Mastodawn

Arvind Venkataramani Nov 10

This thread is worth reading if you are a Google docs user.

Short version: When you export a document from Google Docs, Google replaces all your hyperlinks with links that allows Google to monitor the interactions of everyone you share your document with.

This hidden link replacement can potentially be used to build a model of your professional relations, where people who interact more with your content are considered a stronger relation.

Think about the implications.
https://fosstodon.org/@Joe_0237/111145684757912952

Joe :ferris: :nixos: (@[email protected])

Today I found out that google docs infects html exports with spyware, no scripts, but links in your document are replaced with invisible google tracking redirects. I was using their software because a friend wanted me to work with him on a google doc, he is a pretty big fan of their software, but we were both somehow absolutely shocked that they would go that far.

Fosstodon

GrumpyDad 🇺🇦🇵🇸Nov 8

@randahl Time to add a few links to potentially hazardous stuff just to poison the algorithm

Rae Patterson Nov 8

@grumpydad @randahl

Poisoning the algorithm is honourable work, and don't let anyone tell you different.

Sepia Fan Nov 8

According @Joe_0237 documents are only affected when exported to html or epub:

txt - unaffected
html + AFFECTED
odt - unaffected
pdf - unaffected
epub + AFFECTED
rtf - unaffected
docx - unaffected

https://fosstodon.org/@Joe_0237/111154765203815950

Joe :ferris: :nixos: (@[email protected])

Google Docs exports automatically infected with tracking links: txt - unaffected html + AFFECTED odt - unaffected pdf - unaffected epub + AFFECTED rtf - unaffected docx - unaffected sample web html <a> tag: <a class="c4" href="https://www.google.com/url?q=https://wikimediafoundation.org/&sa=D&source=editors&ust=1696089933805520&usg=AOvVaw2ypOvslXzoEGwdryv4bFyJ">https://wikimediafoundation.org/</a> sample epub xhtml <a> tag: <a class="c5" href="https://www.google.com/url?q=https://wikimediafoundation.org/&sa=D&source=editors&ust=1696087392161966&usg=AOvVaw1v4xpIFWD9GYkMFifXd1uo">https://wikimediafoundation.org/</a>

Fosstodon

Randahl Fink Nov 8

@stekopf you are right. Thank you. I updated the post to reflect that this is export related.

@stekopf @randahl @Joe_0237 if I remember right, epub is html in a zip with some support files, so this seems specific to html then.

@stekopf @randahl @Joe_0237 Yeah... For now.

Everyone should expect that Google will do this new creepy stalking one file format at a time, until all of their file formats use this new creepy stalking.

And when people accept this new unreasonable behavior from Google without revolting, Microsoft and every other company will start doing the same creepy stalking thing with all of their programs too. What a terrible world we live in that keeps getting terribler and terribler.

@randahl I am planning to replace at least Google Photos with a self hosted FOSS solution, but last week I lost an entire day replacing a HDD that was almost dead (after years of torrenting). I prefer self hosted, I don't want to switch to other hosting, even if they have E2EE, but maintaining things can be annoying sometimes.

「ʀᴏʙᴇʀᴛ」Nov 8

@qgustavor @randahl I recently switched to Immich for a self-hosted photo backup/management solution, which works great (although I don’t have very high requirements, mostly just being able to automatically back up my iPhone photos). Not a lot of maintenance required other than running the occasional update.

https://immich.app/

Immich

Self-hosted photo and video management solution. Easily back up, organize, and manage your photos on your own server. Immich helps you browse, search and organize your photos and videos with ease, without sacrificing your privacy.

Immich

@robertklep @randahl At the moment my photos are self-hosted using some scripts I made that sync with my Android phone, but I want to switch to something more easy to use for my wife's phone. I'm planning to use Nextcloud (along with its Android app) which can also replace Syncthing for file synchronization and Google products for my personal files (my company uses Google's suite and OneDrive).

Kerr Avonsen (she/her)Nov 8

@qgustavor @robertklep @randahl I'm quite happy with SyncThing myself. I'm curious as to what you consider the drawbacks are to using it.

