Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Technology

Spy Pixels In Emails Have Become Endemic (bbc.com) 217

AmiMoJo writes: The use of "invisible" tracking tech in emails is now "endemic", according to a messaging service that analysed its traffic at the BBC's request. Hey's review indicated that two-thirds of emails sent to its users' personal accounts contained a "spy pixel", even after excluding for spam. Its makers said that many of the largest brands used email pixels, with the exception of the "big tech" firms. Defenders of the trackers say they are a commonplace marketing tactic. And several of the companies involved noted their use of such tech was mentioned within their wider privacy policies. Emails pixels can be used to log: if and when an email is opened, how many times it is opened, what device or devices are involved, the user's rough physical location, deduced from their internet protocol (IP) address - in some cases making it possible to see the street the recipient is on.

This information can then be used to determine the impact of a specific email campaign, as well as to feed into more detailed customer profiles. Hey's co-founder David Heinemeier Hansson says they amount to a "grotesque invasion of privacy". And other experts have also questioned whether companies are being as transparent as required under law about their use.

This discussion has been archived. No new comments can be posted.

Spy Pixels In Emails Have Become Endemic

Comments Filter:
  • When possible... (Score:5, Interesting)

    by Anonymous Coward on Wednesday February 17, 2021 @11:11AM (#61072228)
    When possible, I download all e-mail via SMTP and view it with a client that supports complete disablement of loading of external resources. Not specifically for the 'pixels', but more because I never really got into the whole HTML/RTF e-mail thing. I shouldn't have to load half a megabyte of rubbish to read two lines of text. More relevantly, as the sender, you should have no reason to expect that I would want to inform you that I've read it, much less where I read it from.
  • by Bigbutt ( 65939 ) on Wednesday February 17, 2021 @11:11AM (#61072230) Homepage Journal

    That's my default settings. I'm an outlier though I guess especially since I have to keep shifting O365 back to plain text as it doesn't seem to maintain that setting.

    [John]

    • by BAReFO0t ( 6240524 ) on Wednesday February 17, 2021 @11:54AM (#61072396)

      The plain text meme can die in a fire though. This is not the 80s. Using markup where useful is not wrong.

      It's all that stuff that veers away from it only being a document, that's problematic. Like scripts or design that you would never see in a printed document.

      And images can and should be embedded, if only so half the content isn't gone, when the sender decides to remove the old stuff from their server.

      • by Bigbutt ( 65939 )

        Sure, and I do use markup when needed. I'm not, "I will ONLY use plain text." But 99% of what I send out doesn't need to be in HTML.

        [John]

      • Agree with your logic, but many developers suffer from the "Beach Boys" phenomenon--they think "wouldn't it be nice if.." (a song from their Pet Sounds album [wikipedia.org]) and go ahead and implement things without thinking "what could possibly go wrong" or "does anybody else want this."

        The Beach Boys phenomenon is often coupled with the "Princess Bride Effect" where they think "it's inconceivable."

        • by Kaenneth ( 82978 ) on Wednesday February 17, 2021 @03:43PM (#61073144) Journal

          I was working for a company that was working on a e-commerce site for Wizards of the Coast, and I found the site allowed SCRIPT tags in USERNAMES, I signed up as a user that made a popup appear to any other user/admin that loaded a page where their name appeared.

          Management response: "Why would anyone want to hack a website?" refused to fix, company no longer exists.

      • by AmiMoJo ( 196126 ) on Wednesday February 17, 2021 @12:24PM (#61072520) Homepage Journal

        The problem with advanced formatting in emails is that I want them to display how I prefer to read them, and care little for your font preferences or colour choices.

        Bold and italics are okay but I don't want your pink on blue Comic Sans.

        • by Pascoea ( 968200 )

          I don't want your pink on blue Comic Sans.

          I like it when I get e-mails in dumb fonts, backgrounds, colors, etc. It makes it easer for me to instantly detect if an e-mail can be safely ignored.

      • by ebyrob ( 165903 )

        If HTML wasn't insecure crap, this might be true. Unfortunately bold font is apparently too difficult to implement without a giant back-door.

        Also... plain-text does the job. Why exactly does anyone need more than that unless it is ad copy (which I don't want anyways).

