How Email Open Tracking Quietly Took Over the Web

Brian Merchant, writing for Wired: There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an "email intelligence" company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email -- usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online. But lately, a surprising -- and growing -- number of tracked emails are being sent not from corporations, but acquaintances. "We have been in touch with users that were tracked by their spouses, business partners, competitors," says Florian Seroussi, the founder of OMC. "It's the wild, wild west out there." According to OMC's data, a full 19 percent of all "conversational" email is now tracked. That's one in five of the emails you get from your friends. And you probably never noticed.

"enable loading of remote content"

[v1]

just uncheck this in your email reader. done.

then if you need to see the images they embed, click the "load remote content" button in the viewing window when you open it.

I actually got a surprise recently, an email from a vendor saying "you haven't engaged with any of our recent emails, here's a 10% off coupon for your next purchase". Well, we know what they mean by "engaged", don't we? :)

Re:

[klubar]

For as much as everyone knocks Outlook as an email client, not download images has been the default since at list O2003 (and I think O'97). This may be the origin of Marketing's reported open (read) rates.

Re:

[cayenne8]

I just send and receive text emails....no html.

Re:

[VernonNemitz]

My email client is set to disallow the running of JavaScript. I'm sure that if I'm mistaken, that that prevents the active content of an email from getting acted-upon, folks here will be glad to correct me of that error.

Re:"enable loading of remote content"

[Cederic]

If someone sends you a HTML format email that includes a simple image tag referencing a server hosted image then you can be tracked unless you disable third party images.

No javascript required.

Re:

[angel'o'sphere]

Same ...

Re:

[schleimkeim]

Yeah because Outlook was a ridiculous security risk back in the days. Remember I LOVE YOU?

Re:

[TheCarp]

There is an even more sane default.... to only support text.

HTML doesn't belong in email; images should be attached to be downloaded and viewed in another application.

Simple, and has worked flawlessly for me since the 1990s. Formatting isn't content, not having it is no loss at all.

Re:

[rtb61]

Also all email should be encrypted by default. Not particular complex encryption, it doesn't need to be all that complex, just sufficiently complex that it needs to be decoded to be read. Similarly to the security of a paper envelope for snail mail, the only reason to encrypt is to tie a criminal penalty for decrypting other people's email without their permission and the penalty, why exactly the same as illegally opening other peoples letters.

Re:

[ShanghaiBill]

just uncheck this in your email reader. done.

It is possible that you don't even need to do that. Some email clients do not read remote content by default.

Gmail used to do that. But they changed their policy in 2013, around the same time they dropped their "Don't be evil" motto.

Re:

[mrbester]

Still by default for me. Unless I want to see any images, I don't see any images.

Re:"enable loading of remote content"

[anegg]

I'm not sure anyone using "gmail" as their primary e-mail service is very worried about "tracking."

Re:"enable loading of remote content"

[epine]

I'm not sure anyone using "gmail" as their primary e-mail service is very worried about "tracking."

So far I trust Google's immense appetite to keep all the cream for themselves. They might track, but they don't share (so far as I've read).

I've also never seen anything from Google that I didn't know was from Google, so as a personal privacy attack surface, it's so far been fairly conspicuous.

Google knows everything about me from my search history already (on the order of one million data points).

Not that I don't have my own e-mail service (as well), but I estimate the my added exposure from Google knowing 99% of my life (by means of my e-mail) instead of 98% of my life (through search alone) as fairly small.

Re:

[AmiMoJo]

Gmail still doesn't load remote content by default. On the web site or in the mobile app on android. Have not checked iOS.

Re:

[fahrbot-bot]

just uncheck this in your email reader. done.

then if you need to see the images they embed, click the "load remote content" button in the viewing window when you open it.

But, better yet, if using an email client, like Thunderbird, read your mail as plain text. This cuts out a LOT of crap.
[ Thunderbird: View -> Message Body As -> Plain Text ]

But your recommendation is a good default setting for those cases where the email is all HTML (sigh).

Re:

[Z00L00K]

And Thunderbird also blocks remote content by default to protect your privacy.

