date 2019-12-17
from the dont-track-me-while-i'm-tracking-you dept.
Wired runs this story on how 'email open' tracking is becoming more ubiquitous than someone would like
"I JUST CAME across this email," began the message, a long overdue reply. But I knew the sender was lying. He’d opened my email nearly six months ago. On a Mac. In Palo Alto. At night.
I knew this because I was running the email tracking service Streak, which notified me as soon as my message had been opened.
There are some 269 billion emails sent and received daily. That’s roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an “email intelligence” company that also builds anti-tracking tools.
The tech is pretty simple. Tracking clients embed a line of code in the body of an email—usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts.
But lately, a surprising—and growing—number of tracked emails are being sent not from corporations, but acquaintances. “We have been in touch with users that were tracked by their spouses, business partners, competitors,” says Florian Seroussi, the founder of OMC. “It's the wild, wild west out there.”
According to OMC's data, a full 19 percent of all “conversational” email is now tracked.
I STUMBLED UPON the world of email tracking last year, while working on a book about the iPhone and the notoriously secretive company that produces it. I’d reached out to Apple to request some interviews, and the PR team had initially seemed polite and receptive. We exchanged a few emails. Then they went radio silent. Months went by, and my unanswered emails piled up. I started to wonder if anyone was reading them at all.
That’s when, inspired by another journalist who’d been stonewalled by Apple, I installed the email tracker Streak. It was free, and took about 30 seconds. Then, I sent another email to my press contact. A notification popped up on my screen: My email had been opened almost immediately, inside Cupertino, on an iPhone. Then it was opened again, on an iMac, and again, and again. My messages were not only being read, but widely disseminated.
I wrote Cook a lengthy email detailing the reasons he should join me for an interview. When I didn’t hear back, I drafted a brief follow-up, enabled Streak, hit send. Hours later, I got the notification: My email had been read. Yet one glaring detail looked off. According to Streak, the email had been read on a Windows Desktop computer.
IF TIM COOK is a closet Windows user (who knows! Maybe his Compaq days never fully rubbed off) or even if he outsources his email correspondence to a firm that does, then it’s a fine example of the sort of private data email tracking can dredge up even on our most powerful public figures.
"During the 2016 election, we sent a tracked email out to the US senators, and the people running for the presidency," Seroussi says. "We wanted to know, were they doing anything about tracking? Obviously, the answer was no. We typically got the location of their devices, the IP addresses; you could pinpoint almost exactly where they were, which hotels they were staying at."
Time to get back to Pine.
(Score: 1, Insightful) by Anonymous Coward on Tuesday December 19, @10:28AM
Wait … there are still people who let their email client load external images, or execute embedded JavaScript?
(Score: 3, Insightful) by Anonymous Coward on Tuesday December 19, @10:34AM
Because most people don't even know what an external image or Javascript even is.
by evk on Tuesday December 19, @10:54AM
I thought that most clients had it disabled by default.
by MostCynical on Tuesday December 19, @11:20AM
"Load all images?"
Or
"Images in this email have been blocked. Would you like to see them?"
Worse, "do not ask me again"
(Score: tau, Irrational)
(Score: 4, Interesting) by TheRaven on Tuesday December 19, @11:50AM
Apple's mail client has a load images button, but it's not very prominent in the UI so people generally only click on it if the email looks weird. The default is not to load, and if an email just contains a 1x1px image then they probably won't bother.
The more interesting thing is that you can often use these trackers to see the path of an email. A lot of mail servers will load images and so on as part of their spam filtering. A few years ago there was a story of someone tracking their CV with an embedded URL in the PDF from a recruiter to a bunch of companies' HR departments.
sudo mod me up
by Wootery on Tuesday December 19, @03:50PM
PDFs can silently download images over the Internet?
Is there anything Adobe won't add to PDF? It already supports JavaScript, so Turing completeness is already ticked off. In theory we could even run Linux on it.
by chromas on Tuesday December 19, @12:26PM
Webmail.
by All Your Lawn Are Belong To Us on Tuesday December 19, @02:56PM
Does nothing about it AFAIK. My webmail loads images by default. My Outlook (program, not exchange server) does not.
by Anonymous Coward on Tuesday December 19, @04:06PM
yeah "Webmail" had to be the most worstest answer even remotely imaginable besides just agreeing to everything and replying to the sending saying that I did not read this message and haven't replied.
why on earth would you think webmail doesn't track?
It's not like most local SMTP clients are capable of doing the same things that mobile based email reading and browser based email reading will happily sell you out and use your own CPU resources to do it with.
run a local client and turn off the 'display messages as web pages' or other html based features.
don't display pictures, don't render the 'page'. JUST DISPLAY TEXT
If you don't like how it looks or life becomes unusable, I can't help you. this message content doesn't have any of the features I'm asking you to disable, so your ability to communicate should be ok.
you can even copy and paste it to notepad and see that I didn't hide any 1x1 pixel links. rendering your emails to plaintext will always show everything they are trying to do to you, although you might need to actually download javascript to open it up and look--plaintext won't retrieve it for you.
by nobu_the_bard on Tuesday December 19, @12:57PM
There's people still running Outlook 2003, the ancient Microsoft Mail under unpatched XP, and old versions of Lotus Notes, among other strange things. I know this because I track what mailers people use (when such can be determined) as mail passes through my systems. A small number of these are fake at least, but I have seen enough to be sure they're still seeing real use.
On top of this I have a few users that wanted external resources to download automatically in their mail clients. I explained why this was a bad idea, but they still wanted it, so I had them sign a document they couldn't hold me responsible for the results. I thought the document would scare them off, but not one of them changed their mind.
by canopic jug on Tuesday December 19, @10:36AM
Time to get back to Pine.
In all seriousness, Pine/Alpine is still ahead of M$ Outlook on features and usability, if one compares just the e-mail functions and not the kitchen-sink mentality.
The downside to Pine/Alpine is that GMail has a broken IMAPS implementation which makes it impossible to undelete messages once they are marked for deletion.
Money is not free speech. Elections should not be auctions.
(Score: 4, Insightful) by Anonymous Coward on Tuesday December 19, @10:48AM
That's not a downside of Pine/Alpine, but a downside of GMail.
(Score: 1, Insightful) by Anonymous Coward on Tuesday December 19, @12:16PM
I don't like the label 'M$', I think it's childish.
That said, at work we had to switch from Google Apps for business (I forget the formal name) to Office 365 and... damn does Outlook suck. I think it's the best advertisement for GMail that anyone could invent.
Consumers are weird, they prefer kitchen sinks that work.
by Anonymous Coward on Tuesday December 19, @03:25PM
Funny, because no child today remembers back when Microsoft was loved for their BASIC, even though it limited variable names to two characters and everyone used one character most of the time, with an extra character at the end indicating the type: % for integer, $ for string or nothing for float.
If you started with A$ and went B$, C$... your 13th variable would be M$.
This was in the "good old days" of Commodore, before Microsoft became hated for killing any company that had a better product than them, and BASIC was loved by every kid who used their home computer for more than gaming. Though many of us never heard of Microsoft, because BASIC was licensed to the computer manufacturers without any requirements to show the Microsoft name.
The M$ abbreviation for Microsoft has nothing to do with dollars, as people too young to know history often think. To criticize Microsoft's business strategies, MSFT is the abbreviation to use.
SYS 64738
by Anonymous Coward on Tuesday December 19, @03:40PM
Everything you said is correct, except for the statement about M$ not being about dollars. Your memory is apparently getting faulty if you don't recall that coming into effect to denigrate Microsoft for their monopolistic and anti-competitive practices.
by Anonymous Coward on Tuesday December 19, @02:10PM
Alpine and Claws Mail are the two mail programs I use when not at work. (At work, I need the capability to compose HTML mail.) I also run my own mail server (postfix) so adherence to standards isn't a problem.
Would it be possible for somebody with a GMail inbox they use frequently to simply forward all mail to a server they control? I understand the need to have an address that has all sorts of redundancies, and having an address at a large provider helps with making sure one's mail isn't being marked as spam by recipients. Not the way it should be, but just the way it is.
Email is a fundamentally decentralized system. It saddens me that we all must then go and centralize it in practice, letting Google, Apple, and Microsoft (hotmail) read all our mail and ultimately control the implementation of RFC2822, RFC3501, et al in the wild.
The future of the free internet will always be decentralized systems that elude the Eyes.
by Anonymous Coward on Tuesday December 19, @03:43PM
I'm not sure, but I can try asking Clinton or Kushner for you.
(Score: 4, Insightful) by c0lo on Tuesday December 19, @11:28AM
The news is not that "For various reasons, it is possible to do it" - the news is "1 in 5 private persons actually does it to other private persons!!!"**
If the private persons can't abstain from shitting on the idea of respecting the privacy of the others, how can we blame the soulless corporate persons for doing it?
----
(to be exact, 1 in 5 emails between private persons contains a tracker. The extrapolation to "1 in 5 persons does it" involves a number of implicit assumptions which may or may not be true)
(Score: 4, Informative) by Runaway1956 on Tuesday December 19, @12:55PM
Visited the site. They offer to install an addon - except, it only installs in Chrome/Chromium/Iron/other flavors of Chrome.
So, install, and the first thing it does is to open your gmail account. Your account settings pop up, asking if you want to permit Streak to access all your emails, Gdrive, account details, and more. Click the cancel button. Go into settings and UNinstall streakCRM. Popup window? WTF? I'll have to double check security settings, I don't see popups on my Mozilla Gorilla browsers. Anyway, the popup wants to know why I'm uninstalling. I'm feeling generous - I tell them clearly that I don't like the idea of allowing their software access to my Gmail. It's hard enough to maintain my cover as a spy/secret agent/terrorist/undercover cop/whatever without their company getting the true story. How do I know the app doesn't phone home regularly?
If all I want to do is to track when my email was opened, can't I just put an embedded pixel in my email, all by myself? I can host that pixel on my own server, and learn all that I might want to learn WITHOUT relying on some unknown corporation.
#Hillarygropedme
by Anonymous Coward on Tuesday December 19, @04:09PM
No, because cloud. don't you corporate your capitalism?
running a server at home is like admitting you find communism sexy and that bernie sanders is your bromate
only liberal pansies try to be private
(Score: 5, Informative) by nobu_the_bard on Tuesday December 19, @01:15PM
It's not a bad article but it doesn't really get into the technical aspects of how tracking works. Maybe it's just because this is something I know a fair bit about already that it seems to be lacking.
Typically it works by giving each of the pictures (or other external resources, external links, etc.) in your email a unique URL. For example, if there's a picture at http://www.domain.com/pix/dog.gif, the server may be set up to load that picture for any query starting with http://www.domain.com/pix/dog. Your email will link http://www.domain.com/pix/dog_1234567890.gif, which the server knows is the number associated with the email that went to you, and will note that the picture was loaded at such-n-such date, the query was from such-n-such IP address (potentially useful for estimating your location), using a browser with such-n-such agent string (from which OS might be guessable). They know email 1234567890 was opened by this specific user with all of that information. Your mail client doesn't want to open external resources automatically to protect this information from leaking; not that I've ever seen one properly explain this to the user.
When you understand this, it is less magical or mysterious, and you can see many things that can go awry or provide misleading results. Everything else that this kind of tracking can do is an extension or adjustment of this basic idea though.
There's more to it but that's the gist of it.
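A defender-side sketch of the mechanism described in the comment above (an added example, not part of the original thread): it lists the remote images in a message that are 1x1 or carry a per-message token in the URL. The sample message, the `example.*` hosts and the token heuristic are constructed assumptions; only the `dog_1234567890.gif` URL comes from the comment.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Long digit or hex runs in the path or query look like per-message IDs (heuristic).
TOKEN_RE = re.compile(r"\d{8,}|[0-9a-f]{16,}", re.I)
TINY_RE = re.compile(r"\s*[01](px)?\s*", re.I)  # width/height of 0 or 1

class ImgCollector(HTMLParser):  # collects the attributes of every <img> tag
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def find_trackers(raw_message):
    """Return [(url, [reasons])] for remote images that look like open trackers."""
    findings = []
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            src = img.get("src") or ""
            url = urlparse(src)
            if url.scheme not in ("http", "https"):
                continue  # cid:/data: images are inline; showing them contacts no server
            reasons = []
            if all(TINY_RE.fullmatch(img.get(k) or "") for k in ("width", "height")):
                reasons.append("1x1 image")
            if TOKEN_RE.search(url.path + "?" + url.query):
                reasons.append("unique token in URL")
            if reasons:
                findings.append((src, reasons))
    return findings

# Constructed sample message for this example.
SAMPLE = """\
From: sender@example.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Did you get my last message?</p>
<img src="cid:logo@example.com" width="120" height="40">
<img src="http://www.domain.com/pix/dog_1234567890.gif" width="1" height="1">
<img src="https://static.example.net/banner.png" width="600" height="80">
</body></html>
"""

if __name__ == "__main__":
    print(find_trackers(SAMPLE))
```

A full-size image with a tokenised URL is reported with only the second reason, which matches the comment's point that any external resource can carry the identifier, not just an invisible pixel.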
by inertnet on Tuesday December 19, @02:02PM
One could get creative with this and fool the trackers. For instance by accessing a number of 'adjacent' links but not the ones in the email you received. Just for fun of course.
by nobu_the_bard on Tuesday December 19, @03:29PM
It might be a fun exercise but wouldn't have much impact. The better implementations will note that someone is scanning the various URLs, and that is also a data point in and of itself. They don't necessarily simply record the first GET on that URL either, but each usually.
"Black hat" ones might use this to make you a target for more spam or retaliation; actual "legitimate" marketing ones will probably just carve you from the results they feed clients and perhaps block you if it starts getting to DoS levels. Not really great results either way.
Also the URLs could be hashes rather than sequential, though I guess it wouldn't matter if you're just pinging whatever.
(Score: -1, Troll) by Anonymous Coward on Tuesday December 19, @02:50PM
What is the use of images on the web? Is it so we can enjoy works of art? Or is it so teenagers can jerk off to images of nekkid ladies?
And what about jewscript? Why allow code written by your enemies run on your hardware?
by Anonymous Coward on Tuesday December 19, @03:46PM
Uh, that's right: teenagers . . .
by Anonymous Coward on Tuesday December 19, @02:59PM
'I' often open emails without reading them because of a shitty webmail client, "mark unread" is among my most used features.
The interfaces between UI metaphors and reality are too subtle to interpret in ignorance of the implementation, and trying is only going to cause suffering. Imagine if this person, who is apparently foolish enough to think the email being opened means it was read, took action based on that.
by jmorris on Tuesday December 19, @03:19PM
HTML in email could have been a useful concept. If there had been an early RFC mandating inline images, no Javascript and other basic limitations to maintain security and privacy. As is I just turn off HTML rendering and manually ask to see the full message on the one or two that pass through in a day that lack a plain text version and might contain something I give a damn about. Once you do that all the tracking bugs are dead and all that is left is the old email header requesting notification and mail clients generally let you set them up to ask.
As for gmail, what do you expect from a free service? Remember kids, if you aren't paying it is because YOU are the product. And "the cloud" is marketing speak for "someone else's computer" so again you can't complain.
by Anonymous Coward on Tuesday December 19, @04:11PM
yeah there were attempts to prevent abuse, but capitalism won over the honor system.
it is too hard to add regulation to an already entrenched system, and the designers were too idealistic to imagine the harms that the quest for shareholder values can bring upon their creations.
besides i would not have thought you'd encourage regulation like that. it seems against your character, but I do realize that people are complex.
by Anonymous Coward on Tuesday December 19, @03:28PM
Even Outlook blocks this, FFS, and has for years.
If your e-mail client downloads tracking images, it's time to take it out behind the barn and finish it off.
