Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security

How Email Open Tracking Quietly Took Over the Web (wired.com) 116

Brian Merchant, writing for Wired: There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an "email intelligence" company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email -- usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online. But lately, a surprising -- and growing -- number of tracked emails are being sent not from corporations, but acquaintances. "We have been in touch with users that were tracked by their spouses, business partners, competitors," says Florian Seroussi, the founder of OMC. "It's the wild, wild west out there." According to OMC's data, a full 19 percent of all "conversational" email is now tracked. That's one in five of the emails you get from your friends. And you probably never noticed.
This discussion has been archived. No new comments can be posted.

How Email Open Tracking Quietly Took Over the Web

Comments Filter:
  • by v1 ( 525388 ) on Monday December 11, 2017 @02:22PM (#55718153) Homepage Journal

    just uncheck this in your email reader. done.

    then if you need to see the images they embed, click the "load remote content" button in the viewing window when you open it.

    I actually got a surprise recently, an email from a vendor saying "you haven't engaged with any of our recent emails, here's a 10% off coupon for your next purchase". Well, we know what they mean by "engaged", don't we? :)

    • just uncheck this in your email reader. done.

      It is possible that you don't even need to do that. Some email clients do not read remote content by default.

      Gmail used to do that. But they changed their policy in 2013, around the same time they dropped their "Don't be evil" motto.

      • Still by default for me. Unless I want to see any images, I don't see any images.

      • by anegg ( 1390659 ) on Monday December 11, 2017 @07:53PM (#55720835)

        I'm not sure anyone using "gmail" as their primary e-mail service is very worried about "tracking."

        • by epine ( 68316 ) on Monday December 11, 2017 @08:03PM (#55720919)

          I'm not sure anyone using "gmail" as their primary e-mail service is very worried about "tracking."

          So far I trust Google's immense appetite to keep all the cream for themselves. They might track, but they don't share (so far as I've read).

          I've also never seen anything from Google that I didn't know was from Google, so as a personal privacy attack surface, it's so far been fairly conspicuous.

          Google knows everything about me from my search history already (on the order of one million data points).

          Not that I don't have my own e-mail service (as well), but I estimate the my added exposure from Google knowing 99% of my life (by means of my e-mail) instead of 98% of my life (through search alone) as fairly small.

      • by AmiMoJo ( 196126 )

        Gmail still doesn't load remote content by default. On the web site or in the mobile app on android. Have not checked iOS.

    • just uncheck this in your email reader. done.

      then if you need to see the images they embed, click the "load remote content" button in the viewing window when you open it.

      But, better yet, if using an email client, like Thunderbird, read your mail as plain text. This cuts out a LOT of crap.
      [ Thunderbird: View -> Message Body As -> Plain Text ]

      But your recommendation is a good default setting for those cases where the email is all HTML (sigh).

      • by Z00L00K ( 682162 )

        And Thunderbird also blocks remote content by default to protect your privacy.

        I wouldn't say that Thunderbird is immune to this kind of tracking, but it's at least pretty good. Unless you use command line mail clients like elm.

    • by klubar ( 591384 ) on Monday December 11, 2017 @03:28PM (#55718693) Homepage

      Gmail rewrites your img tags to point to a google server. This is done to speed up emails (the images are loaded off a google server) and to cache the images (if multiple emails download the same image, google only needs to fetch the image once). Google also claims to check the images to make sure they don't contain an malicious code.

      In this case, it looks like every email is read (as the images are always downloaded). The browser string also reports as google, and the IP address of the download is also a google IP address. Not very useful for tracking.

      Many corporate email systems use something like Barracuda which also downloads the images and re-writes the image tag. When you look the reader's IP address, you'll see it's one of barracuda's servers. Barracuda also check all the hyperlinks to make sure that they don't point to malicious sites. They also rewrites on the email links, so they are checked in real time when the recipient clicks on them. (The links are turned into a Barracuda link, then Barracuda checks the link at the time the user clicks on it to make sure it is still not malicious. If it's ok, the Barracuda link does a http redirect.

      Open rates pretty much a bogus statistic these days, although we still talk about them. Between Barracuda- and Google-like approaches, if someone tells you they didn't read your email, they may be telling the truth.

