Arthur T Knackerbracket has processed the following story:
The use of "invisible" tracking tech in emails is now "endemic", according to a messaging service that analysed its traffic at the BBC's request.
Hey's review indicated that two-thirds of emails sent to its users' personal accounts contained a "spy pixel", even after excluding for spam.
Its makers said that many of the largest brands used email pixels, with the exception of the "big tech" firms.
Defenders of the trackers say they are a commonplace marketing tactic.
And several of the companies involved noted their use of such tech was mentioned within their wider privacy policies.
Emails pixels can be used to log:
- if and when an email is opened
- how many times it is opened
- what device or devices are involved
- the user's rough physical location, deduced from their internet protocol (IP) address - in some cases making it possible to see the street the recipient is on
This information can then be used to determine the impact of a specific email campaign, as well as to feed into more detailed customer profiles.
Hey's co-founder David Heinemeier Hansson says they amount to a "grotesque invasion of privacy".
(Score: 5, Insightful) by bradley13 on Thursday February 18 2021, @08:13AM (10 children)
This is why I have Thunderbird set to not download any images without permission.
If I can't tell what someone wants from the text in an email, I surely don't need to see the pics they sent. Or the spy-pixels.
Everyone is somebody else's weirdo.
(Score: 4, Insightful) by dltaylor on Thursday February 18 2021, @08:49AM (1 child)
It also lets you choose whether you do want one/some/all, or not.
That control, plus local history are priceless.
(Score: 2) by corey on Sunday February 21 2021, @09:01PM
Yeah I like that domain control feature too.
My Apple Mail on my iPhone has the setting to not download images. It works well but doesn’t have the control like thunderbird. I almost never load images. The HTML sans images is normally sufficient to get the message from the email and act on it if needed.
(Score: 4, Interesting) by inertnet on Thursday February 18 2021, @11:28AM (2 children)
Me too. Funny side effect: today I got a snail mail letter from a company claiming that they couldn't email me. Sure you can email me, but you don't get to see if and when I open your email.
(Score: 2) by Muad'Dave on Thursday February 18 2021, @12:32PM (1 child)
I've gotten the same thing. "We're not reaching you!"
(Score: 1) by hemocyanin on Friday February 19 2021, @02:14AM
You should enable all automatic downloads -- how else will you learn important information about your car's warranty?
(Score: 1, Informative) by Anonymous Coward on Thursday February 18 2021, @01:36PM (1 child)
Previously I had thunderbird set to not download images, but I had not looked at it since upgrading to version 78. It had reverted back! For others who wish to prevent tb from downloading spy pixels:
thunderbird menu:
view / message body as / simple html
(Score: 5, Interesting) by looorg on Thursday February 18 2021, @02:57PM
That is if you want some HTML, I prefer the 'view / message body as / plain text', it's very rare that I have to switch to simple html to view an email -- but it does happen a few times per year or so. But most of the time it does a good job at just stripping everything that isn't plain text out.
(Score: 2) by richtopia on Thursday February 18 2021, @05:34PM
Same with K9 mail on Android. Plus, less bandwidth consumed.
(Score: 0) by Anonymous Coward on Friday February 19 2021, @03:51AM
Yahoo mail lets me do the same - although Yahoo mail itself puts ad banners around its web pages, so its just a matter of use theirs but still good that when I open an email I'm not connecting to arbitrary servers to fetch images.
(Score: 0) by Anonymous Coward on Friday February 19 2021, @05:11PM
This whole thing makes me want to just block images that are either too small to see or that don't announce their size without a download. That right there would cut down on this a lot. And really, images should be either attached to the email or contain their size anyways. This is the 21st century, large numbers of people have been online for decades, there's simply no excuse for images that don't have the appropriate sizing information in the tag.