@kerravonsen @robertklep @randahl It's great for synchronization, but I would like some extra utilities which Nextcloud can provide more easily than the current solution. Like, I have a script that makes a map of every photo I took, which is great since there are photos in lots and lots of places.

@randahl so if I have links in a doc, download and save as a docx, I have to delete, save and then re insert my links? My work is in the process of moving from GSuite to Microsoft ...

@jellycrystals @randahl no, only HTML and epub exports, apparently.

@draeath @randahl Ah. Rad. Thank you

Cassandrich Nov 8

@jellycrystals @randahl Microsoft does similarly evil stuff with your docs.

@dalias @randahl Yeah, I know. It might be the lesser of 2 evils? I do what I can with the system work gives me.

Randahl Fink Nov 8

@jellycrystals you may not need to. The link replacement only occurs when you export to certain formats including HTML.

But I suppose you can easily check this inside your Microsoft product by chosing to edit the hyperlink address to check that it does not point to a Google service.

@randahl Good point. Thank you.

Wow, so Google has to keep a database of all these links online indefinitely ... that's robust. For the sarcasm-impaired: that was sarcasm.

And, they can decide which document's links to "break" when they feel like it.

Stop. Using. Google. At. All. For. Anythhing.

Randahl Fink Nov 8

@bjb “This HTML file is currently not working because of a dependency on a Google service which is currently offline”

— How far we have come.

Christopher Snowhill Nov 8

Just™️ self host your own Nextcloud, then the onus is only on you to host it reliably. And since datacenters can fail, it's better if you host it on your home connection.

Jack Yan (甄爵恩)Nov 8

RE: https://mastodon.social/@randahl/115513890753953838

I know I say this a lot, but I am glad I stuck with WordPerfect. Usual evil stuff from #Google.

VA3EKR, KK7TMS, Scott Nov 8

@randahl this is good to know!
If I share in future, I'll export a PDF that I will edit to roll-back links

Justin Fitzsimmons Nov 8

@randahl and if google ever decides (or is forced) to end this practice and shut down their servers, all those exported links are now broken.

arceuthobium Nov 8

@smn @randahl maybe also if you delete the google-hosted parent file. Hey it no longer exists so it’s not needed.

@randahl several years back, I was interacting with a client whose company was looking at using the Google environment for work. They had dug into the terms and conditions where they found that Google could essentially own anything that they wrote on their platform. At that time, the TOC basically said they could inspect any data they wanted to. While that may not be the case anymore, I would suggest anybody wanting to use an online platform take a good look at the TOC before they start.

I am in the process of de-Googling my life. Since I am pre-internet... I was pre Google..when it was a marginally better browse ...I just kept using it. 30+ years later it is BIG BROTHER.

Erik Jonker Nov 8

@randahl https://cryptpad.org/ and others offer good alternatives

CryptPad.org

End-to-end encrypted collaborative office suite

Toni Aittoniemi Nov 8

@randahl Fook! That’s not service, that’s hacking. 😧

Gumberculese 86 47 Nov 8

Good thing nobody could game a system like that....

Solarpunk Davy Nov 8

@randahl I think it was originally added as an anti-phishing matter, to avoid people thinking they're still in 'google land'.

But yeah, it's the same trick as the search engine does.

I know of a place that stores all their documents including "employee records" and host the "company website" and use Google QR codes for everything.

I've been trying to convince them that I can build a system for about $500-1,000 that would be inhoused.

They recently formed a union for the staff to "protect the vendor". These people are so corporatizesed, they just don't comprehend that they are selling homeless people's information including SSN to Google and intern, every government agencies that want to know who is homeless.

Randahl Fink Nov 8

@justbob In Denmark, I am seeing the trend going the other way. Our government has made guidelines that at least moves some public sector organisations to open source solutions.

I do not know the details, but what I have heard sounded promising.

I'm so old, I ran a BBS in the 90's. The people and colleges controlled the internet back then and you didn't worry about how your information was used. Now, everything has tracking codes like ?umb_source= and no one hardly notices.

One of things I work hard to keep out of TidySearch is those codes and I'm working on a page to open clean website pages. All the Javascript and other garbage just adds to the degradating of what you want to read.

I came across a site using AI to clean it but what is happening behind THAT?

