Friday, September 22, 2006

Gmail careless with privacy -- again

When you click on a link in your web browser to go to a new page, your browser sends information to the web server, including the address of the page you came from. This information is called the "referer" [sic] and is normal behaviour in web browsers. However, Gmail goes beyond the normal amount of information in the referer, and leaks enough to sometimes identify the originator.

Marc from O'Reilly Books writes:

When I get referers from GMail messages on my new blog, they often contain a query string parameter labeled 'cat' with a cleartext, meaningful value in it. I've often been able to determine, from the 'cat' value, exactly who is talking about my site in email, and in one case, exactly what they thought of what we're doing!

It isn't clear to me whether it is the person who emails the link via Gmail, or the person who clicks on the link in Gmail, who can be identified, but either way, this is a worrying privacy breach from Google -- especially when their privacy policy specifically states that they use a cut-down version of the referer to help protect the user's privacy.
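To make concrete what a site operator actually receives, here is an added example (not code from the original post or from Google) that audits constructed access-log lines for webmail referers, lists the query parameters they leak, and shows the "cut-down" referer (scheme and host only) that a privacy-preserving sender would have transmitted instead. The log lines, IP addresses and the 'cat' label value are constructed for illustration.

```python
"""Audit access logs for referers that carry more than an origin (added example)."""
import re
from urllib.parse import urlsplit, parse_qs, urlunsplit

# Apache/nginx "combined" log format; only request path and Referer are used here.
LOG_RE = re.compile(r'"(?P<method>\S+) (?P<path>\S+) \S+" \d+ \S+ "(?P<referer>[^"]*)"')

# Constructed sample lines: two Gmail referers, the first leaking a 'cat' label.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Sep/2006:10:01:02 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 '
    '"http://mail.google.com/mail/?cat=Competitors%20to%20watch&view=cv" "Mozilla/5.0"',
    '203.0.113.8 - - [22/Sep/2006:10:02:03 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 '
    '"http://mail.google.com/mail/?view=cv" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Sep/2006:10:03:04 +0000] "GET /blog/ HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0"',
]


def cut_down(referer: str) -> str:
    """Reduce a referer to scheme and host: the origin-only form that reveals
    where a visitor came from without exposing path or query parameters."""
    parts = urlsplit(referer)
    return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))


def leaked_params(referer: str) -> dict:
    """Return the decoded query parameters carried in a referer (empty if none)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(referer).query).items()}


def audit_referers(lines, host_suffix="mail.google.com"):
    """For each hit referred from the given webmail host, report what leaked
    and what a cut-down referer would have shown instead."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("referer") == "-":
            continue  # no referer sent
        ref = m.group("referer")
        host = urlsplit(ref).hostname or ""
        if host.endswith(host_suffix):
            findings.append({"path": m.group("path"), "referer": ref,
                             "leaked": leaked_params(ref), "cut_down": cut_down(ref)})
    return findings


if __name__ == "__main__":
    for f in audit_referers(SAMPLE_LOG):
        print(f["path"], "<-", f["cut_down"], "leaked:", f["leaked"])
```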

Now, I'm not going to say "Liar, liar, pants on fire!", but it seems that Gmail's claim about the steps they take to protect the user's privacy is rather different from the actual steps they take to spray users' fingerprints all over the Internet.