by srazzaque 981 days ago
I'm pretty sure the stated intent of the redirect is to prevent phishing (that is, provide an opportunity for Google to warn users about visiting a known dodgy site). The ability to track is just an added bonus!

Microsoft does this too with Teams. Links that my colleagues and I share with one another to _internal company sites_ get link checked then redirected. Microsoft must have a treasure trove of data about external company employee browsing habits as a result.

I would have infinitely more respect for companies that are upfront about their intentions, no matter how nefarious: "we're doing this to help protect you from phishing. But also, 99% of links are probably not phishing. So this feature really enables us to collect data to track what you do, and perform analytics to improve our bottom line".

Why sugar-coat it?


I DESPISE these links from Outlook and Teams (not sure if it is specifically the teams implementation or something else).

I don't know about your company but mine has us do these phishing tests and training videos all the time and then we get rid of one of the safety features that they keep hammering us about.

I can't just look at the URL before clicking it. I once "fell victim" to one of our phishing tests because I clicked the link in the email. And it's like... well, we have been trained by our own email system that the only way to actually see the validity of the link is to click it.

Those corporate phishing tests are often administered by KnowBe4, and KnowBe4 identifies their phishing emails with custom email headers (can't remember what it is off the top of my head). So if you view the source code of an email and look for the obvious KnowBe4 header, you can tell ahead of time.

viewsource > ctrl+f > 'threatsim'

lol yeah. I curled the URL in a suspicious email once, to investigate what it was. YOU FAILED THE TEST. ugh...

It just frustrates me that I have brought this up multiple times, wondering why we are paying to do this training and then we can't actually do the training.

Like it would be one thing if the URL then just had the full URL in it and we could still see where it was going. But no, it is a completely obfuscated URL.

The worst part is, it isn't like it takes you to a page to verify you actually want to go to this link. It just takes you right there assuming you are on a browser that has approved that it can open links from your email.

I really, really want to know what good this does AT ALL besides likely checking some checkbox for something.

In their defence, curl isn't completely benign in this case. You just confirmed to the person who sent you the link that your email address is valid and reaches a person.

Also, there's no reason to believe that you're curling the same redirect as you get from clicking the link.

There's this thing compromised webservers do where, if you type in www.example.com into your browser, and go straight there, you get the normal web page. If you click a link from Google, and have a google.com referrer in your request, you get a little bit of JavaScript included that redirects you to another site to buy herbal remedies or fake watches or whatever.

If you are the business owner and go directly to your home page to see what's what, you think everything is fine; if you are a tech trying to debug it and you curl the webpage, everything looks fine [unless you curl with a referrer set]. You probably think Google has the wrong URL or something.

Likewise -- I don't know what a click-through from an email client looks like, but it wouldn't surprise me if there's an identifiable header or referrer or something. If that's the case, you could write your malicious URL shortener to redirect you to www.example.com/ if you curl it bare, or www.exam.ple.co/m/ if you have the redirect header. Curling the URL in question doesn't necessarily prove it's safe to click on.
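The check the comment above implies, written out as an added example (this is not the commenter's code): fetch the same URL with a plain request, a browser User-Agent, and a browser User-Agent plus a google.com Referer, then compare status, final URL and body across the variants. The header variants, the `Response` type and the fake server used to run it offline are this example's own assumptions; the default `urllib` fetcher needs network access.

```python
"""Detect referrer- or user-agent-conditioned cloaking: fetch one URL with
several header sets and report when the server answers differently.

Added example for the comment above, not the commenter's code. The header
variants, the Response type and the fake server are this example's own
assumptions; the default fetcher uses urllib and needs network access.
"""
import hashlib
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Response:
    status: int
    final_url: str   # URL the request ended up at after any redirects
    body: bytes


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"

# Request variants to compare. "bare" is what a plain `curl URL` sends.
VARIANTS: Dict[str, Dict[str, str]] = {
    "bare": {},
    "browser": {"User-Agent": BROWSER_UA},
    "google-referrer": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
}

Fetcher = Callable[[str, Dict[str, str]], Response]


def urllib_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Real fetcher: urllib follows redirects, so geturl() is the final URL."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return Response(resp.status, resp.geturl(), resp.read())


def fingerprint(body: bytes) -> str:
    """Short body hash, so findings are readable without dumping HTML."""
    return hashlib.sha256(body).hexdigest()[:16]


def probe(url: str, fetch: Fetcher = urllib_fetch,
          variants: Dict[str, Dict[str, str]] = VARIANTS) -> Tuple[bool, List[str]]:
    """Return (cloaking_suspected, findings). Each variant is compared with the
    bare request; any difference in status, final URL or body is reported."""
    seen = {name: fetch(url, headers) for name, headers in variants.items()}
    base = seen["bare"]
    findings: List[str] = []
    for name, r in seen.items():
        if name == "bare":
            continue
        if r.status != base.status:
            findings.append(f"{name}: status {r.status} vs bare {base.status}")
        if r.final_url != base.final_url:
            findings.append(f"{name}: redirected to {r.final_url} (bare: {base.final_url})")
        if r.body != base.body:
            findings.append(f"{name}: body differs ({fingerprint(r.body)} vs {fingerprint(base.body)})")
    return bool(findings), findings


def make_fake_fetch(cloaked: bool) -> Fetcher:
    """Constructed stand-in for a web server so the check runs offline.
    With cloaked=True it mimics the compromised server described above: a
    request carrying a google.com Referer gets a page with an injected
    redirect script, while a bare request gets the normal page."""
    normal = b"<html><body><h1>Example Co.</h1></body></html>"
    injected = normal.replace(
        b"</body>", b'<script>location.href="https://redirect.example/";</script></body>')

    def fetch(url: str, headers: Dict[str, str]) -> Response:
        if cloaked and "google.com" in headers.get("Referer", ""):
            return Response(200, url, injected)
        return Response(200, url, normal)

    return fetch


if __name__ == "__main__":
    for label, cloaked in (("honest server", False), ("cloaked server", True)):
        suspected, details = probe("http://www.example.com/", fetch=make_fake_fetch(cloaked))
        print(f"{label}: cloaking suspected = {suspected}")
        for line in details:
            print("  ", line)
```

Against the fake cloaked server only the `google-referrer` variant differs, which is exactly the case a bare `curl` misses. A real run replaces `make_fake_fetch(...)` with the default `urllib_fetch`; a difference between variants is a signal to inspect, not proof of compromise, since legitimate sites also vary content by User-Agent.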

Christ, that's depressing. I'm not much of a web guy, didn't know you could do this. Thanks for sharing...

Not that depressing. Audit your current web server configurations. You can dump the in-memory representation generally. Diff it with the on disk representation, and bam. Instant canary. If you're worried about a tainted on disk version, do the integrity check against a version invisible to the outside net.

Also, redeploy configs and reload on the regular, and you essentially force an actor to get an active foothold on your system to re-exploit and persist the compromise.

It's not impossible to defend yourself against these types of things if you're vigilant. You can also script your deployment to the point where you can nuke your site from orbit with minimal impact, and reestablish it. It's all about your threat model.

But yes. Things like nginx, apache & co are remarkably comprehensive in the things you can configure them to do. I find that my most dreaded part of standing up a new service is inevitably writing the load balancer/host web server configs.

No computing is 100% fire and forget safe though.
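The integrity check described in the comment above, as an added example (not the commenter's tooling): hash every file in the configuration tree, compare it with a baseline manifest kept where the server cannot reach it, and report anything added, removed or modified. The directory layout and file contents in `demo()` are constructed; the optional `dump_running_config` helper assumes the `nginx` binary is on the PATH and uses its `-T` flag to print the configuration the binary would load.

```python
"""Web server configuration integrity check.

Added example for the comment above, not the commenter's code. The sample
config tree in demo() is constructed; the baseline manifest would normally
live off-box (read-only volume, separate host, version control).
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Sequence


def hash_file(path: Path) -> str:
    """sha256 of a file, read in chunks so large includes don't load fully."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(config_dir: Path) -> Dict[str, str]:
    """Map relative path -> sha256 for every regular file under config_dir."""
    manifest: Dict[str, str] = {}
    for p in sorted(config_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(config_dir).as_posix()] = hash_file(p)
    return manifest


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Findings as 'TAG path' lines; an empty list means the tree matches."""
    findings: List[str] = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(f"{'REMOVED':<8} {rel}")
        elif rel not in baseline:
            findings.append(f"{'ADDED':<8} {rel}")
        elif baseline[rel] != current[rel]:
            findings.append(f"{'MODIFIED':<8} {rel}")
    return findings


def dump_running_config(cmd: Sequence[str] = ("nginx", "-T")) -> Optional[str]:
    """Ask the server binary to print the configuration it would load
    (`nginx -T` writes it to stdout). Hashing this alongside the on-disk
    tree catches a config that was edited on disk but not yet reloaded.
    Returns None when the binary is missing or rejects its config."""
    try:
        out = subprocess.run(list(cmd), capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout


def demo() -> List[str]:
    """Constructed scenario: take a baseline, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "nginx"
        (cfg / "conf.d").mkdir(parents=True)
        (cfg / "nginx.conf").write_text("worker_processes 1;\ninclude conf.d/*.conf;\n")
        (cfg / "conf.d" / "site.conf").write_text("server { listen 80; root /srv/www; }\n")
        baseline = build_manifest(cfg)   # in practice: stored off-box
        # Simulated tampering: one directive changed, one file dropped in.
        (cfg / "nginx.conf").write_text("worker_processes 2;\ninclude conf.d/*.conf;\n")
        (cfg / "conf.d" / "z-injected.conf").write_text("# unexpected file\n")
        return compare(baseline, build_manifest(cfg))


if __name__ == "__main__":
    for line in demo():
        print(line)
    running = dump_running_config()
    print("running config hash:", hashlib.sha256(running.encode()).hexdigest()
          if running else "nginx not available")
```

Run on a schedule, a non-empty result from `compare` is the canary the comment describes; pairing it with a periodic redeploy of the known-good tree means an attacker who only edited files on disk loses the change at the next reload.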

You're completely right of course, and I hadn't considered that.

However, there are apparently people scraping and reselling (or bribing employees, dunno) corporate directories. In my case everyone has firstname.lastname@corpo.com, so judging by the high volumes of creepy ass, targeted corporate spam I get on my work mail... this is hardly a public secret.

Not necessarily? What's stopping an email server from probing links in all incoming emails regardless of valid recipient for malware analysis purposes?

In fact, I would be surprised if, e.g., Gmail does not do this.

Our tests (outlook email) motherfucking bypass user filters too. I wrote some so I’d never have to worry about these damn things, but they go right through.

Guess I’m going to have to configure an actual user-agent email client that won’t screw me when someone else asks it to.

Funny you say that. Google is upfront about their intentions, but nobody believes them that they are not data mining this for behaviour tracking.

Can't win in that scenario

This old problem.

It's the word "win" that bothers me in this context.

Until one sees that conflicting models can make "security" a zero sum game, in which your security is my insecurity and vice versa, there is only psychological splitting, posturing and clamour for the "moral high ground".

Indeed, even using the word "security" as a bare noun is a mark of presumptuousness. One must always ask: security for whom? Security against whom or what? Security to what end?

Unilaterally imposing a harm (leaking of data) upon others is disdainful, but then offering "security" as your reason/excuse, is condescending, since you do not know what my security needs are and how they are prioritised.

When it comes to messing with my data or devices "for my own good" the only proper response is "I'll be the judge of that!"

Many then respond that "people are too stupid and need a firm hand", which is not a good look, and frankly cuts to the core of so many problems in technology today.

Companies like Google need a better moral, sociological and psychological map of reality before putting on their boots and marching off down the road of good intentions in the direction of Hell.

They can't win as a result of their own actions. Once you lose trust, it's hard to regain it.

Interesting, I wasn't aware Google had actually stated "we don't use this data for tracking, and we only use it for link protection" (does it?).

Assuming true: you are right in that it's basically no-win. The fact that Google draws so much revenue from advertising makes it difficult to reconcile.

Nothing short of a third-party code audit of Google's code against their asserted privacy policy would appease everyone. And even then, there would be doubters.

If they did state that, this would probably be legally binding in the EU under GDPR.

Why would anyone believe that they aren't? Or that they won't start doing it?

More importantly: Google is in a jurisdiction that can mandate warrantless surveillance orders that require realtime surveillance of given selectors (i.e. IPs or users). They comply or they go to jail.

Even if the stated and official policy of Google is to never track these, and everyone at Google is 100% on board with this and will never change, they are subject to being Agent Smith'd at any time by the FBI/DHS and NSA and CIA and the rest of the US IC, critically: without probable cause or a search warrant. The US has abandoned the rule of law and the constitutional protections against unreasonable search. This applies to every single US-managed services vendor.

The decision to track or not track is simply not in their hands. If they get handed an NSL, a FISA order, or a regular old search warrant, they have to start turning over everything they have.

Third-Party Doctrine nips pretty much every expectation of privacy in the bud before we even get to things like special carve-outs for Law Enforcement.

As long as SCOTUS holds that business meta-records shared with a third party intermediary waive any expectation of privacy, the 4th Amendment is basically moot unless you self host everything.

Things might change for the better if everyone can get there; it'd basically ruin the raison d'être of many of the business models currently espoused/searched for opportunities to implement here.

The Government loves when you build a platform. The Government hates when you enable everyone to set up their own platforms.

I would assume anyone trying to evade state-level actors wouldn’t be using Google Docs in the first place.

https://en.m.wikipedia.org/wiki/Petraeus_scandal

These secrets were kept in Gmail drafts.

> The US has abandoned the rule of law and the constitutional protections against unreasonable search

Those constitutional protections protect US citizens anywhere and noncitizens while they are in the US. Warrantless surveillance of communications affects noncitizens outside the US. The US is still very much a nation of laws.

Human rights to privacy do not hinge upon location or citizenship.

Indeed, the declaration (written by British crown subjects) makes it clear: “that all men are created equal, that they are endowed by their Creator with certain unalienable Rights”.

It doesn’t say “all Americans”. The constitution doesn’t grant the rights, it merely recognizes the existing ones... but you already know this.

> Warrantless surveillance of communications affects noncitizens outside the US.

We have also learned, again and again, that it affects US citizens, too, in violation of the law. The IC doesn’t care that much beyond keeping up appearances that they comply with the law.

These are the same people who ran torture centers, lied to Congress, got caught, and hacked Congressional computers to delete evidence, then got caught doing that, too. Nobody went to jail or was even charged.

The laws simply do not apply to the CIA.

> Indeed, the declaration (written by British crown subjects) makes it clear: “that all men are created equal, that they are endowed by their Creator with certain unalienable Rights”.

Three problems:

1. The Declaration is not the law of the land, nor does it grant "constitutional protections."

2. None of the inalienable rights it lists are protection against warrantless wiretaps.

3. Some of the rights clearly don't apply to foreigners because the Constitution, which is the law of the land, provides for warmaking.

> The constitution doesn’t grant the rights, it merely recognizes the existing ones... but you already know this.

The Constitution says how the government works. A society can decide to require court orders for surveillance or not. The US government requires them, while the British government does not.

> We have also learned, again and again, that it affects US citizens, too, in violation of the law. The IC doesn’t care that much beyond keeping up appearances that they comply with the law.

We've learned exactly the opposite from both recent leaks and from oversight reports. They try to follow the law closely.

You could say f-ck it, if nobody believes us anyways, let's just track the sh-t out of everything then

That's because they straight up lie about some things and use half truths for other things all while thinking they are being clever.

Since U.S. public school districts and students under the age of 18 use Google Docs pretty much exclusively these days, this seems like a privacy lawsuit waiting to happen.

I’m sure they can just print out a little pamphlet to shove in the Chromebook box that says “by being in the same room as this computer you agree to blah blah blah”. US consumer protection laws are worthless.

Safelinks in Teams is a policy that your administrators can manage...

https://learn.microsoft.com/en-us/microsoft-365/security/off...

I encounter similar annoyances with things like "link previews" (impossible for an internal site, or one which requires authentication), and as a result have come to slightly "obfuscate" all links I send through such software. Sometimes I just don't send any links at all --- something like "HN item 37776492" suffices.

Where I work the onboarding sheet instructs you to make a custom search engine for servicenow because it's way faster to bang in the record number than to use a link in Teams.

Why is this added to exported documents though? It should only add the redirect in the browser.

And there it is not needed. You could implement this in JS.

How does the fact that most links aren’t phishing links play into anything? Maybe we don’t need AV because most files aren’t viruses? You had enough of a point without this.
> Maybe we don’t need AV because most files aren’t viruses?

Since you used that example...

How would you feel if everyone in their neighborhood got assigned a private security officer that sits in their apartment doorway all day and notes who comes and goes? The company argues that it's to protect from the thieves and fraudsters, and indeed there are always some break-ins or grandparents scammed somewhere. Oh, and everyone gets an officer free of charge - it's paid for by the ads they wear on their vests and that play regularly on their walkie-talkies. Would you trust the security company that all the notes, taken by a person in the privileged position of observing everything in your home, will only be used to prevent crime and nothing else, ever?

Back to your example - AV companies are quite shady these days, and their products not all that useful relative to costs/damage and snooping they do.

This is a weird example you posed because it's a real thing. It's called a doorman and it's very popular in New York (it's considered a luxury to have one).

Indeed. Except in that poster's example, imagine the doorman isn't merely looking over the building. Every door in the building has a doorman. The doorman to the building is more palatable because it's beyond their capacity to monitor all activity and movement through the building.

The League of Meticulously Documenting Doormen on the other hand is a much greater threat to privacy. We're increasingly in jeopardy with regards to implementing that. The more we don't push back against unnecessary logging, the bigger the problem we're building socio-technically.

I see your point, but comparing this with an off-line AV scanner with a regularly updated internal database (assuming that's what you meant) is not an apt comparison.

The analog would be an AV scanner that sends a list of your files/hashes to a centralised server somewhere, so that the company can target ads related to your file contents (or sell your data...), in addition to warning you about viruses.

Agreed that % true positive is not a factor in whether or not to have a given security feature. But it is merely convenient that the vast majority of the usage of this "link protection" feature would benefit Google/MS and not the customer/user (assuming that Google/MS are data mining, which is yet unproven in this use case).

> The analog would be an AV scanner that sends a list of your files/hashes to a centralised server somewhere, so that the company can target ads related to your file contents (or sell your data...), in addition to warning you about viruses.

Is there an antivirus program that doesn't do this? I've been assuming for a very long time that Windows Defender does, Norton/McAfee/Avast too. I'd be shocked if they didn't.

I largely agree with you, but GP didn't specify they are talking about an off-line AV scanner. In fact Google itself has an online AV scanner that scans attachments in Gmail, files downloaded in Drive, etc.

> I'm pretty sure the stated intent of the redirect is to prevent phishing (that is, provide an opportunity for Google to warn users about visiting a known dodgy site). The ability to track is just an added bonus!

How do you know it's not the other way round?