Today I found out that google docs infects html exports with spyware, no scripts, but links in your document are replaced with invisible google tracking redirects. I was using their software because a friend wanted me to work with him on a google doc, he is a pretty big fan of their software, but we were both somehow absolutely shocked that they would go that far.

Joe :ferris: :nixos:

For those unfamiliar with html: the href section, everything between href=" and "> is the real link, and the section between > and </a> is the display text

This html feature is useful so that a link can display as something like "Read more", "Profile", "Wiki" etc, but in this case it is misused.

Google tracks people that are not using any of their products by adding hidden tracking links to exports without designer knowledge or end user consent.

@Joe_0237 how manages to do this under the is beyond me,… do you get to see a cookie banner before the redirect (in a private window)?

Nope (see picture), if they are collecting data from these redirect links it’s totally against the gdpr:

@lil5 Interesting find. Perhaps they only officially track the google user who made the doc, so users unwittingly help the google collect stats on the author and their site, or only those that are signed in with google are tracked, and almost every person with a computer is usually signed into an account. But even so, this tactic shows that there is no trust, so why shouldn't they track everyone, it's not like they have to share the code they say only tracks legally.

@Joe_0237 @lil5 without a logged in account, the google domain gets the same data any other site would have. If they're not setting a cookie, and the link is taking you where it is intended, I don't see what they're doing wrong.

I'm up for being educated on this topic, as it affects my field of work. Thanks

@adg @lil5 I have not investigated that very deeply, but I don't think that the fact that any company can track makes it moral.

I don't know if they set a cookie or if not if they use a fingerprinter, but beyond any doubt they have your IP address and user agent which unless you are on a VPN or at a coffee shop or share a network with your apartment building is probably enough to identify you.

But ...

@adg @lil5 ... even if they are not tracking the follower of the link, they are surely at least tracking link traffic on someone else's website or ebook, they know the source page because of the referer http header, they know the destination, and they know the document the link belongs to with the ID numbers in the "ust" and "usg" url parameters.

@adg @Joe_0237 @lil5 They are changing a link in a standalone document without your permission to go through their servers on the google.com domain, which obviously allows them to track you...?

@janc @adg @Joe_0237

In Google’s defense: the person clicking export already accepted the TOS

My concern is to any other person who hasn’t logged in, and hasn’t accepted Google’s TOS

I’d need to do some extra digging to what data is being collected and if it matters how much you have consent to.

@lil5 @adg @Joe_0237 It's impossible to know how much data they collect, and what other data they link it to (or what they will aggregate it with in the future).

@janc @Joe_0237 @lil5 I get that what they're doing isn't obvious to the exporter, but every website you access is being sent your IP (unless running through a VPN or other forwarding mechanism). Unless you can prove that they're storing the IP address there is nothing breaking GDPR right?

@adg @Joe_0237 @lil5 In this case it's sending the IP address of e.g an ebook's reader to a third party. That's not something that person expects or agreed with.

Also, breaking the GDPR doesn't require that we have proof, we only need that to convict somebody, and just like most other criminals big data companies will try to hide their crimes.

(And Google got caught violating laws many times before, so I'm definitely not going to trust them...)

@adg @Joe_0237 @lil5 The GDPR isn't about cookies, it's about personally identifiable information. An IP address and time stamp is sufficiently personally identifiable. This is why privacy-conscious access logs mask IP addresses.

Note that the EU ePrivacy directive also exists and it covers cookies more explicitly but the GDPR is the baseline.

@ln @Joe_0237 @lil5 thanks, I'm aware it covers more than just cookies but there's no way to prove that they are storing the IP unmasked. The url has a query parameter to the destination, anything else is pure speculation.

@adg @Joe_0237 @lil5 There's no need to prove anything, they need to declare any data they process and store in their privacy policy, which must be linked from every page including this "redirect". We don't have to guess, they have to tell.

@Joe_0237 For people who have too much stuff on Google Docs to migrate easily, it would be nice to distribute a one-liner script that strips the evil redirects from downloads. Maybe a maker of an unzip utility could even add an option to strip the redirects while unzipping the dirty HTML or Epub.

@Steve98052 it would be a little tricky in a single line. How about ten lines (probs more than 30 for someone as verbose as me) and the right to import an HTML or XML parser, a URL parser, and a module for dealing with zip archives.

(both epub and web use a kind of HTML, web exports from google are zipped, and an epub file is zipped XHTML + more)
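
Added example, not part of the thread and not any poster's code: a Python sketch of the cleanup described in the last two posts, using a URL parser and the zip module to unwrap redirect links inside an exported zip or epub. It assumes the wrapper has the form `https://www.google.com/url?q=<destination>&...`; the `q` parameter name, the host set, the double-quoted `href` attributes and the function names are assumptions, since the thread only names the `ust` and `usg` parameters.

```python
import html, io, re, zipfile
from urllib.parse import parse_qs, urlsplit

# Constructed sample of an exported link (the ust/usg values are placeholders).
SAMPLE_HTML = ('<a href="https://www.google.com/url?q=https://example.org/page'
               '?a%3D1%26b%3D2&amp;sa=D&amp;ust=0000&amp;usg=PLACEHOLDER">Read more</a>')

HREF_RE = re.compile(r'href="([^"]*)"')            # assumes double-quoted attributes
REDIRECT_HOSTS = {"google.com", "www.google.com"}  # assumed wrapper hosts


def unwrap(url):
    """Return the real destination of a redirect wrapper, or url unchanged."""
    try:
        parts = urlsplit(url)
        if (parts.scheme not in ("http", "https") or parts.path != "/url"
                or parts.hostname not in REDIRECT_HOSTS):
            return url
        dest = parse_qs(parts.query).get("q", [])
        # Take the target only if it is a single http(s) URL, so a crafted
        # q=javascript:... value is never promoted into the href.
        if len(dest) == 1 and urlsplit(dest[0]).scheme in ("http", "https"):
            return dest[0]
    except ValueError:                             # malformed URL: leave it alone
        pass
    return url


def clean_html(text):
    """Rewrite each href that points at the redirect; other links stay byte-identical."""
    def repl(match):
        original = html.unescape(match.group(1))   # &amp; -> & before URL parsing
        target = unwrap(original)
        if target == original:
            return match.group(0)
        return 'href="%s"' % html.escape(target, quote=True)
    return HREF_RE.sub(repl, text)


def clean_archive(data):
    """Take zip or epub bytes and return a new archive with links unwrapped."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():                # same order: epub needs mimetype first
            body = zin.read(info)
            if info.filename.lower().endswith((".html", ".htm", ".xhtml")):
                body = clean_html(body.decode("utf-8")).encode("utf-8")
            zout.writestr(info, body)              # keeps each entry's compression type
    return out.getvalue()
```

Entries are copied in their original order with their original compression type, which keeps an epub's uncompressed leading `mimetype` entry intact.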