        (Actually even UNICODE has had security issues in the past, but I can see where UNICODE is actually a necessity for pretty much anything non-english speaking)

      • by hey! ( 33014 ) on Wednesday February 17, 2021 @12:52PM (#61072630) Homepage Journal

        Markup doesn't have to be HTML. You can use something like **Markdown** (see what I did there?) or another lightweight markup language which is intuitive to read in plain ASCII, can express most of what you'd want to express in HTML formatted email, and can be mechanically translated to HTML. I use MultiMarkdown, a slightly more expressive version of Markdown. A lot of why I like it is that I'm a touch typist; it's just more convenient.

        HTML is a more powerful tool, but this is another example of how "more powerful" is not necessarily better for the users. There's a place for a sledge hammer, and also a place for a tack hammer.

      • It would help if people used markup properly. The people that use markup are the same people who say "The password is "hunter2" (without quotes)" instead of "The password is hunter2"

      • by sjames ( 1099 )

        The vast majority of phishing only works because of dirty HTML tricks. That's a pretty damned high price to pay.

    • by nagora ( 177841 )

      +100%

      Also: don't use Outlook.

  • by rsilvergun ( 571051 ) on Wednesday February 17, 2021 @11:13AM (#61072244)
    or is it really that slow a news day? I mean, there's that stuff in Texas going on... Anyway email clients have refused to load images by default for years now. This isn't news.
    • Yes, maybe they did not put winter lubricant in the Windmills. We had the same problem here in MN the first winter. The California company that put the windmills in here did not think about cold weather. oops!
      funny ;) cold unforeseen in winter or negligent engineering?
      • Re: (Score:2, Insightful)

        Comment removed based on user account deletion
        • and the rest of the grid. Plus Texas refused to connect to other's state's Grids. This was done so they could avoid additional federal regulations that kick in under interstate commerce clause (and would require the private company that owns everything to make their grid more resilient, biting into profits).
        • Re: (Score:2, Insightful)

          While Texas has windmills, its power needs have never been met primarily by windmills.

          Don't tell Crenshaw that. He'll think you're calling him a liar for his appearance on the Fox tabloid [foxbusiness.com]. It is interesting to note he never mentioned that natural gas, a non-renewable, wasn't running and provides more energy than the windmills do.

          I guess when you're trying to score points with the uneducated it's easier to lie than it is to present facts. At least the article got the facts right even though they
        • Different people are emphasizing different facts that they think support some political position.

          Texas is experiencing an extended period of record cold.
          This isn't a normal winter.

          Because we don't normally have temperatures below zero, we don't have de-icing systems on our windmills and certain other power-related equipment. Windmills make up something like 23% of our power, so that's reducing supply.

          At the same time, because we generally have mild winters, we use heat pumps most of the year and resistance

      • Yes, maybe they did not put winter lubricant in the Windmills. We had the same problem here in MN the first winter. The California company that put the windmills in here did not think about cold weather. oops! funny ;) cold unforeseen in winter or negligent engineering?

        If Texas has ever experienced snow (like ever), then the unforeseen turns into a rather shitty excuse real quick-like.

        • by PCM2 ( 4486 )

          If Texas has ever experienced snow (like ever), then the unforeseen turns into a rather shitty excuse real quick-like.

          It does seem to be the go-to excuse, though. I remember some years ago, my sister's town in Texas (either Plano or someplace next door) was entirely shut down by a few inches of snow. The municipality owned no snowplows, and most of my sister's neighbors didn't even seem to own a shovel.

        • by JustAnotherOldGuy ( 4145623 ) on Wednesday February 17, 2021 @12:29PM (#61072536) Journal

          People like Tucker Carlson are busy blaming it on Pelosi and California. I have no idea where they come up with this shit, but they always know who to try to blame.

          So yeah, somehow California is to blame for ERCOT not understanding that winter is coming and that the temperature goes down when that happens.

          Amusingly, ERCOT stands for the Electrical Reliability Council of Texas.

          This is what happens when a state is so butthurt at losing the Civil War that they intentionally REFUSE to couple to the National Power Grid like every other state does. Smooth move, Texas!

          • This is what happens when a state is so butthurt at losing the Civil War that they intentionally REFUSE to couple to the National Power Grid like every other state does. Smooth move, Texas!

