Web Bugs the New Norm For Businesses?

An anonymous reader writes "What ever happened to the good old days, when underhanded email practices were only used by shady email marketing companies and spammers? Today, it seems, the mainstream corporate world has begun to employ the same tactics as spammers to track their customers' email. Jonathan Zdziarski noted in a blog entry that AT&T is using web bugs to track email sent to customers. Could this be used for nefarious purposes?"

Use Thunderbird

[Compaqt]

It doens't load web bugs until you tell it to.

Fastmail.fm does the same.

Re:Use Thunderbird

[pushing-robot]

Gmail blocks images by default. Yahoo and Hotmail can be told to. Get better webmail.

Re:Use Thunderbird

[icebike]

They you were under the wrong assumptions.

Most people still use the email client that came with their machine, which equates to some form of Windows / outlook stuff, which shows images by default.

A few percent have switched to Thunderbird or other clients that do not load images by default. But its far from the norm.

Gmail's web interface blocks images sometimes. Not so much from individuals or other gmail accounts, but most of the time from commercial accounts.

You will see a yellow bar at the top of the message that offers two choices:

Display images below - Always display images from whatever@domain.com

See this page for Google's Gmail help on this issue. The default is to no show any images till you ask for them.

So even those using web interfaces need not be tracked if they don't want to be.

Once again, this practice seems aimed at Outlook users, where (correct me If I'm wrong) images are ON by default.

Email client remote image blocking

[hackersass]

Don't most email clients block remote images in the out of the box configuration? I know Outlook and Thunderbird do. Doesn't that make this pretty much a non issue? Yes, I'm failing to account for the Outlook 97 users out there...

Turn off preview.

[140Mandak262Jamuna]

Why read mail with html turned on by default? Turn on "dont show images" if your mail client allows it.

Re:Turn off preview.

[Monkeedude1212]

Both Gmail and Hotmail have images turned off by default - Yahoo might as well I don't know. So any of the regular web clients are safe enough.

AT&T now stands for

[digitaldc]

Advanced Tracking and Trailing

"Legit Email Marketer"

[betterunixthanunix]

I laughed a little bit at that characterization of spam.

Re:"Legit Email Marketer"

[radish]

There's a difference you know. I get promotional email from Amazon, quite often it actually alerts me to deals I'm interested in, so it serves it's purpose. If I change my mind I can switch it off. It's not spam, it is email-based marketing.

Fighting spam is hard enough without confusing what it actually is.

Re:How Long?

[KublaiKhan]

How long has it been -since- they started using this for nefarious purposes, you mean.

Duh...

[SeNtM]

Uh duh. This is why email clients ship with the viewing of inline images turned off.

2003 called

[circletimessquare]

it wants its story back

this news is very old

i read email text only. i'm not paranoid, i just prefer it. the conversion to text sometimes results in some really fugly emails, and they are always emails from businesses, usually ads. and i'm talking about valid businesses i have some sort of demographic contact with with my lame public email address (as opposed to my personal public email address, that i actually attempt to protect and actually pay attention to): starbucks, cvs, best buy, verizon, etc

i pay attention to 1% of such emails, usually for half a second, when i scan this folder maybe once a month for any valid correspondence. but the image links always stand out since they usually burst the flow of text when converted to text. they are always something like 88daeef445bb23c1.jpg. never banner.jpg or greatoffer.jpg. it's always some unique code

yes, every time you view an html email (with automatic image download), you are spied on. this should be of no surprise to anyone half awake, since this is true for i would say a decade or more as the normal status quo

Everyone does this

[mbuimbui]

Vertical response, mail chimp, etc.. all commercial email marketing companies include a tracker. Its really not all that much different than websites tracking you, knowing that you clicked on their page at such and such time, except this time you are looking at the page from your inbox.

Re:Everyone does this

[lemur666]

You'll also note that every URL on one of these mails is a redirect that has the ability to track which user and which email it originated from.

They then use this info to generate click-through reports on what type of user did what with which email.

I'll add this is very old news.

Don't Load Images

[StevisF]

Every e-mail client I've used in recent times doesn't load images by default. I generally assume that I am being tracked if I choose to load the images.

Re:It's Done

[Archangel+Michael]

The Web/Internet is not private, it is Public. Treat it as if you are in your front yard and your neighbors can see and hear everything you do or say. This is what I tell everyone.

Inevitably they ask about email, which I say "it is like a post card", anyone anywhere along the chain can read it, and you'll never know.

Treat the internet like it is public, not private, and you'll be safe(r).If you want to be "private" on the iNet you best be encrypting and making sure that only the person you're communicating with has the keys, AND is trustworthy. Anything else ... you're screwed.

Re:How Long?

[styrotech]

The fact that this guy discovered 1x1 pixels in email and mis-attributes them to "bugs", is so technically incompetent I would think I am reading the technology section of AOL.

