Spy Pixels In Emails Have Become Endemic (bbc.com)
AmiMoJo writes: The use of "invisible" tracking tech in emails is now "endemic", according to a messaging service that analysed its traffic at the BBC's request. Hey's review indicated that two-thirds of emails sent to its users' personal accounts contained a "spy pixel", even after excluding for spam. Its makers said that many of the largest brands used email pixels, with the exception of the "big tech" firms. Defenders of the trackers say they are a commonplace marketing tactic. And several of the companies involved noted their use of such tech was mentioned within their wider privacy policies. Email pixels can be used to log: if and when an email is opened, how many times it is opened, what device or devices are involved, the user's rough physical location, deduced from their internet protocol (IP) address - in some cases making it possible to see the street the recipient is on.
This information can then be used to determine the impact of a specific email campaign, as well as to feed into more detailed customer profiles. Hey's co-founder David Heinemeier Hansson says they amount to a "grotesque invasion of privacy". And other experts have also questioned whether companies are being as transparent as required under law about their use.
When possible... (Score:5, Interesting)
Re:When possible... (Score:4, Interesting)
Hmm...is there an iOS equivalent of a plain text email reader for the phone and tablet?
Re: When possible... (Score:3)
How would the input work then? Mutt and touchscreens aren't exactly a perfect match.
Re: When possible... (Score:4, Informative)
I use mutt on my Samsung phone, through termux.
It works fine, though it's most convenient if you use the "hacker's keyboard" app with it instead of the default Samsung keyboard.
Re:When possible... (Score:4, Insightful)
It seems like my web-based email clients always block "unsafe images", and what they mean is "all remote images".
Tracking pixels show up as an image (somewhat ironically) indicating the original image was blocked.
Re:When possible... (Score:5, Funny)
Hotmail? What's up with that gramps?
We use it to let each other know when Matlock is on. Something something off my lawn.
Re: (Score:2)
" view it with a client that supports complete disablement of loading of external resources."
How fancy; where did you ever find such a client?
Wait... which client does NOT support this?
Everything from Microsoft Outlook desktop to the Samsung email mobile app, to gmail's web app to the iphone's mail app has this feature.
Shit, even GMAIL blocks this (Score:5, Informative)
IIRC, even GMail blocks this. It does so by having Google automatically cache all the spy pixels, so you just know the mail was delivered.
When possible...use dial-up. (Score:2)
Half meg of rubbish justifies investing in broadband much like windows rubbish justified buying an ever more powerful computer each year. Welcome to progress.
Re:When possible... (Score:4, Interesting)
Disable Image Load, Write in Plain Text (Score:5, Insightful)
That's my default settings. I'm an outlier though I guess especially since I have to keep shifting O365 back to plain text as it doesn't seem to maintain that setting.
[John]
Re: Disable Image Load, Write in Plain Text (Score:5, Interesting)
The plain text meme can die in a fire though. This is not the 80s. Using markup where useful is not wrong.
It's all that stuff that veers away from it only being a document, that's problematic. Like scripts or design that you would never see in a printed document.
And images can and should be embedded, if only so half the content isn't gone, when the sender decides to remove the old stuff from their server.
Re: (Score:2)
Sure, and I do use markup when needed. I'm not, "I will ONLY use plain text." But 99% of what I send out doesn't need to be in HTML.
[John]
Re: Disable Image Load, Write in Plain Text (Score:2)
The Beach Boys phenomenon is often coupled with the "Princess Bride Effect" where they think "it's inconceivable."
Re: Disable Image Load, Write in Plain Text (Score:4, Funny)
I was working for a company that was working on an e-commerce site for Wizards of the Coast, and I found the site allowed SCRIPT tags in USERNAMES. I signed up as a user that made a popup appear to any other user/admin that loaded a page where their name appeared.
Management response: "Why would anyone want to hack a website?" refused to fix, company no longer exists.
Re: Disable Image Load, Write in Plain Text (Score:4, Informative)
The problem with advanced formatting in emails is that I want them to display how I prefer to read them, and care little for your font preferences or colour choices.
Bold and italics are okay but I don't want your pink on blue Comic Sans.
Re: (Score:3)
> I don't want your pink on blue Comic Sans.
I like it when I get e-mails in dumb fonts, backgrounds, colors, etc. It makes it easier for me to instantly detect if an e-mail can be safely ignored.
Re: (Score:2)
But how else are you going to get your ransom notes?
Re: (Score:3)
Re: (Score:2)
If HTML wasn't insecure crap, this might be true. Unfortunately bold font is apparently too difficult to implement without a giant back-door.
Also... plain-text does the job. Why exactly does anyone need more than that unless it is ad copy (which I don't want anyways).
(Actually even UNICODE has had security issues in the past, but I can see where UNICODE is actually a necessity for pretty much anything non-English speaking)
Re: Disable Image Load, Write in Plain Text (Score:4, Interesting)
Markup doesn't have to be HTML. You can use something like **Markdown** (see what I did there?) or another lightweight markup language which is intuitive to read in plain ASCII, can express most of what you'd want to express in HTML formatted email, and can be mechanically translated to HTML. I use MultiMarkdown, a slightly more expressive version of Markdown. A lot of why I like it is that I'm a touch typist; it's just more convenient.
HTML is a more powerful tool, but this is another example of how "more powerful" is not necessarily better for the users. There's a place for a sledge hammer, and also a place for a tack hammer.
Re: (Score:3)
> HTML is a more powerful tool, but this is another example of how "more powerful" is not necessarily better for the users. There's a place for a sledge hammer, and also a place for a tack hammer.
Said on a site that uses HTML in its comment boxes.
Re: (Score:2)
I have my comment boxes set to plain text.
Re: Disable Image Load, Write in Plain Text (Score:4, Funny)
Re: (Score:2)
I almost never use HTML unless I'm doing a link; I'll use text markup and people just *understand*.
Re: (Score:2)
It would help if people used markup properly. The people that use markup are the same people who say "The password is "hunter2" (without quotes)" instead of "The password is hunter2"
Re: Disable Image Load, Write in Plain Text (Score:4, Funny)
Don't give people ideas....
"Your password must contain at least one uppercase letter, lowercase letter, number, special character, and bold, italic, or underlined text."
Re: (Score:3)
The vast majority of phishing only works because of dirty HTML tricks. That's a pretty damned high price to pay.
Re: (Score:2)
+100%
Also: don't use Outlook.
Did we go back in time or something? (Score:4, Insightful)
Re: (Score:2)
funny
Re: (Score:2, Insightful)
Also they could have weatherized the windmills (Score:2, Insightful)
Re: (Score:2, Insightful)
Don't tell Crenshaw that. He'll think you're calling him a liar for his appearance on the Fox tabloid [foxbusiness.com]. It is interesting to note he never mentioned that natural gas, a non-renewable, wasn't running and provides more energy than the windmills do.
I guess when you're trying to score points with the uneducated it's easier to lie than it is to present facts. At least the article got the facts right even though they
Re: (Score:2)
Different people are emphasizing different facts that they think support some political position.
Texas is experiencing an extended period of record cold.
This isn't a normal winter.
Because we don't normally have temperatures below zero, we don't have de-icing systems on our windmills and certain other power-related equipment. Windmills make up something like 23% of our power, so that's reducing supply.
At the same time, because we generally have mild winters, we use heat pumps most of the year and resistance
Re: (Score:2)
Yes, maybe they did not put winter lubricant in the Windmills. We had the same problem here in MN the first winter. The California company that put the windmills in here did not think about cold weather. oops! funny ;) cold unforeseen in winter or negligent engineering?
If Texas has ever experienced snow (like ever), then the unforeseen turns into a rather shitty excuse real quick-like.
Re: (Score:2)
> If Texas has ever experienced snow (like ever), then the unforeseen turns into a rather shitty excuse real quick-like.
It does seem to be the go-to excuse, though. I remember some years ago, my sister's town in Texas (either Plano or someplace next door) was entirely shut down by a few inches of snow. The municipality owned no snowplows, and most of my sister's neighbors didn't even seem to own a shovel.
Re:Did we go back in time or something? (Score:5, Insightful)
People like Tucker Carlson are busy blaming it on Pelosi and California. I have no idea where they come up with this shit, but they always know who to try to blame.
So yeah, somehow California is to blame for ERCOT not understanding that winter is coming and that the temperature goes down when that happens.
Amusingly, ERCOT stands for the Electrical Reliability Council of Texas.
This is what happens when a state is so butthurt at losing the Civil War that they intentionally REFUSE to couple to the National Power Grid like every other state does. Smooth move, Texas!
Re: (Score:2)
> This is what happens when a state is so butthurt at losing the Civil War that they intentionally REFUSE to couple to the National Power Grid like every other state does. Smooth move, Texas!
This isn't necessarily in defense of the Republic of Texas, but I wonder what your argument actually looks like? After all, it's good to dabble in a bit of reality when changing your state's power supply.
Number of times Texas towns are shut down due to not being on the National Power Grid vs. Number of times states have experienced massive rolling blackouts/brownouts because they are on the National Power Grid. This happened 24 hours ago:
"Evergy, Midwest Energy and Sunflower Electric all notified their customers at mid-morning Tuesday that an order to impose blackouts had been lifted. The Southwest Power Pool ordered the blackouts Monday and early Tuesday to save energy reserves in the 14 states it oversees. The SPP said it has enough generating capacity to meet the demand for electricity, but the rolling blackouts were being conducted to protect the regional power grid."
(Texas) "Y'all have fun with that bullshit. We'll take our chances."
Re:Did we go back in time or something? (Score:4, Informative)
I don't think I see your point.
The fact is that TX deliberately chose NOT to participate in the National Power Grid for whatever reason, and now they're in the shit for it. AND they're begging other states for power.
If they were part of the grid they A) wouldn't have had 4 million people in the dark, and B) they wouldn't have to beg for power- that's literally what the *national* grid exists for- to balance power needs across the US. Thank goodness the forward-thinkers in TX were way too smart to fall for that!!
But hey, Texas- you do you, and try not to freeze to death. Yee haaaa.
Re: (Score:2)
Perhaps Reliability has become another one of those political words. Kinda like countries run by a dictatorship inevitably include "Democratic" or "People's" in their official name.
Works for me (Score:2)
Re: (Score:2)
Californians should be permanently quarantined to their state.
Agreed! I've always thought CA should cede from the rest of the USA. It is much easier to seal borders between countries than states.
Re: (Score:2)
Yeah, old news. I was doing this 20 years ago.
Even better, back then Outlook would let you get to the DOM via a script, which you could then post back to your own server through the tracking GIF. So if the recipient forwarded the email, you could collect the next sets of addresses *and* any text added to the content. Pretty sure I figured that out from a Slashdot article back then.
Surely they've fixed that by now. Right?
Re: (Score:2)
Re: (Score:2)
Wow...don't you have some anger issues.
FYI...I am reasonably confident my IQ is both over room temperature and yours as well, and I will miss him.
Re: (Score:3, Insightful)
He's dead? FANTASTIC NEWS, thank you!
He was a scumbag and a liar...
He was still a human being. Someone's son, husband, father, brother, uncle. Celebrating someone's death simply because you don't agree with their politics puts you on about the same level they were. I hope your loved ones don't have to suffer the indignity of witnessing someone dancing on your grave. Be a better human being. (And no, for the record, I didn't like Rush. I didn't like 99% of the drivel that came out of his stupid mouth. I've still never wished him dead.)
Re: (Score:3, Funny)
> He was still a human being.
Citation required.
Re: (Score:2, Insightful)
I'm going to go out on a limb, and say that you formed your opinion by not listening to the person himself, but from others who also didn't listen, and intentionally misquoted the man for their own political gain. I say that because if you had listened to him, you would have heard a man who espoused personal freedom and personal responsibility. He believed that everyone should have an opportunity to succeed (note equal opportunity and not equal outcome). He wanted people to actually think for themselves and no
Re:Did we go back in time or something? (Score:5, Informative)
> I'm going to go out on a limb, and say that you formed your opinion by not listening to the person himself,
You're wrong. I listened to Rush Limbaugh quite a few times, especially on long drives when there was nothing else in range. The man was a disingenuous scumbag, a liar, a drug addict, and a hypocrite. Fuck him.
> He believed that everyone should have an opportunity to succeed (note equal opportunity and not equal outcome). He wanted people to actually think for themselves and not parrot any party lines.
What a load of bullshit. You believe this horse crap because you want to believe it, not because it's true. Sorry, but if you sucked his conservative cock any harder, the top of your head would cave in.
He advocated for "all drug addicts" to be locked up, but when it turned out that HE was a drug addict, suddenly it's all about "2nd chances and rehabilitation".
Yeah, fuck that guy. The world is a better place without him in every conceivable way.
Have never seen them (Score:2, Interesting)
That may be because I read email with Mutt and pipe HTML through Lynx to textify it.
I will never understand the sheer stupidity of misusing a browser to display email.
Re: (Score:2)
Blame Microsoft. Their fault for making it popular.
Re: (Score:3)
> Blame Microsoft. Their fault for making it popular.
Re: Have never seen them (Score:2)
Imagine misusing it to watch movies, run a 3D game, or virtualize Linux! ^^
Re: (Score:2)
> I will never understand the sheer stupidity of misusing a browser to display email.
Okay, that's just silly.
Re: (Score:2)
Well, you see, way back in the late 90s and early 2000s the GUI had pretty much taken over, and a command line was just some hacker thing. So typically a public terminal would give you access to the web and that's it. Since computers were fairly big and heavy and you didn't always have one with you, it would be awfully convenient if you could use such a public terminal to check your e-mail. So people came up with inventive things like SquirrelMail, which sticks a web front end on an IMAP server. Some bright
It's not a problem (Score:5, Informative)
In Thunderbird, from the menu, Edit/Preferences. Choose "Privacy" and uncheck "Allow remote content in messages". This is disabled by default, in fact. Similar functions exist in any other mail client.
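What a "block remote content" setting amounts to, as an added example that is not part of the original thread: the HTML part is scanned for `<img>` tags, embedded images (`cid:`, `data:`) are kept, and every remote source is dropped before rendering. The message, the hosts `shop.example` and `tracker.example`, and the names `classify` and `block_remote_images` are constructed for illustration; the "tracker" label is only a heuristic (1x1 or hidden), and any remote image is blocked regardless, since an ordinary logo can log an open just as well.

```python
import email
import html
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; shop.example and tracker.example are placeholders.
SAMPLE = """\
From: news@shop.example
To: user@mail.example
Subject: Spring sale
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Spring sale starts today.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Spring sale starts today.</p>
<img src="cid:logo@shop.example" width="120" height="40" alt="logo">
<img src="https://cdn.shop.example/banner.png" width="600" height="200" alt="banner">
<img src="https://tracker.example/o.gif?u=8841" width="1" height="1" alt="">
<img src="http://tracker.example/p?id=8841" style="display:none">
</body></html>
--b1--
"""

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def classify(attrs):
    """Label an <img> attribute dict as 'embedded', 'remote' or 'tracker'."""
    src = (attrs.get("src") or "").strip()
    if urlsplit(src).scheme.lower() not in ("http", "https") and not src.startswith("//"):
        return "embedded"  # cid: or data: travels inside the message, no request is made
    tiny = all((attrs.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
    hidden = bool(HIDDEN.search(attrs.get("style") or ""))
    return "tracker" if tiny or hidden else "remote"

class RemoteContentBlocker(HTMLParser):
    """Re-emits the HTML as parsed, except that remote <img> sources are removed."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.findings = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        kind = classify(a) if tag == "img" else None
        if kind in (None, "embedded"):
            self.out.append(self.get_starttag_text())
        else:  # keep the alt text, drop the URL so opening the mail fetches nothing
            alt = html.escape(a.get("alt") or "", quote=True)
            self.out.append(f'<img alt="{alt}" data-blocked="{kind}">')
        if kind:
            self.findings.append((kind, a.get("src") or ""))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img .../> must not gain a closing tag

    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def block_remote_images(raw_message):
    """Return (sanitized_html, findings) for the HTML part of a raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return None, []  # plain-text only: there is nothing to fetch
    parser = RemoteContentBlocker()
    parser.feed(part.get_content())
    parser.close()
    return "".join(parser.out), parser.findings

if __name__ == "__main__":
    clean, findings = block_remote_images(SAMPLE)
    for kind, src in findings:
        print(f"{kind:8} {src}")
    print(clean)
```

This covers `<img>` only; CSS `url(...)`, `<link>` and other remote references need the same treatment in a real client.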
Wording. (Score:3)
If you call it a "tactic", you're the enemy (Score:4, Insightful)
If your mail doesn't come with a plain text version, I'm not reading it. Anything that isn't attached to the email does not exist. Advertisers are scum.
Re: (Score:2)
For once I agree with you. There's nothing inherently wrong with using a browser to read email. It's just another tool in the box, and works perfectly well for most people.
For 99% of users it comes down to using a browser versus installing another app, and most apps are shit- they're thin, crappy wrappers around the actual site, and they provide reduced functionality most of the time.
Re: If you call it a "tactic", you're the enemy (Score:4, Informative)
It's not about how you read email. You can read email in a web browser if you like. It's about the content of the mail. I draw the line at plain text because HTML mail is used for all sorts of bad stuff, including tracking pixels, hiding the true target of links, etc. If you can't be bothered to put the essence of an email in plain text, then I can't be bothered to read it. Do not send me a brochure instead of clear and concise information. HTML could be used for good formatting and assist in making an email more readable. In practice it isn't though. HTML is an excuse to override local choices for font size and line length and include ads, logos, tracking, legalese and other annoyances. Those things stick out like a sore thumb if you try them in a plain text email. You immediately understand that they clutter up the email and obscure the one or two relevant pieces of information.
Re: If you call it a "tactic", you're the enemy (Score:4, Insightful)
I agree with almost everything you said, but that's not the fault of the browser or the HTML.
HTML in email should be like garlic in a salad- used minimally for best effect, but not a smidgen more.
Re: If you call it a "tactic", you're the enemy (Score:3)
Nothing of what you listed is HTML. Not a single thing.
HTML is just a single file. Of text. With tags to mark parts as something, semantically. And hyperlinks.
Images and all that crap are hyperlinks, embedded or not.
Ditto for scripts, fonts, etc. That is not HTML's fault. Treat it like a damn standalone document, and all your problems that you blame on HTML vanish.
Basically, if your e-mail client supports HTTP, burn it with fire. If it doesn't support HTML, do the same.
Surprised It's Only 2/3rds ... (Score:4, Interesting)
Having long ago worked for not-even-close to the largest or most sophisticated marketing emailer (on behalf of Fortune 500 clients) waaaay back in 1999, the use of "spy" pixels (aka beacons, etc.) was de rigueur. So much so that firms couldn't compete without even that very basic tracking functionality in place.
Even assuming that by now a lot of what was once outsourced may have been taken in-house with turnkey emailing solutions, I find it hard to believe that adoption of this technique isn't closer to 100%.
My email client does not load remote content... (Score:4, Informative)
Re: (Score:2)
I wonder how effective pi-hole is at blocking these trackers. It amazes me how out of touch advertisers are...
Comment removed (Score:5, Insightful)
Re: (Score:2)
You seem to be of the mistaken impression that those metrics really matter, or really provide actionable intelligence that can be converted into sales. Marketing is about the 2% rule, only with email it is more likely 0.2% conversion rate. This means you are annoying a disproportionate number of people you contact, and your solution to improving sales is to annoy more people.
I know my wife tolerates more spam than I do, and buys some of the crap from or associated with it, but even she has a lower than 2% h
Newegg (Score:2)
Only once in my life have I *ever* found a lower price for something on Newegg. I don't see why people continue to patronize them. Why pay more for the same exact item?
I routinely include them in searches when I buy PC gear, but they never ever have a good price; often it's well above what every other store sells it for. How do they stay in business?
Re: (Score:2)
Recent answer. Because they were the only one that had it. And ebay would have been higher and riskier.
Re: (Score:2)
a "good enough" price for things that they ship from a warehouse that's apparently sitting on top of a UPS distribution depot.
I haven't ordered from them in some time, but over 250 miles away in the next state, free ground shipping usually arrives the next day, even ordering at 6PM.
Breaking News from... 2001? (Score:3)
Tracking pixels have been a thing since long before Google bought Doubleclick; and the solution to the privacy implications is usually the same: disable image loading by default unless you trust the sender. And avoid small image size loads when possible.
Incidentally, the Big Tech firms don't need to use tracking pixels because half the targets are using Gmail or Live/Outlook anyway, which will happily scan your email and give way more metrics back than a tracking pixel will to begin with. It's only the on-net Outlook folks who will want more privacy.
Re: (Score:2)
> Gmail or Live/Outlook anyway, which will happily scan your email and give way more metrics back than a tracking pixel will to begin with
They _absolutely_ do not share any data with email senders that is interesting, in the least. At the most broad they provide aggregate complaint rates per sending IP (GPT or SNDS). At the most specific, they will forward back to you the entire email that a user reported as spam as part of their FBL process (Gmail doesn't even do this).
They do not share any data about in
Even in the spam folder? (Score:2)
What does the spam folder have to do with anything?
The thing that blocks these tracking pixels is not which folder it's in, but the "load images" setting. You have to deliberately turn on this setting, because all email software that I know about has it turned off by default, and you generally have to enable it specifically for each sender.
This has been a thing since...oh...1995 or so.
Re: (Score:2)
OSX and Thunderbird disable by default. Pretty sure Pine does too.
Re: (Score:2)
And Outlook and GMail Web and Android Mail and pretty much everybody.
Turn The Tables (Score:2)
Re: (Score:2)
https://getmailspring.com/ [getmailspring.com]
Scroll down a bit on the home page to find Read Receipts and Link Tracking.
Re: Turn The Tables (Score:2)
That's what MDNs are for.
And opened does not mean read.
How's this news? (Score:2)
Don't all e-mail clients block external resources by default, and offer enabling domain-specific resource only if you want them?
I thought that was standard for at least a decade now.
Webster's update (Score:2)
Another approach (Score:5, Interesting)
A number of comments so far have noted that various programs disable loading of images in emails, due to image tracking.
IIRC Gmail, though, takes something of the opposite approach. Immediately when an email is received, Google loads the images in it and stores a local copy for when the user wants to read the email. It does this whether or not the email is read, in fact, whether or not the Gmail account to which the mail is addressed even exists. Thus, anyone who sends a mail to a Gmail account can count on the tracking image being read - but by the server, not the user. Thus the image is useless for tracking, whether or not the email is opened. Whereas with the alternate method of disabling image loading, the tracking is still effective if the user decides they do want to see the image.
Re: (Score:3)
It's crazy how wrong this is.
> Immediately when an email is received, Google loads the images in it and stores a local copy for when the user wants to read the email
No, they don't.
> in fact, whether or not the Gmail account to which the mail is addressed even exists.
No, they don't, *especially* if the Gmail account doesn't exist. Like every other provider, if an account doesn't exist, they reject the message before any of the data has even been sent.
> Thus, anyone who sends a mail to a Gmail account
so, yeahh (Score:2)
Don't you need to have (Score:2)
Re: (Score:2)
Almost no contemporary email clients load images by default. The reason this technique is viable is that users bash on the "allow" button/link the instant they sense the slightest impedance.
"Commonplace marketing tactic?" (Score:2)
Is that supposed to be an excuse? Marketing tactics means "I am doing this to make money", and it's not like no one has ever done something wrong to make money. Oh wait, that's why 90% of evil crap get done. As for 'commonplace', the following all used to be commonplace:
Child labor
Cocaine and Opium in products that did not list ingredients.
Slavery
Re: (Score:2)
Came here to say that. "Common marketing tactic" should make you think "shouldn't be done."
Well, they ARE being transparent about it (Score:2)
> The use of "invisible" tracking tech in emails is now "endemic",
> And other experts have also questioned whether companies are being as transparent as required under law about their use.
I think that answers itself.
"HTML email is an abomination" (Score:2)
If you've been aware awhile, you must have heard "HTML email is an abomination". Ponder this venerable saying. There is reason for the disgust. Marketers might love it but why encourage spam?
As others have posted, using fast text MUAs (mutt) or at least avoiding autoloading images (even on iOS) improves both speed and security.
Not as perfect as those selling it claim (Score:2)
I'm not in favor of it, but I want to point out that the email pixel is not as perfect as it is sold to be. A few reasons (probably more can be added).
1. If you don't load the images you are not tracked (they assume you have not read it, in fact you might have).
2. If you forward your message to someone, they'll track them as if it was you (in terms of location and times it was opened).
3. Some corporate email systems preload all email images to scan for viruses or other threats, this will show as "read email" w
slashmail.org disables all images by default (Score:2)
You have to whitelist in senders to see the images.
Nothing we can do as admins... (Score:2)
... that won't inconvenience staff to the point of choosing between allowing the spying or putting up with the whining?
Re:Nothing we can do as admins... (Score:4, Interesting)
Add a PiHole to your environment. If you're using MS AD or some other internal DNS server, make its upstream DNS server the PiHole and let the PiHole use Quad9 or FoolDNS or your ISP's DNS or whatever. If you've got a marketing team or someone else who really, really needs to use Google Analytics or whatever, add them to an exclusion list so they only use public DNS servers and let them have all their e-mails tracked; they're marketing, so they won't care.
Not all tracking pixels would be 100% blocked, but most of them would be =)
Re: (Score:2)
We use content filtering but when the content is coming from legitimate domains blocking becomes problematic and impacts operations.
The last decade it seems this line of work has turned into 'whack-a-mole' vs the latest security hole or scumbags coming up with new ways to spy.
Perhaps we're seeing "State Department" type destabilization tactics applied to IT - make everything so SHIT that we'll welcome a shitty centralised 100% controlled and surveilled IT ecosphere because it's "better" ;)
In the end, we all
Re: (Score:2)
> ... they're marketing, so they won't care.
Who markets to the marketers?
Re: (Score:3)
If you have AD then a PiHole probably isn't fast enough for your number of users. Even a Pi 4 doesn't scale very well.
You could use a VM on better hardware, or just install software on client PCs.
Really? (Score:2)
Who is still using an email client that loads images from unknown senders by default?
Can we stop using the term Pixel in this context? (Score:2)
"Pixel Tracking" is a terrible term and should be abolished. It actually displays no understanding about the implementation, nor how these things operate.
It's just another example of how incredibly dumbed-down terms can actually be damaging to the technical understanding of anything.
Devil's Advocate Here (Score:2)
It's useful to know if somebody has read an email and AFAIK, a tracking pixel is one of the only ways to do it.
It's trivial to just add a logo and use that to track instead of a 1 pixel transparent image. Are we going to call those "Spy Logos"?