            This isn't necessarily in defense of the Republic of Texas, but I wonder what your argument actually looks like? After all, it's good to dabble in a bit of reality when changing your states power supply.

            Number of times Texas towns are shut down due to not being on the National Power Grid vs. Number of times states have experienced massive rolling blackouts/brownouts because they are on the National Power Grid. This happened 24 hours ago:

            "Evergy, Midwest Energy and Sunflower Electric all notified their customers at mid-morning Tuesday that an order to impose blackouts had been lifted. The Southwest Power Pool ordered the blackouts Monday and early Tuesday to save energy reserves in the 14 states it oversees. The SPP said it has enough generating capacity to meet the demand for electricity, but the rolling blackouts were being conducted to protect the regional power grid."

            (Texas) "Ya'll have fun with that bullshit. We'll take our chances."

            • by JustAnotherOldGuy ( 4145623 ) on Wednesday February 17, 2021 @04:04PM (#61073218) Journal

              I don't think I see your point.

              The fact is that TX deliberately chose NOT participate in the National Power Grid for whatever reason, and now they're in the shit for it. AND they're begging other states for power.

              If they were part of the grid they A) wouldn't have had 4 million people in the dark, and B) they wouldn't have to beg for power- that's literally what the *national* grid exists for- to balance power needs across the US. Thank goodness the forward-thinkers in TX were way too smart to fall for that!!

              But hey, Texas- you do you, and try not to freeze to death. Yee haaaa.

          • by sjames ( 1099 )

            Perhaps Reliability has become another one of those political words. Kinda like countries run by a dictatorship inevitably include "Democratic" or "People's" in their official name.

    • Yeah, old news. I was doing this 20 years ago.

      Even better, back then Outlook would let you get to the DOM via a script, which you could then post back to your own server through the tracking GIF. So if the recipient forwarded the email, you could collect the next sets of addresses *and* any text added to the content. Pretty sure I figured that out from a Slashdot article back then.

      Surely they've fixed that by now. Right?

  • Have never seen them (Score:2, Interesting)

    by gweihir ( 88907 )

    That may be because I read email with Mutt and pipe HTML through Lynx to textify it.

    I will never understand the sheer stupidity of misusing a browser to display email.

    • Blame Microsoft. Their fault for making it popular.

      • Blame Microsoft. Their fault for making it popular.

        ...right after you place the blame where it belongs, Netscape which became Mozzila pushed an email client that defaulted to displaying html - it took several years before anyone else did the same

    • Imagine misusing it to watch movies, run a 3D game, or virtualize Linux! ^^

    • I will never understand the sheer stupidity of misusing a browser to display email.

      Okay, that's just silly.

    • by ceoyoyo ( 59147 )

      Well, you see, way back in the late 90s and early 2000s the GUI had pretty much taken over, and a command line was just some hacker thing. So typically a public terminal would give you access to the web and that's it. Since computers were fairly big and heavy and you didn't always have one with you, it would be awfully convenient if you could use such a public terminal to check your e-mail. So people came up with inventive things like SquirrelMail, which sticks a web front end on an IMAP server. Some bright

  • It's not a problem (Score:5, Informative)

    by Chris Mattern ( 191822 ) on Wednesday February 17, 2021 @11:16AM (#61072260)

    In Thunderbird, from the menu, Edit/Preferences. Choose "Privacy" and uncheck "Allow remote content in messages". This is disabled by default, in fact. Similar functions exist in any other mail client.

  • by Forty Two Tenfold ( 1134125 ) on Wednesday February 17, 2021 @11:19AM (#61072266)
    I don't think it means what I think you think it means.
  • by TheNameOfNick ( 7286618 ) on Wednesday February 17, 2021 @11:24AM (#61072282)

    If your mail doesn't come with a plain text version, I'm not reading it. Anything that isn't attached to the email does not exist. Advertisers are scum.

  • by great throwdini ( 118430 ) on Wednesday February 17, 2021 @11:27AM (#61072300)

    Having long ago worked for not-even-close to the largest or most sophisticated marketing emailer (on behalf of Fortune 500 clients) waaaay back in 1999, the use of "spy" pixels (aka beacons, etc.) was de rigueur. So much so that firms couldn't compete without even that very basic tracking functionality in place.