(Score: 3, Interesting) by darkfeline on Thursday February 18 2021, @08:18AM (7 children)
I wonder how effective tracking pixels are. Gmail neuters them (all images get proxied through some Google cache server), and it seems most people are using Gmail personally. Anyone on Yahoo, AOL, Outlook, etc are a lost cause, and if you're on ProtonMail, you know what you are doing.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Thursday February 18 2021, @08:41AM (1 child)
I believe ProtonMail downloads the images for you. Their Feb. 14 newsletter has 313.11 KB of embedded images.
(Score: 0) by Anonymous Coward on Thursday February 18 2021, @08:51AM
Never mind, those are attachments. What it does have is a banner warning about remote content, and you have to manually load the images in.
(Score: 5, Informative) by rigrig on Thursday February 18 2021, @11:17AM
That doesn't really neuter <img src="http://evil.trackingcompany.tld/campaign-id-123/this_was_sent_to_darkfeline/pixel.png"> though.
No one remembers the singer.
(Score: 4, Informative) by edIII on Thursday February 18 2021, @07:12PM (3 children)
That's wholly ineffective. I've done some work integrating systems with email platforms like this. Every image has a unique ID these days. So regardless if it is downloaded over TOR, they still know that image was retrieved. Likewise, any links in the email regarding offers will be tied to the customer profile.
Only "good" news here is that this isn't related to SPAM, as much as it is related to companies working a large email list of existing customers with existing business relationships. You can opt-out of the email entirely, and it's usually very well respected. Primarily, because it's only a few large marketing companies that do this, and they won't risk their relationships with the major email providers over it. It's hard to develop very high IP/email reputation. Email providers expect a lot of information, specified back channels for complaints, you name it.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 3, Interesting) by toddestan on Friday February 19 2021, @04:51AM
Does Google cache the image when the email is received, or when it is opened? I would guess the latter, but sometimes Google operates in mysterious ways.
One thing I've seen with some of the overbearing corporate virus scanners is that when they scan an email to see if it's malicious, they'll also follow all the links in the email as well as load all the images to see if they lead to somewhere malicious, and thus trigger all the bugs the marketing types put in their spammy emails. I'm not sure if the marketing types have figured this out yet or not, but I've wondered if that kind of thing might kill off the whole spy pixel thing by injecting tons of noise into their systems. But so far it hasn't seem to have changed anything as the spammy newsletters I did not sign up for at work are still full of mile long URLs.
(Score: 0) by Anonymous Coward on Friday February 19 2021, @05:14PM (1 child)
Absolutely, some of this stuff can be blocked by using a VPN, but at bare minimum they'll know that the image was downloaded by somebody. So, if you've got your own domain name, then they definitely know that it got to a real address, if you're on gmail or some other shared email provider, then it depends whether they download every one of those images or not as to whether they've learned anything about the address without you loading it.
This whole thing is a good argument for blocking any image linked to a message that isn't large enough to be seen or that doesn't indicate it's size. Don't even try loading it without additional user input if it doesn't have an appropriate size listed and block the domain if the listed size is purposefully misleading.
(Score: 2) by edIII on Friday February 19 2021, @07:30PM
No, they will know it was downloaded by you. What I'm speaking about is existing business relationships where you already purchased a product, and actually did opt-in to the newsletter, new offers, etc. Whatever the carrot was, you took the carrot.
In those specific cases, anytime you download the unique picture it is tied to your customer profile. That included full name, billing info, shipping address, billing address, phone number, etc. This works regardless if you are using a truly anonymous packet sharing network, because the data being transferred is what ties it to you, not the location on the network.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 5, Insightful) by RamiK on Thursday February 18 2021, @09:29AM (10 children)
None of this is anything new and it's been the default of most mail clients not to load remote images for years precisely over this.
compiling...
