Google has been quietly keeping track of nearly every single online purchase you’ve ever made, thanks to purchase receipts sent to your personal Gmail account, according to a new report today from CNBC. Even stranger: this information is made available to you via a private web tool that’s been active for an indeterminate amount of time. You can go view it here.

Because I made my Gmail account nearly a decade ago, my purchase history stretches back as far as 2010, including purchases I made while I was a college student and those through Apple’s App Store, which has been linked to my Gmail account since its inception. It also includes some real-world transactions made using my credit card, thanks to point-of-sale software providers like Square and others that link your credit card number and name to an associated email account to deliver receipts, offer rewards programs, and, in some cases, collect valuable purchase data.

“To help you easily view and keep track of your purchases, bookings and subscriptions in one place, we’ve created a private destination that can only be seen by you,” Google told The Verge in a statement. “You can delete this information at any time. We don’t use any information from your Gmail messages to serve you ads, and that includes the email receipts and confirmations shown on the Purchase page.” Google did not say how long this tool has been active.

Google knows pretty much everything you’ve bought that was linked to your Gmail

According to CNBC, the company says it does not use this information for personalized ad tracking; Google said back in 2017 that it would stop using data collected from Gmail messages to personalize ads. You can also delete the information from the Purchases webpage, but you must do so individually for each recorded transaction.

Google, like Facebook, knows an immense amount of information about you, your personal habits, and, yes, what you buy on the internet. And like the social network it dominates the online advertising industry alongside, Google gets this information mostly through background data collection using methods and tools its users may not be fully aware of, like Gmail purchase receipts. This is true of web tools like Gmail and smart assistants, which are increasingly coming under scrutiny for the ways the data that software collects is observed by human employees during the artificial intelligence training process.

This particular tool is not outright nefarious in an obvious way, but it does highlight Google’s struggle to transparently communicate its privacy policies and ad-tracking methods as Silicon Valley at large grapples with a more sensitive atmosphere around data privacy and security. The idea that this tool, and the technology to collect and present the data it provides, has existed quietly without a majority of Gmail users aware it exists echoes similar issues Google has faced over the last few years.

google claims this difficult to find, hard to delete itemization of my entire purchasing history is to "help me keep track of all my shopping habits in one place"



total BS. it's to help google keep track of all my shopping habits in one place. https://t.co/w7g1ka98wb pic.twitter.com/c9SWNBr5AK — rat king (@MikeIsaac) May 17, 2019

Those include a controversy over third-party app developers pulling data from the contents of Gmail messages, an auto-login feature for Chrome that would sync web browsing with your Gmail account, and reports that Google supplemented its ad-targeting tools with Mastercard purchase history data to provide advertisers a link between online ad impressions and real-world purchases. All of these situations contribute to a common theme: Google offers users a compromise that involves trading products and web services in exchange for data that the company will collect through a variety of means you may not know about and have little to no control over. That data is then used to help Google target ads, a division of its business that’s largely responsible for it becoming one of the most valuable corporations on Earth.

The existence of such purchase history tool that knows a scary amount of your offline and online behavior stretching back years, even if it is private, does not square nicely with Google CEO Sundar Pichai’s op-ed in The New York Times last week. Timed to the company’s I/O developer conference, Pichai wrote that “privacy cannot be a luxury good,” a subtle swipe at Apple and a pledge to remake Google’s image as one concerned with broad, inclusionary access to privacy tools that give you more control and provides more transparency.

Someone asked me today why Google gets less privacy flak than Facebook despite collecting more (+ more intimate) data.



My theory is that Google takes ppl's data in exchange for useful things (maps! docs! mail!) while FB exchanges data for things that make them sad and angry. — Kevin Roose (@kevinroose) May 8, 2019

Google is improving on this front, and it’s making an effort to make sure users are aware of what is being collected, how it’s collected, and what ways it can be deleted. As part of its I/O announcements, Google announced a new privacy policy for its smart home devices, given they contain microphones and cameras and are designed to be plugged in inside your home.

It also announced new tools for users to better control ad tracking in Chrome and Incognito mode options for both Google Maps and Google search, following an extension of the Chrome browsing Incognito feature to YouTube last year. One cornerstone of the upcoming Android Q operating system update is better and more transparent privacy and data deletion tools. Google also said earlier this month that it would soon let users auto-delete location, web, and app data collected across its products and services either after three or 18 months on a rolling basis.

Yet Google will only continue to face scrutiny for tools that, while benign in nature, reveal the true extent of the company’s depth of knowledge that it has stored on its users. Fixing its image will require more than a Pichai op-ed or the pledges of executive onstage at a developer conference. In an interview with CNET ahead of I/O last week, Google ad chief Prabhakar Raghavan resisted the notion that the company should turn its more significant privacy tools on by default, saying the approach would be “ham-handed.”