      • I don't think Google does this out of the goodness of their heart. This basically allows them to intercept all marketing email and then perform their own analytics on it, denying the opportunity for the original marketers to do it. Google, like Facebook, and every other absurdly valued "tech" company out there, is in the business of data collection. When it comes to invasion of privacy, they are far more the disease than the cure.
      • by Agripa ( 139780 )

        Gmail rewrites your img tags to point to a google server.

        Do you mean in the gmail web client? Emails that I fetch to my local client do not have rewritten image tags.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I was surprised by an overdue credit card bill. I had email bill alerts enabled but when I logged in they had been inexplicably turned off. I called support and they said since I didn't read any of my alert emails they disabled them (read: I have remote content loading disabled so their trackers didn't load).

      CapitalOne, they are run by pieces of HUMAN GARBAGE.

    • by anegg ( 1390659 )

      Exactly - don't load remote content automatically. And when you get an e-mail that is essentially blank because its all remote code/images, you just delete it. All of the "campaign" e-mail sites (e.g. MailChimp) that I am familiar with automatically embed tracking in the messages that they send, so I'm not surprised at the amount of tracking going on. Whether or not that tracking is a prime requirement of the sender (or even actually monitored), or just came along with the mailing function, is not clear

  • e-mail is not web (Score:4, Interesting)

    by arth1 ( 260657 ) on Monday December 11, 2017 @02:24PM (#55718159) Homepage Journal

    Stop using a web client to read e-mail, and it isn't a problem.

    And if you're an admin, configure your SMTP servers to mark e-mail containing links to trackers as potential malware.

  • by Opportunist ( 166417 ) on Monday December 11, 2017 @02:26PM (#55718187)

    There are still mail clients that don't disable loading images by default?

    And they get used?

    Then I guess the people using them don't mind being tracked. Where's the story?

    • by gnick ( 1211984 )

      There are still mail clients that don't disable loading images by default?

      Gmail defaults to loading external content and is very popular.

      There are other reasons to avoid Gmail.

      • by mlyle ( 148697 )

        Gmail usually preemptively loads remote content. e.g. it's not tied to whether you look at the message.

      • I thought that Gmail, the web application and the mobile application, use a proxy for image delivery: https://gmail.googleblog.com/2... [googleblog.com] Please correct me if I am wrong.

        From the twenty seconds I spent researching this, it looks like companies that do e-mail tracking tell that Apple devices are the ones getting like 45% of the e-mails - just check https://emailclientmarketshare... [emailclien...tshare.com] . I find this number a little bit too high and probably biased, so let us forget about these companies. Anyhow, there are better

      • Gmail defaults to loading external content and is very popular.

        "Gmail" as a service doesn't actually do that... you are speaking of the web interface to it which you do not have to use. In fact, I always recommend using a proper e-mail client with gmail over IMAP on both desktop and mobile.

        Amongst the advantages are:

        1. No remote content unless you specifically want it.
        2. No ads
        3. The ability to use GPG or S/MIME.

      • Gmail retrieves all remote content whether the email is opened or not, and then caches the resultant images (which isn't hard since they are all the same image with different filenames). When you open the email you are only seeing the cached image. Since all images are retrieved at the time Google's servers receive the email, there is no information the sender can get from that image retrieval.

    • Google proxies images including tracking ones/web beacons in HTML email. In short, they scan the HTML, any images they fetch via their proxy servers and then when you open your email, it gets loaded from Google, not the originally intended server. Hence, if you send email to a Gmail account and include a tracking image, it will always show as opened (because Google retrieved the image) regardless of whether you opened it. However only Google will know whether you really opened it. Thus, privacy is a relativ
  • by Anonymous Coward

    And you probably never noticed.

    This is Slashdot: News for Nerds, Stuff that Matters. We noticed. Hell it was probably one of us that first thought up the idea of using web bugs to track HTML formatted mail. We have all had it disabled in our mail readers since before you were born.

    Wake the fuck up M'Smash and understand who your audience is.

    • by Rakarra ( 112805 )

      I think the difference here is the rise of email tracking used by people you know. Companies have always tried to track us.

