How Email Open Tracking Quietly Took Over the Web

Brian Merchant, writing for Wired: There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an "email intelligence" company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email -- usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online. But lately, a surprising -- and growing -- number of tracked emails are being sent not from corporations, but acquaintances. "We have been in touch with users that were tracked by their spouses, business partners, competitors," says Florian Seroussi, the founder of OMC. "It's the wild, wild west out there." According to OMC's data, a full 19 percent of all "conversational" email is now tracked. That's one in five of the emails you get from your friends. And you probably never noticed.

"enable loading of remote content"

[v1]

just uncheck this in your email reader. done.

then if you need to see the images they embed, click the "load remote content" button in the viewing window when you open it.

I actually got a surprise recently, an email from a vendor saying "you haven't engaged with any of our recent emails, here's a 10% off coupon for your next purchase". Well, we know what they mean by "engaged", don't we? :)

Re:"enable loading of remote content"

[klubar]

Gmail rewrites your img tags to point to a google server. This is done to speed up emails (the images are loaded off a google server) and to cache the images (if multiple emails download the same image, google only needs to fetch the image once). Google also claims to check the images to make sure they don't contain an malicious code.

In this case, it looks like every email is read (as the images are always downloaded). The browser string also reports as google, and the IP address of the download is also a google IP address. Not very useful for tracking.

Many corporate email systems use something like Barracuda which also downloads the images and re-writes the image tag. When you look the reader's IP address, you'll see it's one of barracuda's servers. Barracuda also check all the hyperlinks to make sure that they don't point to malicious sites. They also rewrites on the email links, so they are checked in real time when the recipient clicks on them. (The links are turned into a Barracuda link, then Barracuda checks the link at the time the user clicks on it to make sure it is still not malicious. If it's ok, the Barracuda link does a http redirect.

Open rates pretty much a bogus statistic these days, although we still talk about them. Between Barracuda- and Google-like approaches, if someone tells you they didn't read your email, they may be telling the truth.

Re:"enable loading of remote content"

[Cederic]

If someone sends you a HTML format email that includes a simple image tag referencing a server hosted image then you can be tracked unless you disable third party images.

No javascript required.

And that is why browser is not an email reader

[gweihir]

I read email with Mutt, no tracking. If it is HTML-only, it gets converted by Lynx, no includes, again no tracking. The whole problem would not exist without the insanity of misusing web-browsers to display emails.