Web Bugs the New Norm For Businesses?
An anonymous reader writes "What ever happened to the good old days, when underhanded email practices were only used by shady email marketing companies and spammers? Today, it seems, the mainstream corporate world has begun to employ the same tactics as spammers to track their customers' email. Jonathan Zdziarski noted in a blog entry that AT&T is using web bugs to track email sent to customers. Could this be used for nefarious purposes?"
How long before this is used for nefarious purposes?"
FTFY
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
It doesn't load web bugs until you tell it to.
Fastmail.fm does the same.
I'm not a lawyer, but I play one on the Internet. Blog
Don't most email clients block remote images in the out of the box configuration? I know Outlook and Thunderbird do. Doesn't that make this pretty much a non issue? Yes, I'm failing to account for the Outlook 97 users out there...
Since when was at&t not underhanded, shady or nefarious?
As far as i can remember... at&t have always been the biggest scumbags on the block. Or haven't you ever looked at a phonebill?
Why read mail with html turned on by default? Turn on "dont show images" if your mail client allows it.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Yet another reason I block images in Gmail.
Shiny. Let's be bad guys.
How else would they have any stats?
Airplane Photos, Airline News, Planespotting Guides
I heard about this years ago. I am still waiting on my check from Bill Gates.
Advanced Tracking and Trailing
He who knows best knows how little he knows. - Thomas Jefferson
I laughed a little bit at that characterization of spam.
Palm trees and 8
Uh duh. This is why email clients ship with the viewing of inline images turned off.
"There ought to be limits to freedom." -George W. Bush
it wants its story back
this news is very old
i read email text only. i'm not paranoid, i just prefer it. the conversion to text sometimes results in some really fugly emails, and they are always emails from businesses, usually ads. and i'm talking about valid businesses i have some sort of demographic contact with with my lame public email address (as opposed to my personal public email address, that i actually attempt to protect and actually pay attention to): starbucks, cvs, best buy, verizon, etc
i pay attention to 1% of such emails, usually for half a second, when i scan this folder maybe once a month for any valid correspondence. but the image links always stand out since they usually burst the flow of text when converted to text. they are always something like 88daeef445bb23c1.jpg. never banner.jpg or greatoffer.jpg. it's always some unique code
yes, every time you view an html email (with automatic image download), you are spied on. this should be of no surprise to anyone half awake, since this is true for i would say a decade or more as the normal status quo
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Vertical response, mail chimp, etc.. all commercial email marketing companies include a tracker. It's really not all that much different than websites tracking you, knowing that you clicked on their page at such and such time, except this time you are looking at the page from your inbox.
There's no use in complaining. It can be done, it is done. Every email client worth using has an option not to load external resources (images, etc.). Enable it, forget about web bugs. Anyone who sends emails with images should be shot^H^H^H^H sending them with the mail, not referencing external images. External resources can be changed after the mail has been sent. That alone should be reason enough to disregard them.
Every e-mail client I've used in recent times doesn't load images by default. I generally assume that I am being tracked if I choose to load the images.
Seriously - tracking bugs have been around so long now that unless you've been living under a rock for the past decade, you know about them.
Anyone who isn't blocking them by now deserves what they get. You can't claim to value privacy while freely giving it up. Your computer is the thing *requesting* the web bug. If you don't mind it doing that, then don't turn around and complain about the consequences.
Isn't this the same thing built into Salesforce.com's CRM? I've been using that for ages to see if prospects are reading the emails I send them.
We send mass mails to people who have opted in. It's mostly just ads, with a little bit of genuinely-interesting "content" which is the ostensible purpose of the mail from the receiver's point of view. From our point of view, the purpose is to show the ads. The mails are HTML. I haven't looked too hard at 'em, because I don't personally read HTML mail, and also I'm not the guy who handles this particular part of our business. But I know it has at least one "web bug."
Currently, the purpose for the web bug (for us, not sure about the third party that we use who actually delivers the mail; it's actually their web bug) is to track "open rate." What fraction of people read the mail?
Assumptions: 1) People read HTML mail. 2) When their mail reader renders the message, it will fetch externally-referenced resources such as images. 3) If the mail is rendered, it's because a human read the message.
As the "open rate" dips or increases, we take that as a lesson in tuning our subject line, making the mails less obnoxious / more interesting so that more people will read it next time, and so on. The open rate is a measure of success and our goal is to maximize it.
So.. nefarious? It's all about getting people to look at ads. You make the call as to whether or not that's nefarious.
The general population has lost much privacy and many freedoms. And the encroachment continues - accelerates even.
But the fault is ours. We gave it all away for the promise of cheap baubles, entertainment and security. So many click still on the "get rich quick" eMail scams. So many happily use credit/debit cards to buy every little thing. So many willingly surrender their privacy & dignity - all for the vacuous promise of security. And deity forbid one gets in the way of TV entertainment. Use that cable box/HD/DVR. Let Time Warner/Comcast or (hey!) AT&T monitor every button press.
I suspect many here would agree. But then, many here clamor also for regulation and control over other areas, giving the beast more power and money for the "unwanted" bugaboos. Yet this results in the loss of more privacy and freedom - for everyone.
Perhaps my vantage point is clouded, but it looks like the experiment failed.
Images are not loaded unless they are from someone I trust. Receipts are not sent without explicit permission either.
I remember someone being extremely confused how I replied to the email without them getting a receipt from me opening it.
Uhhh... Yes, as evidenced by the first sentence in the summary.
... what is this web thing of which you speak?
Have gnu, will travel.
For a long time now, the recommendation to users has been to disable (if it isn't the default) automatic loading of images. I would guess Goople's gmail doesn't have this disabled by default, but I believe Mac OS X Mail does.
You're kidding right? Next up: bit.ly links watch your clicks!
As someone else said above, if I choose to load images in an e-mail I *assume* I'm being tracked.
Of course they're using bugs to track us. It's been used by "legitimate" e-mail marketing as well as spammers for a long, long time. It's an easy and widely supported way to evaluate confirm receipt.
Should we start freaking out about Google Analytics next? Every page that loads it, Slashdot included, subjects their readers to cross-domain stats gathering and potential dynamic code modification. That's a lot more significant than a transparent pixel load.
Mail from Michael Steele and from the Republican National Committee uses them.
I'd be surprised if any companies haven't been using tracking images as a matter of course for all their mailouts for the last 5 years.
Having spent 6 years working for web agencies I can tell you that marketing people love to see statistics on their mailouts, even if they do nothing more than get a rough estimate on number of views.
Web bugs in emails are nothing new. For as long as there has been HTML email there have been web bugs. Every image you load could be considered a web bug because it's creating a log entry somewhere. The bugs don't need to be 1x1 transparent gifs though many tend to be just out of convenience. Almost all links nowadays (and for a long time) run through some sort of click tracking tool as well, just like every search engine as well.
At least one solution is out there:
Don't use webmail or web-enabled mail clients like Outlook. Mutt and Alpine and similar mail clients that don't interpret HTML are immune to this particular form of jackassery.
You know that axiom about how security and convenience are inversely proportional? It's true. You have to set the slider where you choose to, and unless you're willing to write the perfect HTML-interpreting-except-for-web-bugs-which-are-differentiated-from-other-objects-somehow-but-is-still-Exchange-compatible mail client yourself (in which case you get rich), that's the hand you're dealt. There are some alternatives like "it should be illegal to attach tracking bugs to email content", but that assumes people would actually obey the law (ha!).
Everybody gets what the majority deserves.
I worked with this for 6 months. Learned a lot of interesting stuff about how people react to variations of emails.
Short messages that are to the point work well, but so do some marketing tricks, such as scaring people, FUD.
Since the company was never satisfied, and wanted everything I did as their exclusive property, I used mainly multiple overlapping test groups with random sampling. I would have preferred advanced modelling, which I am really good at, but did not want to lose rights to do that. I later read some scientific articles about lipid research, and was surprised that they used much simpler and quite inefficient methods compared to what I did when demotivated. What a waste of human life. When I was in the oil business, they used modelling, but with only vague understanding of it, so I improved that a lot. And in all such cases, I got sort of fired. Does not seem like companies or organizations want such improvements. But they try to sell them anyway.
Copy the bug into your own messages, and swamp their stats base with crap.
I assume that almost everyone who sends commercial email does this. It's not really news, and I don't think it's a big deal. Almost every email program (even Outlook) has an option to not download images--if you don't want to confirm that you've received the email, don't download images.
Also, as an occasional sender of commercial email, just because the image has been downloaded doesn't mean it's been read. Just means the images have been downloaded.
This is why if you are sending out commercial email, make sure the key messages are visible without the images being downloaded. Tell your reader enough to make them want to a) read the rest, b) confirm that was read and c) download images.
This topic isn't news.
I bought some train tickets from GNER, as they were then, and got signed up to their "newsletter". Since I'm hardly ever on that side of the country, I had no reason to even bother reading the thing. I never got round to unsubscribing from it, just deleted it unread.
A few months back, I got an email from their successor, along the lines of, "We noticed you haven't read the newsletter in quite a while. Click here to stay subscribed, otherwise it'll stop coming." I thought that was pretty good; I always assume these things track me somehow, but it's the first time a company's ever volunteered to unsubscribe me based (presumably) on that information. Of course, I use Gmail and the images are blocked by default, so they couldn't have known if I *was* reading...
What *really* annoys me is news"letters" with no text, where you *have to* download the images if you want to see the content.
This was a standard feature for reputable (as in double-opt-in) bulk email services at least as far back as 2003, when I worked in email marketing for nonprofits. It's how you tell whether your campaigns are effective. Well, it was -- back then all email clients loaded remote images by default. Nowadays it's probably most effective at determining who liked your email enough to actually load the images.
People who send email newsletters (not spam) that people have signed up to receive, want to have analytics data on who reads their messages. Perfectly normal, not dastardly companies that offer email marketing platforms like Constant Contact, MailChimp, CampaignMonitor, etc. all include such recipient tracking by default. Not only by noticing whether or not somebody downloads an image in an HTML email, but also by rewriting all URLs linked in the message so that individual clicks can be registered. These are all recorded uniquely to each subscriber so the sender can tell who is interested in what content. Anyone who is surprised about this is out of the loop. This kind of information is very useful for the nonprofit I work for to understand which of our opt-in subscribers are interested in what content and how we can make our emails more useful for their work.
http://www.mailchimp.com/features/reports
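The two tracking mechanisms described in the comments above (remote images that create a log entry when loaded, and links rewritten to carry a per-subscriber identifier) can be checked for in a message before it is rendered. The following is an added example, not code from any poster or mail product; the class and function names, the hex-token heuristic, and the `example.invalid` hostnames in the constructed sample body are all assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed heuristic: a run of 12+ hex characters in the path or query looks
# like a per-recipient identifier rather than a human-chosen file name.
TOKEN = re.compile(r"[0-9a-fA-F]{12,}")

class RemoteRefAuditor(HTMLParser):
    """Collects remote images and links found in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, host, [flags])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self._check(a.get("src") or "", "image", a)
        elif tag == "a":
            self._check(a.get("href") or "", "link", a)

    def _check(self, url, kind, a):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return  # cid:, data:, mailto: do not fetch from a remote web server
        flags = []
        if TOKEN.search(parts.path + "?" + parts.query):
            flags.append("unique-token")
        if kind == "image" and a.get("width") in ("0", "1") \
                and a.get("height") in ("0", "1"):
            flags.append("tiny")
        self.findings.append((kind, parts.hostname, flags))

def audit_html(html):
    """Return every remote image/link in the body with its tracking flags."""
    parser = RemoteRefAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample body; all hosts and tokens are made up.
SAMPLE = """<html><body>
<img src="cid:logo@example.invalid" alt="logo">
<img src="http://img.example.invalid/88daeef445bb23c1.jpg" width="1" height="1">
<img src="https://static.example.invalid/banner.jpg" width="600" height="80">
<a href="https://click.example.invalid/t?u=3f9a1c77d2e04b6a8c51">Offer</a>
<a href="mailto:unsubscribe@example.invalid">Unsubscribe</a>
</body></html>"""

if __name__ == "__main__":
    for kind, host, flags in audit_html(SAMPLE):
        print(kind, host, ",".join(flags) or "remote-only")
```

An image with no flags is still listed, because any remote fetch is logged by the server that hosts it; the flags only mark the references most likely to be tied to one recipient.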
Hammers can apparently be found in many residences. Can they be used for nefarious purposes?
It's called split testing or multivariate testing and it's a perfectly legitimate marketing tool. If you don't trust a specific company, unsubscribe from its damn mailing list
right...
I have a friend who works for a big realty company and they do this. using whatever bug it is in gmail to track their addresses, and then send them "market relevant" pitches based on what they were searching for. scum of the earth IMO.
I hate it too, but yes it is now considered socially-acceptable to harvest info from your readers via "bugged" images.
About a year ago I was talking to a local party official about this, after I discovered the local party was doing this with its email list. He's a nice guy, but everyone who works there including himself is a volunteer, and none of them are particularly computer-savvy.
I tried to explain to him that that kind of harvesting is a Bad Thing, but I don't think I had much success. Email is about all of the internet he's ever been exposed to, so if he spends a lot of (scarce) local party money on a software tool based on all the nifty stuff the salescritters tell him he can do with it, and all his peers are using it or packages just like it, it's going to take a lot more than one yahoo off the street to convince him there's an ethical problem with that.
Most folks don't have a clue about this kind of thing, and frankly there are more marketeers telling them it's OK than there are knowledgeable geeks telling them it isn't. I'm afraid we are going to lose this one. Harvesting info via embedded pictures has become standard operating procedure.
Just read your email the way email was intended to be read, in plain text, in a plain text email reader.
Voila, no bugs.
Have a look at salesforce.com, they sell this as a service and they do it well !
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
I receive all my mails using RoundCube webmail these days. It warns that an HTML e-mail contains images, and will only display them if you want to. If an e-mail demands a read receipt, you are prompted whether or not you wish to send that.
The bottom line is that web bugs are not possible without the cooperation of dumb client software.
Receive an e-mail with smileys from a Hotmail user and your decent e-mail program will warn that the message contains images. If you choose not to display them, the e-mail is devoid of all emoticons.
Idiots.
Four years ago (that means 2006) I found a web bug in a newsletter sent by a small to medium sized bookstore. The owner did anything from hiding it with several techniques up to their lawyer sending me a cease-and-desist letter. They even lied to the authorities, told rubbish to the public. "No, we don't do that, it would be illegal."
I manage a mailing list for a client - it's completely opt-in, either in the retail stores or via the website signup forms.
To keep current with what other companies are doing, I've signed up for dozens of email newsletters. I would say that at least 3/4 are using the equivalent of web bugs to track email open rates - it's not 100% accurate, but it's far better than nothing. It's a checkbox feature by EVERY major 3rd party email service provider.
Actually, I've also examined a lot of SPAM - they do NOT do web bugs anymore. At least not the ones that I've examined.