Ummm... "web bug" is the actual term for them.

http://en.wikipedia.org/wiki/Web_bug

I would've thought someone ranting about technical incompetence would've known that.

Re:Oh boo-hoo a tracking gif

[dhammond]

Exactly. Since when did this start being considered "underhanded"? If this is underhanded, then it is also underhanded to track any of the activity of any logged-in user on a website. Legitimate businesses use that tracking information to better serve their customers. Let's not get confused. Spam is wrong, but it's not necessarily wrong to use a method that is also used by spammers.

Is this news?

[klubar]

I assume that almost everyone who sends commercial email does this. It's not really news, and I don't think it's a big deal. Almost every email program (even Outlook) has an option to not download images--if you don't want to confirm that you've received the email, don't download images.

Also, as an occasional sender of commercial email just because the image has been downloaded doesn't mean it's been read. Just means the images have been downloaded.

This is why if you are sending out commercial email, make sure the key messages are visible without the images being downloaded. Tell your reader enough to make them want to a) read the rest, b) confirm that was read and c) download images.

This topic isn't news.

Re:Is this news?

[igb]

Unfortunately, the reason why you might want to not load images isn't stated in the preferences pane in question, so users at large probably don't realise that images are here being used for another purpose.

This is standard in all email marketing (not spam)

[illogic]

People who send email newsletters (not spam) that people have signed up to receive, want to have analytics data on who reads their messages. Perfectly normal, not dastardly companies that offer email marketing platforms like Constant Contact, MailChimp, CampaignMonitor, etc. all include such recipient tracking by default. Not only by noticing whether or not somebody downloads an image in an HTML email, but also by rewriting all URLs linked in the message so that individual clicks can be registered. These are all recorded uniquely to each subscriber so the sender can tell who is interested in what content. Anyone who is surprised about this is out of the loop. This kind of information is very useful for the nonprofit I work for to understand which of our opt-in subscribers are interested in what content and how we can make our emails more useful for their work.

http://www.mailchimp.com/features/reports

Re:How Long?

[beakerMeep]

You're sarcasm aside, that term seems to me to be a mis-representation by laymen and marketing folk; just like "beacon" and all the others. Look at one of the image tags for the article -- Soulskill mis-tagged it with the bug picture. The reality is, it's a tracking pixel.

Still, you're right, mea culpa. I didn't know that term, even having worked in online advertising and publishing for many years. But it's hard to know all the names marketing folk come up with.

However, I don't think this changes the fact that this is stupid blog-spam about an almost universally used, 10 year old technique that the article seems to think is something new. This has been around and used as long as HTML email has been around. They could call it a blue penguin if they wanted but it wouldn't change anything. Imagine an article worrying about the fact that websites might be tracking visitors using "logs" or that newfangled "javascript."

Re:How Long?

[stretch0611]

This looks like a web bug to me. If you want to use an image for rendering purposes, you would link to an image with a static name like http://image.att.com/spacer.gif .

The article specifically shows the image name as http://click.wireless.att.com:8080/31198108.178649.1159326048.-3 If you think that is not passing information back to at&t you would probably believe that IE is the most secure and standards compliant browser.

Re:How Long?

[camperslo]

The fact that this guy discovered 1x1 pixels in email and mis-attributes them to "bugs", is so technically incompetent I would think I am reading the technology section of AOL.

It certainly is something to discuss here, but the suggestion that it is a "New Norm" is absurd.

What makes you think the guy was wrong?? They've admitted to using them. What other 1x1 graphics do you expect? A period would typically take four, not that it makes much sense to use a graphic for a period.
What possible legitimate use are you expecting?

The privacy statement with AT&T/Yahoo (web) mail says they use them, but they call them "web beacons".

http://help.yahoo.com/l/us/yahoo/privacy/communicate/privacy-02.html
http://info.yahoo.com/privacy/us/yahoo/webbeacons/

Note that any offers to opt-out are worthless as that depends on cookies.

NoScript has a bug filter, but the default setting is off and it looks like even then it may only work on untrusted sites. I'd think it ought to block those by default and everywhere?
Someone should look at the source and confirm exactly what it can do.
Not loading anything from other domains should help.

It is old technology, and it isn't just web pages. Even MS Office docs can have net elements present that are loaded upon opening. Those would convey when a doc is opened, and an IP.

Re:It's Done

It's not Public, it's You Get Spied On Every Time You Connect.

There's a big difference between the classical model of Public and today's surveillance-driven Orwellian nightmare. In your front yard, your neighbors can see what you're doing ... if they happen to be looking in your direction while you're doing it.

On the web, everything you do is watched, tracked, and analyzed by a legion of machines bent on calculating ways to extract money from you ... or worse, whether men with guns ought to be sent to arrest or kill you (in the case of suspected terrorists).

Re:How Long?

[budgenator]

he was refering to bug as in a bugged telephone not faulty software