This is an automated archive made by the Lemmit Bot.

The original was posted on /r/protonmail by /u/smiley_mcfrown on 2023-09-24 10:55:12.


TL;DR: Basically, the title, except I’m specifically interested in what they get from the URL even if you don’t sign in.

I wondered if I could get the 1GB upgrade despite not wanting to forward Gmail, and I noticed other account logins got marked just by clicking to visit the site. I tried the same with Gmail, but I noticed the URL going to Gmail has a ClientID among other things, so I closed the window.

Here is the URL with some redacted.

h t t p s : //accounts.google.com/v3/signin/identifier?opparams=%253F&dsh= ** &access_type=offline&client_id= **** .apps.googleusercontent.com&o2v=2&prompt=consent&redirect_uri=https%3A%2F%2Fmail.proton.me%2Foauth%2Fcallback&response_type=code&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly&service=lso&state=proton-web- ** &theme=glif&flowName=GeneralOAuthFlow&continue=https%3A%2F%2Faccounts.google.com%2Fsignin%2Foauth%2Fconsent%3Fauthuser%3Dunknown%26part%3 ** %26as%3D**%%26client_id%****.apps.googleusercontent.com%26theme%3Dglif%23&app_domain=https%3A%2F%2Fmail.proton.me&rart=

I’m concerned that, despite using a VPN, Google could match this connection with a Gmail account I had open on the same computer in a different Firefox window and container (Proton was in a private window).

Part of me says it’s unlikely Google have connected the two due to the amount of connections coming from a VPN, but the other part of me says I have no idea how advanced Google’s tracking is, and with browser signatures and the like it is possible.

Since I was trying to keep this email separate from me completely, am I going to have to kill this address and start again?

On a related note, /u/ProtonMail, I find it a bit strange and disappointing that for a privacy-focused company, you are forcing users to forward their Gmail (and therefore giving information to Google about their actions) to get extra storage.
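
An added example, not part of the original post: a short Python decoder for an authorization URL shaped like the one quoted above, sorting its query parameters into those defined by OAuth 2.0 (RFC 6749), documented Google extensions, and everything else. The `SAMPLE` URL is constructed, with `EXAMPLE` placeholders where the post has redactions, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Authorization-request parameters defined by OAuth 2.0 (RFC 6749, section 4.1.1).
# client_id names the registered application that built the link, not the visitor;
# state is an opaque value the application generates and gets back on redirect.
OAUTH_STANDARD = {"client_id", "redirect_uri", "response_type", "scope", "state"}
# Documented extensions: access_type=offline asks for a refresh token,
# prompt=consent forces the consent screen to be shown.
DOCUMENTED_EXT = {"access_type", "prompt"}

# Constructed sample modelled on the post's URL; EXAMPLE values are placeholders.
SAMPLE = (
    "https://accounts.google.com/v3/signin/identifier?access_type=offline"
    "&client_id=EXAMPLE.apps.googleusercontent.com&prompt=consent"
    "&redirect_uri=https%3A%2F%2Fmail.proton.me%2Foauth%2Fcallback"
    "&response_type=code"
    "&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    "&service=lso&state=proton-web-EXAMPLE&theme=glif&flowName=GeneralOAuthFlow"
    "&continue=https%3A%2F%2Faccounts.google.com%2Fsignin%2Foauth%2Fconsent"
    "%3Fauthuser%3Dunknown%26client_id%3DEXAMPLE.apps.googleusercontent.com"
    "%26theme%3Dglif&app_domain=https%3A%2F%2Fmail.proton.me"
)

def classify_auth_url(url):
    """Group the URL's query parameters by where they are specified."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    report = {"standard": {}, "extension": {}, "other": {}}
    for name, values in query.items():
        if name in OAUTH_STANDARD:
            report["standard"][name] = values[0]
        elif name in DOCUMENTED_EXT:
            report["extension"][name] = values[0]
        else:
            report["other"][name] = values[0]  # not covered by the two sets above
    if "scope" in report["standard"]:
        # scope is a space-separated list ('+' in the URL decodes to a space)
        report["standard"]["scope"] = report["standard"]["scope"].split()
    return report

def nested_params(url, name="continue"):
    """Decode the query string of a URL that is itself carried in a parameter."""
    outer = parse_qs(urlsplit(url).query, keep_blank_values=True)
    inner_url = outer.get(name, [""])[0]
    return parse_qs(urlsplit(inner_url).query, keep_blank_values=True)

if __name__ == "__main__":
    for group, params in classify_auth_url(SAMPLE).items():
        print(group, params)
    print("continue ->", nested_params(SAMPLE))
```

The decoder covers only what is written in the URL; the IP address, headers and cookies sent with the request are outside what it inspects.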