I wouldn't say that Thunderbird is immune to this kind of tracking, but it's at least pretty good. Unless you use command line mail clients like elm.

Re:"enable loading of remote content"

[klubar]

Gmail rewrites your img tags to point to a google server. This is done to speed up emails (the images are loaded off a google server) and to cache the images (if multiple emails download the same image, google only needs to fetch the image once). Google also claims to check the images to make sure they don't contain an malicious code.

In this case, it looks like every email is read (as the images are always downloaded). The browser string also reports as google, and the IP address of the download is also a google IP address. Not very useful for tracking.

Many corporate email systems use something like Barracuda which also downloads the images and re-writes the image tag. When you look the reader's IP address, you'll see it's one of barracuda's servers. Barracuda also check all the hyperlinks to make sure that they don't point to malicious sites. They also rewrites on the email links, so they are checked in real time when the recipient clicks on them. (The links are turned into a Barracuda link, then Barracuda checks the link at the time the user clicks on it to make sure it is still not malicious. If it's ok, the Barracuda link does a http redirect.

Open rates pretty much a bogus statistic these days, although we still talk about them. Between Barracuda- and Google-like approaches, if someone tells you they didn't read your email, they may be telling the truth.

Re:

[JoePete]

I don't think Google does this out of the goodness of their heart. This basically allows them to intercept all marketing email and then perform their own analytics on it, denying the opportunity for the original marketers to do it. Google, like Facebook, and every other absurdly valued "tech" company out there, is in the business of data collection. When it comes to invasion of privacy, they are far more the disease than the cure.

Re:

[Agripa]

Gmail rewrites your img tags to point to a google server.

Do you mean in the gmail web client? Emails that I fetch to my local client do not have rewritten image tags.

Re:

[Anonymous Coward]

I was surprised by an overdue credit card bill. I had email bill alerts enabled but when I logged in they had been inexplicably turned off. I called support and they said since I didn't read any of my alert emails they disabled them (read: I have remote content loading disabled so their trackers didn't load).

CapitalOne, they are run by pieces of HUMAN GARBAGE.

Re:

[anegg]

Exactly - don't load remote content automatically. And when you get an e-mail that is essentially blank because its all remote code/images, you just delete it. All of the "campaign" e-mail sites (e.g. MailChimp) that I am familiar with automatically embed tracking in the messages that they send, so I'm not surprised at the amount of tracking going on. Whether or not that tracking is a prime requirement of the sender (or even actually monitored), or just came along with the mailing function, is not clear

Score:-5, Pwned

[Anonymous Coward]

Witness BitZtream getting pwned! [slashdot.org]... twice [slashdot.org].....three times..... [slashdot.org] four times! [slashdot.org]

So

[BitztreamNotARealNam]

How's life in the hypocrite lane [slashdot.org]?

e-mail is not web

[arth1]

Stop using a web client to read e-mail, and it isn't a problem.

And if you're an admin, configure your SMTP servers to mark e-mail containing links to trackers as potential malware.

Re:e-mail is not web

[sims 2]

Even with web clients you have the option to not load remote images.

Re:

[Aighearach]

You seem to have it backwards; web users are more likely to be protected in this case!

To get the same level or protection on your own you need... your own server. Not much advantage to using a non-web client at that point, just a flavor issue.

Huh?

[Opportunist]

There are still mail clients that don't disable loading images by default?

And they get used?

Then I guess the people using them don't mind being tracked. Where's the story?

Re:

[gnick]

There are still mail clients that don't disable loading images by default?

Gmail defaults to loading external content and is very popular.

There are other reasons to avoid Gmail.

Re:

[mlyle]

Gmail usually preemptively loads remote content. e.g. it's not tied to whether you look at the message.

Re:

[sanf780]

I thought that Gmail, the web application and the mobile application, use a proxy for image delivery: https://gmail.googleblog.com/2... [googleblog.com] Please correct me if I am wrong.

