Did Google Purchase Me?

I'm not stupid. I knew Google could read all my mails. Yet, I got stupefied yesterday morning when Google presented my consolidated purchase history from external websites in front of me. I can't find words enough to express the shock it gives when one encounters a new proof for online tracking, snooping and secret profile creation.

Before starting, I assume that the reader knows Google collects, calculates and stores a lot of users' personal information, including their online activities, locations, and even voice commands (read a CNBC report here, but don't fall for the "Google is transparent" part). They have prepared a comprehensive profile of each user, and one can check this by visiting certain dashboards like https://myaccount.google.com (more here, which Google claims to be transparent).

Back to the issue. Recently I have been going through the process of deleting all my Google accounts, for I knew for years they track me. I've never had an account on any Facebook service, and I had already deleted most of my unnecessary online accounts including the ones like Amazon (some sites won't let me delete my account, and that's another issue). The only reason I kept my Google account is that I needed time to migrate, and I thought Google wasn't as bad as Facebook. And when I opened the purchase history from my account dashboard (https://myaccount.google.com), it turned out it is.

The purchase history page listed all of my shopping history from Amazon, Flipkart, etc., which was a shock. Being a privacy advocate myself, I had searched mostly via services like Tor and DuckDuckGo, shopped using different browsers or contexts (like Private Browsing mode) where my Google cookies weren't present, and used PrivacyBadger to block tracking scripts. I had even blocked JavaScript entirely sometimes. Still, Google knows what I've bought on other sites. How? Did I fail?

Screenshot of Google Purchase History
Google Purchase History lists the items I bought on Amazon and Flipkart. The actual list is much longer.

One moment later, when I was again in a position to think, the puzzle got solved. It must be Gmail. It was a relief to learn that my privacy measures have not been compromised. They work great on other sites, and reasonably well on Google (true when I visited other areas in my dashboard, where Google had listed incorrect guesses about me).

The reason Google could still spy on me was my Gmail account, whose ID I had given on sites like Amazon.in, before I became this much privacy-conscious. Whenever they sent me an email (which won't be encrypted), Google could read it. An issue long known to me, an issue which I had been trying to eliminate by changing my email ID in other websites (as of now, I've deleted most of such accounts themselves).

Screenshot of Google explaining where it got the details from
Google shows all the details regarding a purchase including the payment amounts, and explains that it got these from my mails (screenshot cropped for better view)

If I knew Google could read my mails, what's the surprise now? The element of surprise is the fact that they used their power to prepare a topic-specific report after scanning my mails, without consent, and presented it in front of me without any shame. Transparency is good, but it's not a justification for your immoral acts. Google's self-proclaimed data control dashboards only raise the question of what information it actually hides from its users.

Policies that lie

Does Google admit this activity in their policy documents? If it does, that'd be a justification for them in a court (although it's still immoral). Interestingly, it doesn't, and its statements contradict.

Google's is perhaps the most clever privacy policy I've ever seen. Popular media praises the simplicity, readability and the attractive design of their privacy policy page. Although being readable is better than the policy pages of most websites which not even lawyers can understand (but interpret in any way they like), I don't think Google is being honest to its users. Some of the clauses are still ambiguous, and the artwork is there just for distraction.

What does the main privacy policy page say about the extraction of purchase history from Gmail? A quick search for the word "purchase" yielded one result, "purchase activity", but it was listed under this:

We collect information about your activity in our services, which we use to do things like recommend a YouTube video that you might like. The activity information that we collect may include...

So that doesn't cover the purchase history on other websites. Under the section things that you create or provide to us, they mention the collection of mails users receive, but it can only be seen as the storage of mails by any mail hosting service. No word on scanning.

By this point, it became clear that Google's privacy policy doesn't admit it scans mails to list out purchase history (at least from a reader's viewpoint). But I was curious to know what Gmail's policies have got to say.

I couldn't find an explicit privacy policy for Gmail, but in an answer posted on the official Gmail Help portal, Google says:

We will not scan or read your Gmail messages to show you ads.

Which is the exact opposite of what Google says in their terms of services, under the section your content in our services:

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.

So Google not only does an immoral thing by extracting external purchase history from users' mails, it hides this from its privacy policy, and makes contradicting statements on the terms page and the help portal. You can't call it a bug, Google.

No provision for deletion

Although Google boasts of its data control dashboards, there is no direct option to delete an entry from this purchase history. The page asks us to manage it where it came from. But the fact is, even if the source is deleted, the entry remains there (explained below).

It creates an explicit index

Was Google simply displaying my Gmail messages (which I already let them do whenever I accessed my Gmail inbox), but this time applying a search filter? If that was the case, the issue would be slightly less serious. But that isn't the case. There were thousands of messages in my account, and displaying this amount of formatted purchase info after applying a full-text search on-the-go isn't easy even for Google. Moreover, each entry in the purchase history contained details extracted and deduced from multiple mails, like shipping status. That requires crawling, processing and shopping-only index creation.

That's why I suspect that Google employs some serious mechanism to scan and index Gmail, a mechanism that is equally or more powerful than what they use for indexing the Web.

To confirm that Google has kept separate records, I visited my purchase history hours after deleting my Gmail account, and the data was still there.

Do I feel cheated?

Not by Google. You feel cheated only if you had trusted somebody. I had stopped trusting Google long ago. But I feel cheated by myself for believing Google was better than Facebook. It might be or not, but that doesn't matter anymore. Any company that collects unnecessary personal information is bad, and even if it doesn't, a single service provider for all online services is a bad idea by itself.

At the same time, I feel proud for having deleted my Google account completely, although this late. Purchase history wasn't the main reason for that, which I came across only in my last hours with Google.

If I can trash a Gmail account which I used to handle tens of thousands of mails for over a decade, if I can delete a YouTube account with a good viewership, and several other services, you can too. If you won't, please use encryption when you communicate with others through Google services, or their privacy will also be in danger. For example, when I send and receive mails to and from Gmail users, Google can still read me (hope it has no shadow profile of me left to record it in).

Anyway, the best option is to choose trustworthy services (again, not all-in-one), and to never trust them blindly.

Read more

I couldn't find more posts on this specific issue (purchase history), except this Gmail Help Forum thread, which won't load without proprietary JavaScript:

https://productforums.google.com/forum/#!msg/gmail/h3Z5xkSX4jM/bDqcxRvsBwAJ

If you happen to find any relevant link, please let me know so that I can add it here.

Read more from Nandakumar at nandakumar.org/blog/