(Score: 4, Insightful) by maxwell demon on Thursday February 18 2021, @12:01PM (9 children)
I guess the problem is that these days a lot of people don't use local mail clients but web interfaces. And the web browser doesn't distinguish between images coming from the online UI and images coming from a displayed email. Unless the webmail server allows blocking images, you only have the option of either blocking all images (which likely renders the webmail UI unusable) or allowing all images.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 4, Insightful) by Runaway1956 on Thursday February 18 2021, @01:19PM (7 children)
I don't think so. Everyone has their opinion, but for my part, mail seems to work just fine with images blocked. I can read the subject, I can read the sender, and that is enough to decide not to even look at most email. When I actually open an email, I see text, or I don't see text. If there is no text, I just close the email, and send it to spam. To my knowledge, I've not had problems with the IRS failing to contact me, or the DMV, or God, or my employer, or Social Security, or the electric company, or any of the small number of online markets that I have chosen to interact with. Ebay and Amazon send an email, I read the text, and decide on an individual basis whether to respond to that particular email. If I decide to respond, I click one link or another, without ever looking at the images.
Maybe twice a year, I am intrigued by something within an email, and click the "display images" button.
To me, opening images seems almost as silly as opening attachments.
(Score: 2) by maxwell demon on Thursday February 18 2021, @03:36PM (6 children)
Your mail provider's web UI has a block images option?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Runaway1956 on Thursday February 18 2021, @03:52PM (3 children)
Yes, it does. When I click emails, I do NOT SEE any images, unless, and until, I click "Display images below" - alternatively, I could click "Always display images from noreply@newsletter.advrider.com"
This is Gmail I am talking about. I have other mail providers that I don't use very often, I'd have to open them and look to see how they work.
(Score: 2) by maxwell demon on Friday February 19 2021, @11:37AM (2 children)
Then reread my original comment. Carefully.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Touché) by Runaway1956 on Friday February 19 2021, @01:14PM (1 child)
OK, I did re-read. As you say, I have limited choices - display all images, or no images. We only differ in our opinions, in that I think blocking all images leaves the mail "usable". There should be a third option to "block remote images" or "block third party images" or similar, which would make the web mail "more usable". I still assert that Gmail is "usable" without displaying images at all.
If I am missing something, you'll have to spell it out.
(Score: 2, Redundant) by maxwell demon on Friday February 19 2021, @01:49PM
Here's the relevant quote from my original post:
Since the webmail server you use does allow it, the rest of the sentence (which includes the part you had quoted in your reply) obviously doesn't apply.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by RamiK on Thursday February 18 2021, @09:50PM
Both gMail and Outlook Online block remote images by default.
compiling...
(Score: 0) by Anonymous Coward on Friday February 19 2021, @05:54AM
The Webmail of my domain's host (Aplus.net) blocks images & styles by default, with buttons for "Show content" or "Always show content from XYZ".
And has other options:
__Trust sources in contacts
__Trust anything I send
__Trust defined sources below
(Score: 2) by unauthorized on Friday February 19 2021, @08:46AM
You can also use browser addons which allow for explicit control of cross-domain requests (eg uBlock). This will break 99% of the modern web without setting up custom and often unintuitive permissions for each domain, but it will kill nearly all forms of client-side tracking bugs. Combine with Decentraleyes for best results.
(Score: 1, Interesting) by Anonymous Coward on Thursday February 18 2021, @09:33AM
Loading external pictures (even as attachment) should not be done by default.
I remember images exploiting buffer overflows and similar issues for code execution within the image libraries in the past... how common are these attack vectors being present/exploited these days?
(Score: 5, Informative) by PiMuNu on Thursday February 18 2021, @09:47AM
Just FYI, Hey is some email/social web UI manager thing. This is just marketing material from them, kindly reposted by BBC. There was a similar article a year or two ago.
(Score: 5, Insightful) by Arik on Thursday February 18 2021, @10:31AM (13 children)
HTML in email should result in it being rejected by the server. It's very simple. Bounce that garbage back.
If laughter is the best medicine, who are the best doctors?
(Score: 1, Informative) by Anonymous Coward on Thursday February 18 2021, @11:33AM (1 child)
Ah yes, that takes me back to the days where certain participants in certain physics experiments not only took the Microsoft shilling, but swallowed the bloody thing.