  • They are definitely right. I haven't noticed the tracking. I don't open images in email, so I wouldn't notice that a 1x1 image was missing from an email. But then again, if my client reported unopened images and I didn't see a spot where an image ought to load, I would probably realize that whoever sent the email is attempting to track me.
  • by Jody Bruchon ( 3404363 ) on Monday December 11, 2017 @02:36PM (#55718279)
    Email clients have been set to not load remote content by default for over 15 years. Gmail caches remote content to its own servers making tracking bugs in emails mostly useless unless you click an outbound link with tracking data in the URL. Unless you've changed the default setting from "DON'T load remote stuff by default" then you've not been trackable for a really long time. Who needs anti-tracking services? All I have to do is not click on any links. This is an old story. I wonder if the Wired article is "sponsored content;" they are, after all, one of the companies that has complained a lot about ad blockers, so I know they're pretty hard up for dollarydoos.
  • by QuietLagoon ( 813062 ) on Monday December 11, 2017 @02:38PM (#55718293)

    ... When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device ...

    My email client is configured to not allow remote connections when I read an email. Some emails are not readable without allowing the tracking stuff, so I don't read them. It is as simple as that. So far, not one important email has been unreadable with remote access disabled.

  • This is precisely why I don't allow my email reader to load any external resources (like images), and half of the reason why I don't allow my email to be interpreted through an HTML parser.

  • Could use a mail client that doesn't automatically load images and break the trackers. The article makes the assumption that all of this email is using some sort of service that does mail tracking (Constant Contact, Mail Chimp, etc.). I don't use mail clients that do tracking.
  • I got an email from him back in 1997 stating that he was testing his email tracking software and I was selected to help him test it if i forwarded on the message.

    Where's my money Bill? Where?!?!?!

  • ...your email client doesn't automatically download external links. Which is the default behavior of most clients these days.

  • by gweihir ( 88907 ) on Monday December 11, 2017 @03:23PM (#55718645)

    I read email with Mutt, no tracking. If it is HTML-only, it gets converted by Lynx, no includes, again no tracking. The whole problem would not exist without the insanity of misusing web-browsers to display emails.

  • We all know about the issues with users being tracked along with profiles being made and identities sold, but I can't be the only one who automatically distrusts someone who sells a product tells me how dangerous the world is without their product. It reads too much like paid advertising. (https://www.smithsonianmag.com/smart-news/marketing-campaign-invented-halitosis-180954082/)
  • On the issue of plain-text vs HTML email, it is not a debate, it is a litmus test. If you send HTML email or insist or reading in that format, you simply don't know enough about email to use it responsibly. Sorry, I know that is harsh, but there is no good reason to send or read HTML email. Meanwhile, in addition to privacy issues, you have spam ones (tracking pixels let the spammers know you are a live email), the phishing ones (HTML obfuscates the true target of links or origin of images), and malware one
  • Pretty simple. Don't use an email client that supports that bullshit, problem solved. :)

  • There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day.

    I'm getting way more than my fair share, then. Because I receive upwards of 500-1000 spam emails every single day.

    • by shanen ( 462549 )

      There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day.

      I'm getting way more than my fair share, then. Because I receive upwards of 500-1000 spam emails every single day.

      I wish I could thank you for taking care of part of my share, but I think I'm getting at least that many per day, too. It's getting hard to tell unless you actually look for the false positives. These days I only check my primary email address for them.

      Much worse is the false negative problem that allows the spammers to confirm an email address using this same technique as long as they can get one of their spams to slip past the filters. Also annoying are the Facebook- and Google-linked spams, where the ann

  • Eventually most adults figure this out when they get that one add that's waaaaay too close to creepy after searching for something like Preparation H or morning after pill. As for the rest, guess what, that third of the adult population actually wants those ads. They find those ads economically important and, more power to them. You will not change their minds.

  • My editor and I use alpine - and we work reporting music. Yet, we have to open attached files only infrequently. Plain text works just fine virtually all the time, while eliminating many risks.

  • Security experts should now recomand using text mailers such as mutt, pine or ELM. Or at least GUI-based mailer that do not support HTML.

    Unfortunately, I suspect I will not see that coming.

  • Luckily my thunderbird defaults to text and even when I enable HTML images aren't loaded automatically.
  • by Agripa ( 139780 )

    When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device.

    Huh? I open hundreds of emails a day and my email client does not fetch embedded objects unless I specifically ask it to.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...