Nicole Parsons Nov 8

Money isn't neutral. The source & provenance of investment money matters.
https://www.businessinsider.com/tim-cook-peter-thiel-rupert-murdoch-met-with-bin-salman-2020-1

https://www.cnbc.com/2018/04/07/heres-a-look-at-who.html

https://www.bloomberg.com/news/articles/2018-04-06/google-thiel-stand-out-in-saudi-prince-s-silicon-valley-tour

Google got enormous injections of cash from the worst petrostate despots on the planet.

https://www.bbc.com/news/technology-47454598

https://www.npr.org/2019/02/12/693994447/apple-google-criticized-for-carrying-app-that-lets-saudi-men-track-their-wives

These are the same despots who want to track women & are funding international state surveillance platforms with Elon Musk, Peter Thiel, and Larry Ellison of CIA fame.

https://www.businessinsider.com/microsoft-google-hand-dissident-data-to-saudi-arabia-activists-say-2023-7

The Saudi crown prince accused of hacking Jeff Bezos' phone met with more than a dozen tech execs and celebs during the same US trip. From Tim Cook to Oprah, here's everyone Mohammed bin Salman met with.

Tim Cook, Michael Bloomberg, and Oprah met with Mohammed bin Salman on the same trip in which he connected with Jeff Bezos.

Business Insider

Weekend Editor Nov 8

In the US, aren’t there likely some legal liabilities with HIPAA, if any healthcare info is treated this way?

@randahl This is bullshit intrusive, but am I surprised? Hardly… 🤔

cognitively accessible math Nov 8

@randahl Thank you. I've got one I share a lot about developmental math research. I was thinking today about how to stick that kind of thing on my website (sigh and how to keep my website since my friend who took over paying for it died.... I did manage to convince them tolet me give them the money...)

Djembro, RO, supports 🇺🇦🇬🇪Nov 8

@randahl
It’s gotten to the point that if there’s an event I want to attend and it requires registration via Google Doc, I just don’t go to that event. On occasion I have the opportunity to suggest alternatives. @CryptPad is great. I want to try other alternatives too. #degoogle #theFutureIsFedi

John Faithfull 🌍🇪🇺🏴󠁧󠁢󠁳󠁣󠁴󠁿🧡✊🏻✊🏿Nov 8

@randahl 🤬😡

@randahl
It is clear that we need to dump apps from Google, META, X, Microsoft, Adobe... Or get offline altogether? The enshittification is complete. I read some people are going back to private Discord groups. Not sure of their privacy protections. AI can even scrape Mastodon because it's public. I'll stay online until the midterms in the US, then reassess. I just saw a post about how every image and message in Instagram is being scraped. ☠️ No way to opt out.

JWM (Joe No Se)Nov 8

@randahl - Tested this on both paid and free GDrive, with the same behavior.

I've found that Google often inserts tracking links in their docs. Super frustrating.

扫射恋母癖的时候钻进我母的裙底逃过一劫🪼Nov 8

@randahl omg… what else app can i use… i do rely on google docs and it’s simple to use. uhhh cyber insecurity…

@Gudfinna @randahl
Try @CryptPad (self host, or pick an instance).

max oakland Nov 8

@randahl holy crap this is insidious

@randahl
That thread is from 2023. CryptPad has moved to @CryptPad since then.

🥑 Yours Truly! Unruly 🇨🇦🇪🇺🇺🇦🌻Nov 9

The implication for me is wean myself off google forever. Buh bye google and good riddance.

Allan Engelhardt Nov 9

@randahl They can track not only your clients (when they click on a link) but also their internal organization and their partners, suppliers, etc.

This is #EvilByDesign and must violate ever single data protection law in existence.

Professor Plum Nov 10

@randahl I saw the same thing in enterprise gmail: links being replaced with a Google url that redirects to the original. (I don’t work there anymore so I can’t test it.)

Krijn Soeteman 🎙 🏳️‍🌈Nov 11

@randahl funny, i responded to the toot 2 years ago, it felt somewhat familiar already ;-)

craignicol Nov 11

@randahl don't Microsoft do the same thing for their anti-phishing service for every link in an email or Teams message?

@randahl this is malicious behaviour by #Google and needs to have #consequences beyond the #GDPR violation fines.