From the twenty seconds I spent researching this, it looks like companies that do e-mail tracking tell that Apple devices are the ones getting like 45% of the e-mails - just check https://emailclientmarketshare... [emailclien...tshare.com] . I find this number a little bit too high and probably biased, so let us forget about these companies. Anyhow, there are better

Re:

[CronoCloud]

Gmail defaults to loading external content and is very popular.

"Gmail" as a service doesn't actually do that... you are speaking of the web interface to it which you do not have to use. In fact, I always recommend using a proper e-mail client with gmail over IMAP on both desktop and mobile.

Amongst the advantages are:

1. No remote content unless you specifically want it.
2. No ads
3. The ability to use GPG or S/MIME.

Re:

[Excelcia]

Gmail retrieves all remote content whether the email is opened or not, and then caches the resultant images (which isn't hard since they are all the same image with different filenames). When you open the email you are only seeing the cached image. Since all images are retrieved at the time Google's servers receive the email, there is no information the sender can get from that image retrieval.

Re:

[JoePete]

Google proxies images including tracking ones/web beacons in HTML email. In short, they scan the HTML, any images they fetch via their proxy servers and then when you open your email, it gets loaded from Google, not the originally intended server. Hence, if you send email to a Gmail account and include a tracking image, it will always show as opened (because Google retrieved the image) regardless of whether you opened it. However only Google will know whether you really opened it. Thus, privacy is a relativ

What Is This Site Called?

[Anonymous Coward]

And you probably never noticed.

This is Slashdot: News for Nerds, Stuff that Matters. We noticed. Hell it was probably one of us that first thought up the idea of using web bugs to track HTML formatted mail. We have all had it disabled in our mail readers since before you were born.

Wake the fuck up M'Smash and understand who your audience is.

Re:

[Rakarra]

I think the difference here is the rise of email tracking used by people you know. Companies have always tried to track us.

They're right

[jittles]

They are definitely right. I haven't noticed the tracking. I don't open images in email, so I wouldn't notice that a 1x1 image was missing from an email. But then again, if my client reported unopened images and I didn't see a spot where an image ought to load, I would probably realize that whoever sent the email is attempting to track me.

What? This is really old news

[Jody Bruchon]

Email clients have been set to not load remote content by default for over 15 years. Gmail caches remote content to its own servers making tracking bugs in emails mostly useless unless you click an outbound link with tracking data in the URL. Unless you've changed the default setting from "DON'T load remote stuff by default" then you've not been trackable for a really long time. Who needs anti-tracking services? All I have to do is not click on any links. This is an old story. I wonder if the Wired article is "sponsored content;" they are, after all, one of the companies that has complained a lot about ad blockers, so I know they're pretty hard up for dollarydoos.

Re:

[JoePete]

Exactly. Folks, Google didn't do this out of the goodness of their heart. They started doing this because it know allows them to all the HTML-based tracking info. If you want to market to a Gmail user, you have to play/pay by Gmail's rules. The real answer if you want privacy and to be a good netizen, plain-text only and stay away Gmail, Hotmail, Yahoo, etc.

Re:

[EndlessNameless]

A lot of corporate employees are stuck with Outlook. It's pretty much a default application since everyone "needs" Office.

Still, Outlook can be configured to display text-only emails. The option is there, but I'd bet most organizations don't have the will to turn it off in spite of any objections---or whining, whatever you'd like to call it.

Not always...

[QuietLagoon]

... When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device ...

My email client is configured to not allow remote connections when I read an email. Some emails are not readable without allowing the tracking stuff, so I don't read them. It is as simple as that. So far, not one important email has been unreadable with remote access disabled.

1990's want their headline back

[avandesande]

EOM

Yep

[JohnFen]

This is precisely why I don't allow my email reader to load any external resources (like images), and half of the reason why I don't allow my email to be interpreted through an HTML parser.

Or you

[cmaurand]

Could use a mail client that doesn't automatically load images and break the trackers. The article makes the assumption that all of this email is using some sort of service that does mail tracking (Constant Contact, Mail Chimp, etc.). I don't use mail clients that do tracking.