One place in particular, proxy 200KB html/xml abominations sent straight from Word (FFS!) to send one line of text....the filters on my servers made short work of them, even with a nice 'no html email accepted' bounce message, so I ignored it as being SEFP, that was until I was one day informed by the PHB to let them through.
Several decades later, and here we are...
(Score: 2) by Gaaark on Thursday February 18 2021, @12:47PM
Talking about the Big Bang Theory guys?
Yeah... i can see why Hawking was on there, but Billy Bob Gates? Man, IT Crowd is a much better show.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 3, Interesting) by shortscreen on Thursday February 18 2021, @11:56AM (1 child)
HTML email is retarded. The funny part is that it's possible to send an email that contains separate HTML and plain text bodies within it. So you know how the retards handle this? If they include a plain text section at all, they just populate it with a generic error message or a link to their website.
(Score: 2) by SpockLogic on Thursday February 18 2021, @03:51PM
HTML email is evil.
Eudora, I miss you.
Overreacting is one thing, sticking your head up your ass hoping the problem goes away is another - edIII
(Score: 2, Insightful) by SemperOSS on Thursday February 18 2021, @01:12PM (6 children)
Hm, well. I am not so sure I buy this. As much a nerd as I may be, I still think that presentation makes a difference and can transfer the message much more easily than tons of text. (Yes, picture and thousand words comes to mind.)
We, of the more technological persuasion, need to remember that we are still a minority and that we cannot (and should not) bend everyone to our beliefs. I know it can be difficult to descend from the ivory tower of technical superiority to deal with other people's demands of accessible and understandable information, or to deal with a decadent society where looks and bling mean more than cerebral profiency … but that is, unfortunate as it may be, the reality we live in.
I would happily see the single-pixel, hidden image — and all the other nefarious, abusive, privacy-bashing objects and methods — disappear … not that I see them myself due to Thunderbird's possibility of not downloading pictures unless I tell it to. The truth is it will not happen and we will therefore have to tackle this in the ongoing arms race with all the businesses that cannot survive without knowing every sordid (or not) detail of our sorry (or not) lives.
If I rejected HTML E-mails on the server level, I would now be homeless as no estate agent seems to know anything about text-only E-mails to send text-only messages.
I don't need a signature to draw attention to myself.
Maybe I should add a sarcasm warning now and again?
(Score: 0) by Anonymous Coward on Thursday February 18 2021, @01:45PM (1 child)
So all those non-techie socket moms are doing the right thing using Apple Ismail, no images displayed by default.
Most people won’t click to show images when it’s still much easier to just flag it as spam.
(Score: 0) by Anonymous Coward on Friday February 19 2021, @01:49PM
> socket moms
Is this the latest name for MILFs?(grin)
(yes, I know it's just a typo, but hit my funny bone)
(Score: 2) by janrinok on Thursday February 18 2021, @02:12PM
Yet text messages are still popular. I'm not sure that any technological bent is required to send a text only message. There are, IMO. very few instances where a picture would be an improvement to any of the emails that I receive - so I don't see them.
(Score: 3, Interesting) by RS3 on Thursday February 18 2021, @02:32PM (2 children)
I understand what you're saying, but your statement is too narrow. It's not simply a matter of aesthetics. This could get far more philosophical than I have time (or attention) for, but often we techies develop things that can be very useful, but also very dangerous. Hopefully I don't need to list the many examples, but electricity is a good one. When electricity was first used for lights, appliances, etc., it wasn't very well protected. Things had exposed metal conductors and people could touch them and get shocked, maybe electrocuted. Other things could touch them and cause fires, etc. So the inventive minds developed insulation, insulated connectors, etc.
The many problems with web / email safety, privacy, and security, is that most people don't understand the dangers they're living with. Aesthetics can be a Venus fly trap. That pretty car could be a deathtrap. I'd rather err on the side of safety.
