Is Google Photos THAT bad for privacy?

I don’t have that much money right now so I’m trying to cancel unnecessary subscriptions and I have an old Pixel XL with unlimited Google Photos storage that I could use.

afaik, Google doesn’t use your photos for AI training (unless you give them permission to do so) and aren’t used for any sort of ad targeting.

I kinda expect the type of answers that I’ll get but I had to ask anyways, just in case. Most threads I found talking about this (on Reddit mainly) were pretty old, so maybe the situation had changed over the years.

We don’t sell your personal information to anyone or use the content you store in Photos for ads purposes.

A quick search finds this page which claims they don’t use it for ads, but no statement on AI training.
Even if this is true (and not just “technically true”), there’s nothing that stops them from using your photos for those purposes in the future since it’s not zero-access encrypted.

It’s ultimately up to you if you want to take that risk.

It depends on your threat model.

They don’t offer E2EE so it’s all up to if you trust them not to misuse your photos. I think Google has a decent security track record so it’s not likely they’ll be exposed in a security breach.

I believe they require a warrant for law enforcement to access it so if you don’t expect to be investigated by law enforcement, it should be ok.

I am a bit buffled, these privacy claims are still taken seriously.

OP asked a data privacy-related question concerning Google, not about specific security aspects, if I understand correctly.

This guy got his google account nuked because google auto scan marked his son pic that are sent to his doctor for seeking advice as csam. Even after the police are involved and cleared the guy from any wrongdoing, google wouldn’t budge and the guy still lost his whole digital life overnight.

Your mileage may vary, but i don’t trust any google product for any critical things. Even if theres no other choice for gphotos, I’d only use it with local encryption via whatever encryption tools out there, no yolo let it upload cleartext.

Which is why I specified “Even if this is true.”

@fria Could you elaborate, why you think, “it should be ok” to use Google Photos, “if you don’t expect to be investigated by law enforcement” - given OP clearly asked for a honest opinion about this product from privacy perspective?

if someone is asking generally, if Google (any of its products) is “bad for privacy”, the answer in a privacy-focused forum - esp. from one of its team members - should be yes.

Security aspects certainly play a role - like breaches leading to uncontrolled data efflux. And you are right, Google products are reasonably secure. But very cynically formulated, it’s like one is communicating with their stalker over a secure channel. You always pay with the data. Google doesn’t make $402.8 billion / year by selling subscription based photo services. Their lawyer section certainly is big enough to make up for irrefutable, non-provable and privacy washing statements like “We don’t sell your personal information” or “ads purposes” (what does that even mean).

Google photos is mass surveillance.

He later found out that Google had flagged another video he had on his phone and that the San Francisco police department opened an investigation into him.

Google scanned his private photos and then called the police on him. I would not trust my photos with a non-e2ee storage solution.

Even IF you are deciding to trust Google’s privacy practices as they are written today (a questionable decision in my view, but everyone is free to build their own threat model), you are ALSO trusting that this data will never be compromised - hack, rogue employee, future data sharing agreement, updates to privacy policy, etc

The only way to mitigate these potential future threats is zero-knowledge encryption at rest, which I do not believe Google Photos provides

I was going through the common threats that you’d expect from a cloud provider, the main one being the provider itself accessing your photos, which is why I said you need to trust Google not to misuse your photos.

Security breaches are another possible threat, which are mitigated by E2EE, but it’s something that I wouldn’t be too worried about since Google has good security in its cloud infrastructure.

Access by law enforcement is another major threat that non-E2EE services are vulnerable to, so I elaborated their policy of requiring a warrant, assuming you trust Google. The “it should be ok” was specifically in reference to this point not as a whole.

I was trying to have a nuanced rundown of the major threats people are generally worried about and what I think the likelihood of having to deal with them is. Obviously it’s best to have an E2EE provider, and that would mitigate all of these.

As others brought up, they do scan your photos which is a concern, if one of your photos wrongly triggers their system then that’s going to be a big problem.

I think the answer is in your thread title “THAT bad”; it’s subjective based on your needs and values.

People who need stricter privacy and can afford it avoid Google — a company that provides many services in exchange for personal data — at all costs. People who need the services, they trust that the providers will follow what they say they are going to do with the data.

If a provider doesn’t follow through, they can be sued and fined, but that’s often just a cost they can “budget” for. Economic needs sometimes override privacy values; that’s true for people everywhere.

As others have pointed out, its that bad

But I do understand where you’re coming from, you want to take advantage of a still existing loophole to get unlimited google photo storage (Until google finally shuts the light on that)

I would say its fine ON THE CONDITION you watch what you upload to google photos

if its honestly say photos of landscape and stuff and doesn’t involve a person or people being in it and you strip metadata, I’d say it can be a pretty safe bet but that’s what I’d limit it to, I’d otherwise rather use something like Ente instead or Immich even if its not unlimited

Oracle free VPS comes with 200 GB of storage. Could host ente photos on there.

Downsides are it’s KYC, if 200 is enough for you, backups, and setup.

Yes

…umm, and the encryption….?

For a VPS, you can host any client-side encryption software you want to, including Ente.

Ente Photos is e2ee so you don’t need to trust the server.

No, you certainly need to trust the server implementation to not to be malicious when establishing a connection to it, just like any other server.

You essentially have three options.

  1. Cough up money and subscribe to Ente.
  2. Use Google Photos and trust that they’ll not use your data for training.
  3. Self-host via Immich/Ente and be done with it.

Beyond that, it’s not worth fretting over. You either trust google, or you don’t. Ente is expensive, but that’s the only “real” private and secure solution out there short of self-hosting stuff yourself; which has its own shortcomings and headaches.