s store on Sept. 14, 2015. It also knows:

  • I ordered a Philly cheesesteak on a hoagie roll with Cheez Whiz and banana peppers on Jan. 14, 2016.
  • I reloaded my Starbucks card in November 2014.
  • I bought a new Kindle on Dec. 18, 2013, from Amazon.
  • I bought “Solo: A Star Wars Story” from iTunes on Sept. 14, 2018.

And so on.

Take a look at this sample, which covers some things I bought within the last week:

A list of my purchases Google pulled in from Gmail.
Todd Haselton | CNBC

Go here to see your own: http://myaccount.google.com/purchases.

“To help you easily view and keep track of your purchases, bookings and subscriptions in one place, we’ve created a private destination that can only be seen by you,” a Google spokesperson told CNBC. “You can delete this information at any time. We don’t use any information from your Gmail messages to serve you ads, and that includes the email receipts and confirmations shown on the Purchase page.”

But there isn’t an easy way to remove all of this. You can delete all the receipts in your Gmail inbox and archived messages. But, if you’re like me, you might save receipts in Gmail in case you need them later for returns. There is no way to delete them from Purchases without also deleting them from Gmail — when you click on the “Delete” option in Purchases, it simply guides you back to the Gmail message.

You need to delete each purchase manually from Gmail to get rid of it.
Todd Haselton | CNBC

Google’s privacy page says that only you can view your purchases. But it says “Information about your orders may also be saved with your activity in other Google services” and that you can see and delete this information on a separate “My Activity” page.

Except you can’t. Google’s activity controls page doesn’t give you any ability to manage the data it stores on Purchases.

Google told CNBC you can turn off the tracking entirely, but you have to go to another page for search setting preferences. However, when CNBC tried this, it didn’t work — there was no such option to fully turn off the tracking. It’s weird this isn’t front and center on Google’s new privacy pages or even in Google’s privacy checkup feature.

Google says it doesn’t use your Gmail to show you ads and promises it “does not sell your personal information, which includes your Gmail and Google Account information,” and does “not share your personal information with advertisers, unless you have asked us to.”

But, for reasons that still aren’t clear, it’s pulling that information out of your Gmail and dumping it into a “Purchases” page most people don’t seem to know exists. Even if it’s not being used for ads, there’s no clear reason why Google would need to track years of purchases and make it hard to delete that information. Google says it’s looking into simplifying its settings to make them easier to control, however.

Google’s Gmail scans, parses, analyzes and catalogs your email

by Mark Jeftovic edited by O Society July 6, 2019

Recently I came across this story by Todd Haselton that describes how the author located an obscure “purchases” page in his Google account settings and there found a methodical list of his online purchasing history, from third-party outside vendors, going back to 2012.

The upshot of the story was that:

  • Google saves years of information on purchases you’ve made, even outside Google, and pulls this information from Gmail.
  • It’s complicated to delete this private information, and options to turn it off are hidden in privacy settings.
  • Google says it doesn’t use this information to sell you ads.

Naturally, I flagged this story for the next edition of our #AxisOfEasy newsletter. Haselton reports that it isn’t easy to locate and delete this information, nor is there a straightforward path to find it in your privacy settings to disable this behaviour.

This can’t be true (can it?)

The more I thought about this the more I thought “this can’t be true”. I apologize for doubting Haselton, but I thought he had to have it wrong, that maybe he had a stored credit card in his browser that he had forgotten or something, because the ramifications, if true, are dire.

First, it means that in order to isolate and parse purchases, Google must then be scanning every email, otherwise, how would they know what’s a purchase and what isn’t?

Further, if they were scanning every email for purchases, what else were they scanning for? Either now, or in the future? The important mechanism, the infrastructure and methodology to scan and parse every inbound email, is clearly in place and operational now; adding additional criteria is just a matter of tweaking the parameters.

Then, there is the matter that Google is doing this without informing their users. We can probably wager that there is buried down the rabbit hole of the ToS some clause that alludes to the possibility that Google reserves the right from time to time (including all the time) to do something or another with your email that may or may not involve machine reading it and dissecting it for your behavioural patterns; none of us have ever read it.

More importantly, it didn’t require an explicit opt-in to fire it up.