    Even assuming that by now a lot of what was once outsourced may have been taken in-house with turnkey emailing solutions, I find it hard to believe that adoption of this technique isn't closer to 100%.

  • by QuietLagoon ( 813062 ) on Wednesday February 17, 2021 @11:35AM (#61072314)
    ... that's the way I have it configured. Though I suspect many companies will go the way of newegg.com's marketing and sale emails, and not show anything useful unless you allow remote content to be loaded. So I removed myself from the newegg.com email list.
    • I wonder how effective pi-hole is at blocking these trackers. It amazes me how out of touch advertisers are...

      • Comment removed (Score:5, Insightful)

        by account_deleted ( 4530225 ) on Wednesday February 17, 2021 @12:02PM (#61072436)
        Comment removed based on user account deletion
        • You seem to be of the mistaken impression that those metrics really matter, or really provide actionable inteligence that can be converted into sales. Marketing is about the 2% rule, only with email it is more likely 0.2% conversion rate. This means you are annoying a disproprtionate number of people you contact, and your solution to improving sales is to annoy more people.

          I know my wife tolerates more spam than I do, and buys some of the crap from or associated with it, but even she has a lower than 2% h

    • Only once in my life have I *ever* found a lower price for something on Newegg. I don't see why people continue to patronize them. Why pay more for the same exact item?

      I routinely include them in searches when I buy PC gear, but they never ever have a good price; often it's well above what every other store sells it for. How do they stay in business?

      • Recent answer. Because they were the only one that had it. And ebay would have been higher and riskier.

      • by hawk ( 1151 )

        a "good enough" price for things that they ship from a warehouse that's apparently sitting on top of a UPS distribution depot.

        I haven't ordered from them in some time, but over 250 miles away in the next state, free ground shipping usually arrives the next day, even ordering at 6PM.

  • by Etcetera ( 14711 ) on Wednesday February 17, 2021 @11:38AM (#61072330) Homepage

    Tracking pixels have been a thing since long before Google bought Doubleclick; and the solution to the privacy implications is usually the same: disable image loading by default unless you trust the sender. And avoid small image size loads when possible.

    Incidentally, the Big Tech firms don't need to use tracking pixels because half the targets are using Gmail or Live/Outlook anyway, which will happily scan your email and give way more metrics back than a tracking pixel will to begin with. It's only the on-net Outlook folks who will want more privacy.

    • > Gmail or Live/Outlook anyway, which will happily scan your email and give way more metrics back than a tracking pixel will to begin with

      They _absolutely_ do not share any data with email senders that is interesting, in the least. At the most broad they provide aggregate complaint rates per sending IP (GPT or SNDS). At the most specific, they will forward back to you the entire email that a user reported as spam as part of their FBL process (Gmail doesn't even do this).

      The do not share any data about in

  • What does the spam folder have to do with anything?

    The thing that blocks these tracking pixels is not which folder it's in, but the "load images" setting. You have to deliberately turn on this setting, because all email software that I know about has it turned off by default, and you generally have to enable it specifically for each sender.

    This has been a thing since...oh...1995 or so.

  • Suppose I want to turn the tables. How do I put "spy pixels" in my emails to see if they are read?
  • Don't all e-mail clients block external resources by default, and offer enabling domain-specific resource only if you want them?

    I thought that was standard for at least a decade now.

  • Marketing - See evil, advertising, scum
  • Another approach (Score:5, Interesting)

    by bluegutang ( 2814641 ) on Wednesday February 17, 2021 @12:05PM (#61072442)

    A number of comments so far have noted that various programs disable loading of images in emails, due to image tracking.

    IIRC Gmail, though, takes something of the opposite approach. Immediately when an email is received, Google loads the images in it and stores a local copy for when the use wants to read the email. It does this whether or not the email is read, in fact, whether or not the Gmail account to which the mail is addressed even exists. Thus, anyone who sends a mail to a Gmail account can count on the tracking image being read - but by the server, not the user. Thus the image is useless for tracking, whether or not the email is opened. Whereas with the alternate method of disabling image loading, the tracking is still effective if the user decides they do want to see the image.

    • It's crazy how wrong this is.

