Slashdot Mirror


How Email Open Tracking Quietly Took Over the Web (wired.com)

Brian Merchant, writing for Wired: There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an "email intelligence" company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email -- usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online. But lately, a surprising -- and growing -- number of tracked emails are being sent not from corporations, but acquaintances. "We have been in touch with users that were tracked by their spouses, business partners, competitors," says Florian Seroussi, the founder of OMC. "It's the wild, wild west out there." According to OMC's data, a full 19 percent of all "conversational" email is now tracked. That's one in five of the emails you get from your friends. And you probably never noticed.
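
The summary above describes open tracking through remote images and other remotely loaded elements. The following Python sketch is an added example, not code from the article or from any commenter: it lists the remote fetches an HTML message would trigger when opened and flags 1x1 or hidden images. It covers only `<img>` and `<link>` tags, and the sample message, hosts and token are constructed.

```python
# Added example: list the remote fetches an HTML email would trigger on open.
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RemoteLoadFinder(HTMLParser):
    """Collect tags that make a mail client contact a remote server on open."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("src") if tag == "img" else a.get("href") if tag == "link" else None
        if not url or urlsplit(url).scheme not in ("http", "https"):
            return  # cid:/data: content travels inside the message, no fetch
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        self.hits.append({"tag": tag, "host": urlsplit(url).hostname,
                          "likely_pixel": tag == "img" and (tiny or hidden)})

def remote_loads(raw: bytes):
    """Return one record per remote fetch found in the text/html parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    finder = RemoteLoadFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.hits

# Constructed sample message; the hosts and the token are made up.
SAMPLE = b"""\
From: sender@example.com
To: reader@example.org
Subject: Hello
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi!</p>
<img src="cid:logo123" width="120" height="40">
<img src="https://banner.example.net/header.png" width="600" height="80">
<img src="https://t.example.net/o.gif?u=TOKEN123" width="1" height="1">
<link rel="stylesheet" href="https://fonts.example.net/f.css?u=TOKEN123">
</body></html>
"""

if __name__ == "__main__":
    for hit in remote_loads(SAMPLE):
        print(hit)
```

A normally sized banner image is reported as a remote load but not as a likely pixel; any remote fetch can still carry a per-recipient token in its URL, which is why the list includes every remote load and not only the tiny ones.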

18 of 116 comments

  1. "enable loading of remote content" by v1 · · Score: 4, Informative

    just uncheck this in your email reader. done.

    then if you need to see the images they embed, click the "load remote content" button in the viewing window when you open it.

    I actually got a surprise recently, an email from a vendor saying "you haven't engaged with any of our recent emails, here's a 10% off coupon for your next purchase". Well, we know what they mean by "engaged", don't we? :)

    --
    I work for the Department of Redundancy Department.
    1. Re:"enable loading of remote content" by fahrbot-bot · · Score: 2

      just uncheck this in your email reader. done.

      then if you need to see the images they embed, click the "load remote content" button in the viewing window when you open it.

      But, better yet, if using an email client, like Thunderbird, read your mail as plain text. This cuts out a LOT of crap.
      [ Thunderbird: View -> Message Body As -> Plain Text ]

      But your recommendation is a good default setting for those cases where the email is all HTML (sigh).

      --
      It must have been something you assimilated. . . .
    2. Re:"enable loading of remote content" by Z00L00K · · Score: 2

      And Thunderbird also blocks remote content by default to protect your privacy.

      I wouldn't say that Thunderbird is immune to this kind of tracking, but it's at least pretty good. Unless you use command line mail clients like elm.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:"enable loading of remote content" by klubar · · Score: 4, Informative

      Gmail rewrites your img tags to point to a Google server. This is done to speed up emails (the images are loaded off a Google server) and to cache the images (if multiple emails download the same image, Google only needs to fetch the image once). Google also claims to check the images to make sure they don't contain any malicious code.

      In this case, it looks like every email is read (as the images are always downloaded). The browser string also reports as Google, and the IP address of the download is also a Google IP address. Not very useful for tracking.

      Many corporate email systems use something like Barracuda which also downloads the images and re-writes the image tag. When you look at the reader's IP address, you'll see it's one of Barracuda's servers. Barracuda also checks all the hyperlinks to make sure that they don't point to malicious sites. They also rewrite the email links, so they are checked in real time when the recipient clicks on them. (The links are turned into a Barracuda link, then Barracuda checks the link at the time the user clicks on it to make sure it is still not malicious. If it's ok, the Barracuda link does an HTTP redirect.)

      Open rates are pretty much a bogus statistic these days, although we still talk about them. Between Barracuda- and Google-like approaches, if someone tells you they didn't read your email, they may be telling the truth.

    4. Re:"enable loading of remote content" by Anonymous Coward · · Score: 2, Interesting

      I was surprised by an overdue credit card bill. I had email bill alerts enabled but when I logged in they had been inexplicably turned off. I called support and they said since I didn't read any of my alert emails they disabled them (read: I have remote content loading disabled so their trackers didn't load).

      CapitalOne, they are run by pieces of HUMAN GARBAGE.

    5. Re:"enable loading of remote content" by Cederic · · Score: 4, Informative

      If someone sends you a HTML format email that includes a simple image tag referencing a server hosted image then you can be tracked unless you disable third party images.

      No javascript required.

    6. Re:"enable loading of remote content" by anegg · · Score: 3, Funny

      I'm not sure anyone using "gmail" as their primary e-mail service is very worried about "tracking."

    7. Re:"enable loading of remote content" by epine · · Score: 3, Interesting

      I'm not sure anyone using "gmail" as their primary e-mail service is very worried about "tracking."

      So far I trust Google's immense appetite to keep all the cream for themselves. They might track, but they don't share (so far as I've read).

      I've also never seen anything from Google that I didn't know was from Google, so as a personal privacy attack surface, it's so far been fairly conspicuous.

      Google knows everything about me from my search history already (on the order of one million data points).

      Not that I don't have my own e-mail service (as well), but I estimate my added exposure from Google knowing 99% of my life (by means of my e-mail) instead of 98% of my life (through search alone) as fairly small.

  2. e-mail is not web by arth1 · · Score: 3, Interesting

    Stop using a web client to read e-mail, and it isn't a problem.

    And if you're an admin, configure your SMTP servers to mark e-mail containing links to trackers as potential malware.

    1. Re:e-mail is not web by sims+2 · · Score: 3

      Even with web clients you have the option to not load remote images.

      --
      Minimum threshold fixed. Thanks!
  3. Huh? by Opportunist · · Score: 2

    There are still mail clients that don't disable loading images by default?

    And they get used?

    Then I guess the people using them don't mind being tracked. Where's the story?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Huh? by sanf780 · · Score: 2
      I thought that Gmail, the web application and the mobile application, use a proxy for image delivery: https://gmail.googleblog.com/2... Please correct me if I am wrong.

      From the twenty seconds I spent researching this, it looks like companies that do e-mail tracking say that Apple devices are the ones getting like 45% of the e-mails - just check https://emailclientmarketshare... . I find this number a little bit too high and probably biased, so let us forget about these companies. Anyhow, there are better ways to track your future ex. Like breaching into Facebook, using WhatsApp or diving into Google location history.

  4. What? This is really old news by nctritech · · Score: 4, Interesting

    Email clients have been set to not load remote content by default for over 15 years. Gmail caches remote content to its own servers making tracking bugs in emails mostly useless unless you click an outbound link with tracking data in the URL. Unless you've changed the default setting from "DON'T load remote stuff by default" then you've not been trackable for a really long time. Who needs anti-tracking services? All I have to do is not click on any links. This is an old story. I wonder if the Wired article is "sponsored content;" they are, after all, one of the companies that has complained a lot about ad blockers, so I know they're pretty hard up for dollarydoos.

  5. Not always... by QuietLagoon · · Score: 2

    ... When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device ...

    My email client is configured to not allow remote connections when I read an email. Some emails are not readable without allowing the tracking stuff, so I don't read them. It is as simple as that. So far, not one important email has been unreadable with remote access disabled.

  6. Re:What Is This Site Called? by Rakarra · · Score: 2

    I think the difference here is the rise of email tracking used by people you know. Companies have always tried to track us.

  7. And that is why browser is not an email reader by gweihir · · Score: 4, Informative

    I read email with Mutt, no tracking. If it is HTML-only, it gets converted by Lynx, no includes, again no tracking. The whole problem would not exist without the insanity of misusing web-browsers to display emails.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:And that is why browser is not an email reader by stabiesoft · · Score: 2

      I use alpine. It cracks me up how big an email can be with just "Hello World". A few KBytes for like 12 bytes of info.

  8. How's life in the hypocrite lane?