[ As a belated aside – everybody in tech already knew that the point of Gmail was it was free, and they would scan the contents to target ads. At some point I think they may have announced that they stopped doing that, I can’t remember. But the vast majority of normies (defined as people who don’t dream in XML), don’t realize this, or haven’t given it much thought. However this, parsing out financial transaction data specifically, takes it to a new level.]

I’ve personally verified this is happening

As I said, I initially thought that Haselton had perhaps stored credit cards in his Chrome browser and his purchase history was being populated from that. I still couldn’t believe that Google was in essence reading your email and cataloging your purchases on its own.

My Google purchases page existed, but was empty. To test it, I configured my Gmail account (which I barely use, for anything other than Google news alerts) to receive any email from my Amazon account. None of my web browsers have any credit cards stored. Then I went and picked up a new audiobook.

Sure enough…within seconds, my heretofore empty purchases page, suddenly had an entry:

Hovering over the “info” icon anticipates the question, how did this get here?

And so we click to find out…

We get it from Google’s mouth:

“This purchase was found in your Gmail” (emphasis added, because properly rendered it should read “We found this financial transaction sifting through your email”).

Why this is problematic

Before this revelation, I was already habitually remarking how it simply astounded me whenever I came across a law firm, or an investment fund, or medical professional, or financial services firm, or any outfit that routinely carries out proprietary or confidential communications (you know them by the typical disclaimer they append to every single email they send):

“This email and any accompanying attachments contain confidential information intended only for the individual or entity named above. Any dissemination or action taken in reliance on this email or attachments by anyone other than the intended recipient is strictly prohibited.”

…and find they’re using Gmail? Yikes. Those disclaimers should be modified to read:

“This firm’s email and all accompanying attachments and any of your replies to us will be scanned, parsed and analyzed by our email provider. Hope you’re cool with that.”

Because that’s what’s actually happening. Here’s the shortlist of problems with this:

  1. We don’t know what else they are scanning for, what else they are parsing out, where they are storing it and what they are doing with it.
  2. Google says they are not using this info to target ads, as if that settles matters. Then what are they doing with it or why else would they even bother? Further, Google says a lot of things, some of which turn out to be disingenuous. Google once testified before the US Congress that they don’t manually intervene in search results; it was later revealed that they… manually intervene in search results.
  3. Whatever data mining and collation and cataloging systems and resources are in place could be abused by Google staff. There are ample cases of tech giant employees abusing their positions and their visibility into user data.
  4. These same systems could be abused or exploited by partners, as has been reported in #AxisOfEasy in previous instances.
  5. These systems could be used (or are being used) under a larger umbrella of State surveillance, which we all know is happening – thanks to the likes of Edward Snowden (see his recent talk to Dalhousie University here). Google’s startup financing came in part from the US intelligence apparatus and, as is frequently observed here and elsewhere, it is now a major contractor to world governments and the US military.
  6. [ Added – later] As pointed out by a reader, it may also violate data privacy laws of various locales, regardless of what’s actually in the ToS.

Objections and Rationalizations

There will no doubt be people who read this and object to this being a problem on three grounds:

  1. “Everybody does it”, in the sense that any email provider who is running virus or spam filters at their edge is in essence scanning every inbound email. This is true, but only in the sense that they are actively seeking to separate noise, which costs everybody, including the recipient, from signal – stuff the recipient wants to receive. They are not parsing non-infected, purportedly non-spam email. Let’s call it “real email”. They aren’t parsing and cataloging your real email based on its contents.
  2. It’s free so shut up. For most Gmail users, this is true. But they should also realize that if they don’t want to shut up about this, then the correct response is to move one’s email away from Gmail and pay a provider you trust not to inspect and datamine your private and business correspondence. Remember the old adage: “If you’re not paying for the product, you are the product”.
  3. If you have nothing to hide you have nothing to fear. Often quipped by people who have never read a history book. There isn’t much to say about these unfortunates other than, go read a few.

I frequently recommend the biography of Joseph Fouché, the man who ran Napoleon’s secret police, who also cast the deciding vote to behead King Louis XVI. He is credited therein with having invented the modern police state as we know it. If you want to see a long trail of people who had nothing to hide become separated from their wealth, their liberty and their heads… start there.

What to do about it

Maybe you know all this and you really don’t care, and that’s fine. As long as your cultural choices and your political beliefs and your lifestyle match the accepted norms of a rapidly shrinking Overton Window of what constitutes “acceptable,” then you shouldn’t have to worry about anything. Really.