      > Immediately when an email is received, Google loads the images in it and stores a local copy for when the use wants to read the email

      No, they don't.

      > in fact, whether or not the Gmail account to which the mail is addressed even exists.

      No, they don't, *especially* if the Gmail account doesn't exist. Like every other provider, if an account doesn't exist, they reject the message before any of the data has even been sent.

      > Thus, anyone who sends a mail to a Gmail account

  • Is there a single person on this site that's surprised to hear that *gasp* emails are tracked? Shocked sir, shocked I say. I'm veritably choking on my handlebar mustache wax just at the thought of it! Where's my fainting couch?
  • "load remote images" enabled for this to work? I'm a dumb OSX-User, but afaik, Apple Mail doesn't do that by default.
    • by Tailhook ( 98486 )

      Almost no contemporary email clients load images by default. The reason this technique is viable is that users bash on the "allow" button/link the instant they sense the slightest impedance.

  • Is that supposed to be an excuse? Marketing tactics means "I am doing this to make money", and it's not like no one has ever done something wrong to make money. Oh wait, that's why 90% of evil crap get done. As for 'commonplace', the following all used to be commonplace:

    Child labor
    Cocaine and Opium in products that did not list ingredients.
    Slavery

  • The use of "invisible" tracking tech in emails is now "endemic",

    And other experts have also questioned whether companies are being as transparent as required under law about their use.

    I think that answers itself.

  • If you've been aware awhile, you must have heard "HTML email is an abomination". Ponder this venerable saying. There is reason for the disgust. Marketters might love it but why encourage spam?

    As others have posted, using fast text MUAs (mutt) or at least avoiding autoloading images (even on iOS) improves both speed and security.

  • I'm not in favor of it, but i want to point out that the email pixel is not a perfect as it is sold to be. A few reason (probably more can be added).

    1. if you don't load the images you are not tracked (they assume you have not read it, in fact you might have).

    2. If you forward your message to someone, they'll track them as if it was you (in terms of location and times it was opened).

    3. Some corporate email systems preload all email images to scan for viruses or other treats, this will show as "read email" w

  • You have to whitelist in senders to see the images.

  • ... that won't inconvenience staff to the point of choosing between allowing the spying or putting up with the whining?

    • by Voyager529 ( 1363959 ) <[moc.oohay] [ta] [925regayov]> on Wednesday February 17, 2021 @01:33PM (#61072782)

      Add a PiHole to your environment. If you're using MS AD or some other internal DNS server, make its upstream DNS server the PiHole and let the PiHole use Quad9 or FoolDNS or your ISP's DNS or whatever. If you've got a marketing team or someone else who really, really needs to use Google Analytics or whatever, add them to an exclusion list so they only use public DNS servers and let them have all their e-mails tracked; they're marketing, so they won't care.

      Not all tracking pixels would be 100% blocked, but most of them would be =)

      • We use content filtering but when the content is coming from legitimate domains blocking becomes problematic and impacts operations.

        The last decade it seems this line of work has turned into 'whack-a-mole' vs the latest security hole or scumbags coming up with new ways to spy.

        Perhaps we're seeing "State Department" type destabilization tactics applied to IT - make everything so SHIT that we'll welcome a shitty centralised 100% controlled and surveilled IT ecosphere because it's "better" ;)

        In the end, we all

      • ... they're marketing, so they won't care.

        Who markets to the marketers?

      • by AmiMoJo ( 196126 )

        If you have AD then a PiHole probably isn't fast enough for your number of users. Even a Pi 4 doesn't scale very well.

        You could use a VM on better hardware, or just install software on client PCs.

  • Who is still using an email client that loads images from unknown senders by default?

  • "Pixel Tracking" is a terrible term and should be abolished. It actually displays no understanding about the implementation, nor how these things operate.

    It's just another example of how incredibly dumbed-down terms can actually be damaging to the technical understanding of anything.

  • Why do they call them "Spy" pixels, and what is wrong with tracking pixels? For that matter are we really that afraid of images in emails?

    It's useful to know if somebody has read an email and AFAIK, a tracking pixel is one of the only ways to do it.

    It's trivial to just add a logo and use that to track instead of a 1 pixel transparent image. Are we going to call those "Spy Logos"?

With your bare hands?!?

Working...