If you really want the aesthetics, embed the image in the email- not js and links to things that enable tracking, spying, and voyerism.
(Score: 1, Informative) by Anonymous Coward on Thursday February 18 2021, @07:41PM (1 child)
Texting worked quite fine without images until people fucked it up with emojis.
(Score: 3, Insightful) by RS3 on Thursday February 18 2021, @08:35PM
Yup. That and the various texting apps that use MMS which requires data connection (and cost to some of us) even though they're only sending actual text.
(Score: 2) by jb on Friday February 19 2021, @02:42AM
HTML in email should
result in it being rejected by the serverbe a capital offence.There, FTFY.
(Score: 0) by Anonymous Coward on Friday February 19 2021, @05:17PM
That's a bit extreme, HTML brings legitimate markup options to the table. Blocking any content from being loaded via links would accomplish the same basic thing without giving up the ability to use HTML's markup features to make it more readable.
(Score: 3, Interesting) by shortscreen on Thursday February 18 2021, @12:23PM
So many senders are sure that my email reader will load their arbitrary web shit.
Then I get tons of emails with nothing but blank rectangles.
And multiple copies of the same email.
Emails asking why I haven't been reading their emails.
Out-of-band messages telling me to sign in to my account and update my email address.
Emails saying I'll be taken off the mailing list, which then turns out to be an empty promise when they keep sending anyway.
It's pretty dumb, but less annoying than the practice of obfuscating every single link with some MITM crap.
(Score: 4, Touché) by drussell on Thursday February 18 2021, @01:30PM (2 children)
I read my e-mail in Pine.
(Score: 2) by RS3 on Friday February 19 2021, @02:26AM
Pine (Alpine) was my first email client in the 90s and I loved it. I still use Pine on servers, but I haven't used it for my personal email for years. I just discovered they have a Windows port, but I haven't tried it.
Do you use it on Windows, or Linux, or ?
AFAIK Pine does not fetch pop3 mail. Way back in the day I had used "fetchmail" but found it a bit tedious / fiddly to get it set up. So I actually used Netscape mail (IIRC) or some other similar client, just to pull pop3 mail into an "inbox" file, then Pine worked perfectly.
How do you get pop3 mail into your computer?
(Score: 1) by anyanka on Friday February 19 2021, @04:21AM
Back in the day, Pine was the client with the fancy user interface :D
(Score: 3, Interesting) by helel on Thursday February 18 2021, @03:01PM (2 children)
Some of my friends/family can be a real pain to get in touch with sometimes so getting a ping when they open my email lets me know they're at their phone and available to call.
(Score: 3, Informative) by looorg on Thursday February 18 2021, @04:41PM (1 child)
But you shouldn't need tracking pixels for that. If only people actually used the normal standardized return receipt function (MDN - RFC 3798) there wouldn't be a need for hidden or tracking pixels. Unless of cause you are advertiser scum that needs to track people so you can sell them more shit. That said I do find it more normal then not to have all such return receipt functions off, cause you know people don't want to be tracked -- but yet they watch full HTML emails with images and all that. Makes absolutely no sense.
(Score: 0) by Anonymous Coward on Thursday February 18 2021, @08:32PM
I find RFC 2549 [ietf.org] to be more reliable.
(Score: 2, Insightful) by fustakrakich on Thursday February 18 2021, @03:12PM
That's supposed to be a defense for the practice? Well hell, if everybody's doing it, it's perfectly ok, right? And the fucking press? No challenge from those weasels. WTF?
La politica e i criminali sono la stessa cosa..
(Score: 1, Insightful) by Anonymous Coward on Thursday February 18 2021, @03:49PM
That I read/write/respond to email via mutt. And for those fools who insist on html crapola without an equivalent plain text copy, mutt is setup to use lynx to render a plain text copy of the html crapola.
So the tracking pixels will never be 'pinged'.