Given the emphasis Google places on security and privacy, you'd be forgiven for thinking that their products would be built with that in mind. But apparently not when it comes to Google Groups (and Chat - but that's a whole 'nother can of worms!)
Let's take this a step at a time.
I created a group - privacytestgroup - with the settings shown.
There are five members:
- Manager
- 2 members using std gmail addresses
- 2 members using a private domain-based email address
Note especially that 'Who can view the members' email addresses' is set to Group Managers.
So you might think that only Group Managers would ever be able to see any Group Member's email address.
Sure enough if I look at the member list from either of the member accounts, I don't see the members' email addresses.
But let's see what happens if Member Gmail1 sends an email to the group.
Gmail1 sends an email to the group email address. If Member Gmail2 looks at the conversations using the WebUI, sure enough, they don't see Gmail1's email address.
But if Member Gmail2 examines the email notification of the post that they have received from the group (using the Gmail client), they see the email address of Member Gmail1 in the 'from:' part of the email.
Let's see what happens if Gmail1 uses the web UI to post a message rather than sending an email.
Once again, Gmail1's email address is exposed in the email notification sent to Gmail2.
So far, so bad.
What about if Domain Member 1 posts to the group?
Exactly the same thing happens if the post is made via the Web UI.
There's a slight difference here. The 'from:' part of the email header now shows 'Perjury PE via privacytestgroup'. No email address. But the email address is still shown in the 'reply-to:' field.
nb. The domain of member2 has a DMARC policy of 'p=reject'.
Apparently, if an email is sent to a Google Group from a domain that has 'p=quarantine' or 'p=reject' policy as its DMARC policy you'll see "'Sender Name' via Group-Name" <YourGroup@Yourdomain.com> (the recipient's group) as the sender.
After I ran the tests above, I noticed that the 'Who can reply privately to authors? ' setting was set to allow members to reply privately.
Maybe this was allowing the reply-to email address to be populated. So I changed it to only Owners.
But no. The reply-to field is still populated with Domain Member1's email address whether the post is made by email or by the web UI (tests 5 & 6).
Then I noticed this setting
Maybe if I changed it to...
Bingo!
Looking at the From:, To: and Reply-To: fields, no email addresses are exposed.
But...
If you examine the email headers in more detail (use the 'Show Original' option in the Gmail client), it is still possible to see the originator's email address.
Not good!
So with these settings, what happens if I post to the group with a standard gmail address?
As you can see, the email address is exposed in the From: field.
I presume this is because Gmail does NOT have a DMARC policy of 'p=quarantine' or 'p=reject'.
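The 'Show Original' check above and the DMARC rule quoted earlier can both be turned into a repeatable audit. The following script is an added example and is not code from the original post or from Google; it parses a raw notification message (as copied from 'Show Original'), reports every header that carries a group member's address other than the group address itself, and classifies a domain's DMARC TXT record by whether its 'p=' tag is one that causes the From: field to be rewritten to "'Sender Name' via Group-Name". The group address, member addresses and the sample message are constructed placeholders; the X-Original-Sender line is included only to show that the scan does not depend on which header carries the address.

```python
"""Audit a Google Groups notification e-mail for member address exposure.

Added example, not the original post's code. Feed it the raw message text
obtained via Gmail's 'Show Original'; it scans every header (From, Reply-To,
To, Return-Path, X-* and anything else) for member addresses.
"""
import re
from email import message_from_bytes, policy

# Placeholder values (constructed, not from the post).
GROUP_ADDRESS = "privacytestgroup@example.com"
MEMBERS = {
    "gmail1@example.net",            # stands in for a standard Gmail member
    "domain.member1@example.org",    # stands in for a private-domain member
}

# Constructed sample notification: From: has been rewritten to the
# "'Name' via Group" form, but Reply-To: and another header still carry
# the poster's real address.
SAMPLE_RAW = (
    b"Return-Path: <privacytestgroup@example.com>\r\n"
    b'From: "Domain Member1 via privacytestgroup" <privacytestgroup@example.com>\r\n'
    b"Reply-To: domain.member1@example.org\r\n"
    b"To: privacytestgroup@example.com\r\n"
    b"X-Original-Sender: domain.member1@example.org\r\n"
    b"Subject: test post\r\n"
    b"\r\n"
    b"Hello group.\r\n"
)

# Simple address matcher; good enough for header text.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_exposures(raw, members, group_address):
    """Return {header_name: [member addresses found]} for every header that
    exposes a member address other than the group's own address."""
    msg = message_from_bytes(raw, policy=policy.default)
    member_set = {m.lower() for m in members} - {group_address.lower()}
    exposures = {}
    for name, value in msg.items():          # includes repeated headers
        found = {a.lower() for a in ADDRESS_RE.findall(str(value))}
        leaked = sorted(found & member_set)
        if leaked:
            exposures.setdefault(name, []).extend(leaked)
    return exposures


def dmarc_policy(record):
    """Parse a DMARC TXT record and return its 'p=' value, or None if the
    record is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    return tags.get("p")


def from_will_be_rewritten(record):
    """True when the sender domain's DMARC policy is one the post says
    makes Google Groups rewrite From: to "'Name' via Group"."""
    return dmarc_policy(record) in ("quarantine", "reject")


def report(raw, members, group_address):
    """Human-readable summary of the audit."""
    lines = []
    for header, addrs in find_exposures(raw, members, group_address).items():
        lines.append(f"{header}: exposes {', '.join(addrs)}")
    return lines or ["no member addresses found in headers"]


if __name__ == "__main__":
    for line in report(SAMPLE_RAW, MEMBERS, GROUP_ADDRESS):
        print(line)
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
                "v=DMARC1; p=none"):
        print(rec, "->", "From: rewritten" if from_will_be_rewritten(rec)
              else "From: shows real address")
```

Run it against your own 'Show Original' text by replacing `SAMPLE_RAW` with the saved message bytes and `MEMBERS` with the group's member list; an empty result is the condition the settings are supposed to achieve. The DMARC record for a domain is the TXT record at `_dmarc.<domain>`, which you would fetch separately (the script deliberately does no network lookups).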
So then I wondered what would happen if I turned off the option to allow posting by email to the group.
The images shown here are what is seen in the email notification received after posts on the Web UI by both the domain account and the gmail account I have been using.
The email address of the gmail account is clearly exposed, and the domain account's email address is discoverable by examining the email headers.
The results after switching off 'post by email' were exactly the same. The email addresses are exposed.
a) Users of Google groups should be aware that if they post to a Google Group, their email address will be shared with ALL the other members of the Group.
b) Why does Google not make it more explicit the effect these settings have on group user's privacy?
c) Are there any other tweaks that can be applied so the members' email addresses are fully redacted?
d) At the moment, anyone who wants to be fully GDPR compliant and never expose group members' email addresses should probably avoid using Google Groups entirely.
e) To minimise exposure, I recommend the following settings are used:
i) 'Who can reply privately to authors?' to owners/manager
ii) 'Send replies to group posts to' to 'All group members'
f) People using Google Groups who are concerned about their privacy should use an email address that has a DMARC policy of 'p=quarantine' or 'p=reject' (which Gmail does NOT appear to have).
I am subscribed by email to threads on GitHub and they don't expose the email addresses of people posting. So if they can do it, how come Google can't?