Bill Gates owes me money

[dysmal]

I got an email from him back in 1997 stating that he was testing his email tracking software and I was selected to help him test it if i forwarded on the message.

Where's my money Bill? Where?!?!?!

Re:

[PPH]

Also make sure you disable automatic reply receipts.

Unless, of course...

[Chris Mattern]

...your email client doesn't automatically download external links. Which is the default behavior of most clients these days.

Re:

[JohnFen]

People complain if you use plain text because the font hurts their eyes. They complain if you don't send them a screen shot or highlight/underline/bold what's important.

You need a better set of coworkers. I never send HTML email in business settings, and I've never once had anyone complain about it. BTW, you can still send screenshots (as well as any other attachments) with plain text email.

Re:

[JohnFen]

Listen, if you send HTML email, you are doing the equivalent of sneezing in your friends face.

This is exactly right. Unfortunately, people don't seem to care about the well-being of their friends and neighbors anymore. Look how many are willing to sell them out by mentioning them to and in Facebook.

And that is why browser is not an email reader

[gweihir]

I read email with Mutt, no tracking. If it is HTML-only, it gets converted by Lynx, no includes, again no tracking. The whole problem would not exist without the insanity of misusing web-browsers to display emails.

Re:

[stabiesoft]

I use alpine. It cracks me up how big an email can be with just "Hello World". A few KBytes for like 12 bytes if info,

Re:

[ben_kelley]

Mutt with a uid that low? Fancy! I still use elm.

"Person selling solution tells you about problem"

[eepok]

We all know about the issues with users being tracked along with profiles being made and identities sold, but I can't be the only one who automatically distrusts someone who sells a product tells me how dangerous the world is without their product. It reads too much like paid advertising. (https://www.smithsonianmag.com/smart-news/marketing-campaign-invented-halitosis-180954082/)

Simple Issue

[JoePete]

On the issue of plain-text vs HTML email, it is not a debate, it is a litmus test. If you send HTML email or insist or reading in that format, you simply don't know enough about email to use it responsibly. Sorry, I know that is harsh, but there is no good reason to send or read HTML email. Meanwhile, in addition to privacy issues, you have spam ones (tracking pixels let the spammers know you are a live email), the phishing ones (HTML obfuscates the true target of links or origin of images), and malware one

Don't use an email client that supports that

[Miser]

Pretty simple. Don't use an email client that supports that bullshit, problem solved. :)

Getting too much!

[duke_cheetah2003]

There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day.

I'm getting way more than my fair share, then. Because I receive upwards of 500-1000 spam emails every single day.

Re:

[shanen]

There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day.

I'm getting way more than my fair share, then. Because I receive upwards of 500-1000 spam emails every single day.

I wish I could thank you for taking care of part of my share, but I think I'm getting at least that many per day, too. It's getting hard to tell unless you actually look for the false positives. These days I only check my primary email address for them.

Much worse is the false negative problem that allows the spammers to confirm an email address using this same technique as long as they can get one of their spams to slip past the filters. Also annoying are the Facebook- and Google-linked spams, where the ann

Use text only e-mail, bitches

[sandbagger]

Eventually most adults figure this out when they get that one add that's waaaaay too close to creepy after searching for something like Preparation H or morning after pill. As for the rest, guess what, that third of the adult population actually wants those ads. They find those ads economically important and, more power to them. You will not change their minds.

I didn't notice. I use alpine, a plain text MUA.

[Anonymous Coward]

My editor and I use alpine - and we work reporting music. Yet, we have to open attached files only infrequently. Plain text works just fine virtually all the time, while eliminating many risks.

Case for text mailer

[manu0601]

Security experts should now recomand using text mailers such as mutt, pine or ELM. Or at least GUI-based mailer that do not support HTML.

Unfortunately, I suspect I will not see that coming.

Fockers

[Artem S. Tashkinov]

Luckily my thunderbird defaults to text and even when I enable HTML images aren't loaded automatically.

Huh?

[Agripa]

When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device.

Huh? I open hundreds of emails a day and my email client does not fetch embedded objects unless I specifically ask it to.