Gmail images

Google today announced that it is (for better or worse) finally going to get rid of that annoying "show images" button in Gmail

The gist is that embedded images will be routed through Google's severs and then transcoded, ensuring you won't get hit with any malware. If you're worried about bandwidth — or just don't want to fix something that's not broken for you in the first place — you'll be able to keep the status quo in the settings.

The web version of Gmail is up first, and the mobile apps will see this feature early next year.

Source: Gmail Blog


Reader comments

Gmail will automatically show images in e-mails


This is a cool change for most, but I get emails from everyone concerning everything. I can't take the risk of opening an email and nudes pop out and I'm at work or something haha. I'll opt out.

Posted via my Nexii 4 using the Android Central App

Well played

My phone can beat up your phone. It's bigger, badder and has more moves. If worse comes to worse, it also comes with a sword.

I'm guessing work is the only place most people use the web interface to gmail.

With every mainstream email package able to handle Gmail via Imap, there is no reason to suffer the web interface.

Now how long before the native Email app gets this as well? Hopefully not too long. It's one of those features everyone else has that Android doesn't.

I can't say I am completely happy about this. I hope its something you can turn off. Only because if you are at work its nice to have images off.

Four letters... do you really expect me to read all that?!!??!?!!!?!????!!!!!!?!?!??!

Yes, I know someone will say the same about this comment... :P

About time...I keep telling to always show messages from senders (including Google stuff) and every time I open a new email I still have to click on show images which is rather annoying so I'm glad to see this coming.

I can. Automatically showing an image loaded from a server in an email is a convenient way for a spammer to verify that he's spamming an active email address. Other than that, a welcome change.

Posted via Android Central App

Exactly what I was going to comment. Google's newest feature: Auto address validation to spammers. So, what was wrong with white listing addresses for future e-mail with a click, and people in your address book being white listed?

Finally, lol. This was getting so annoying because sometimes you would click the damn thing and then they next time u got an email from the same person it would still ask you again for whatever odd reason

Posted via Android Central App

Finally... this was getting tiring. Especially for Rom installers, it's no fun going through enabling for everything all over.

The reason the hiding of images was implemented by Google was to prevent spammers from using image retrieval to confirm that an email address was valid. They could embed your email address in the call to the image and they would know that the email address is valid when you retrieved it.

It looks like Google has solved this by becoming the middle-Man between you and the image, probably stripping out the portions of the address that identify the source the outbound request.

The blog post doesn't mention anything about removing identifiable information from the image http request. All it says is that it proxies them and scans for viruses and malware. Besides, it may not be obvious how the image URL is encoding your email address. It could be hashed to anything. I think the spammer confirmation risk is still there.

Unless Google strips out those Unique Identifying images from the email source all the tracking capabilities are still there.

Almost every email with images has some tracking images embedded with Unique Ids.
Often these are single pixel images. Some of these are under a HTTPS url, so Google can't realistically proxy them.

There are companies that provide this as a service: Google emltrk and take the first hit. There is an image from that company in every american express email as well as hundreds of other companies. Look for that in the source of you emails. It is always a link to a one pixel image with a unique name.

Showing the pictures is self serving, protecting google's interests (advertising). They aren't doing you any favors here. They are helping themselves out.

This is really going to come down to how Google implements this feature.

The tracking pixel is going to keep count of how many times you open the email, and cookies are probably used to see if you clicked through or were a prior visitor.

The cookies probably break no matter what-- unless Google's going to violate a very basic tenant of the HTTP protocol, they aren't allowed to read cookies set by another domain. That means that when they proxy the request, that data won't be sent, and any cookie sent back won't be set.

Google could easily break that, particularly in the app, but I think they'd get too much heat if it was discovered that they were sending other company's cookie data back to their own servers; they've had too much history of hanging onto data they weren't supposed to.

The count will depend on how Google implements this.

If they simply proxy every request, then things should be fine.

However, there's an argument to be made that rather than proxying every time, they would cache the result so they don't have to deal with all those requests and transcoding. In that case, it wouldn't ever look like you opened a message more than once. There are a lot of reasons NOT to do this, such as missing out that an image changed on the remote server, but it's not outside the realm of possibility that Google might roll the dice and try to save themselves some bandwidth.

Further, Google might look at preemptively caching the images-- if a newsletter's going to 1M people, why not grab all those graphics as soon as the first message arrives, rather than waiting for someone to open it? Better to take the server hit once at 2AM than deal with it at 9AM when everyone gets to work.

In that situation, the tracking pixel is going to record that EVERYONE opened the email, because Google went and snagged a copy.

HTTPS really doesn't change anything-- Google can't IMPERSONATE being the remote server, but they can proxy it without issue. Your email is almost certainly going to be rewritten so that all the image links now go to the proxy instead of the original location, so as far as you know, you're just trying to get all your images from Google.

Wait, this has nothing to do with coolies. You'r totally on the wrong track here.

These things embed a unique URL for this image in your mail and then they simply watch their web logs in real time to see if it was fetched when the mail was opened.

They don't need cookies. Your browser fetched the image, therefore they know the email address they sent it to is valid, and you saw the email. That's all they wanted.

And google is now going to hand that to them, by fetching them when you use the web interface.

If google fetches these for you in the background even before you open the gmail webpage, (i.e. without your permission), the trackers STILL win, because they know your email address is valid. I don't think Gmail will do this because it just helps the spammers.

The only way you can avoid helping the trackers is use gmail via IMAP clients (Thunderbird, K-9) or turn this feature of Gmail-Web off. They don't fetch the images at all unless you ask/set them to.

Ars explained this in a lot more detail... Basically, Google sees the same image listed in many emails and downloads it to their cache, then rewrites all of the related emails and strips out the image call with all of its embedded UID info and replaces it to a link to the image in Google's cache. This will piss off the marketers, but it makes Gmail much more private for users who don't want to announce to marketers that they have opened an email. See

Posted via Android Central App

I think all these images will significantly add to our phone storage. I haven't found an easy way to selectively purge old image data.


I think it would have been nice to have to click from a sender one time to enable and then have that remembered on google's servers accross devices so that you never have to click it again if you don't want regardless of device or chronic rom flashing. It could be one of the sync options, sort of like remembering tabs or syncing passwords or bookmarks. Yes, for me it was annoying everytime I would flash a rom or buy a new device or whatever I'd have to enable them all over again but if google just remembered your selection on their servers it would solve that part of it and sort of be a middle ground vs either all on or all off.

I don't mean to bitch, but that first sentence is horribly constructed. Because you've chosen a passive construction, it reads awkwardly. Today didn't do the announcing, Google did; therefore, "Today Google announced..." would have been the proper way to construct the sentence.

Interesting. This will make impacts in the marketing industry. Last I checked, COs were still serving up php mime-type image for php files and measuring card viewings that way.