Foiling Electronic Snoops in Email
Nytimes.com Tech Fix
By BRIAN X. CHEN NOV. 18, 2015
IT didn’t take much for Florian Seroussi, a technology investor in Manhattan, to become suspicious of his email.
His misgivings were sparked late one night last year when he opened a message from an entrepreneur who was asking him to invest in a start-up. Minutes later, Mr. Seroussi’s cellphone rang with a call from the same start-up executive.
Coincidence? Not to Mr. Seroussi. “What are the odds that at 10:30 at night, a guy suddenly has a vision that I’m reading his email?” he said. “They must know something that I don’t.”
It turned out that the start-up executive had planted a tracking mechanism into his message to Mr. Seroussi, a trend that is increasingly afflicting all of our email. Trackers, which come in many forms including a single invisible pixel inserted into an email or the hyperlinks embedded inside a message, are frequently being used to detect when someone opens a message and even where that person is when the email is opened. By some estimates, trackers are now used in as much as 60 percent of all sent emails.
Follow these steps to disable images from loading automatically:
· On Gmail
1. Click on the gear icon and click Settings.
2. Under the General tab, scroll down to Images.
3. Select “Ask before displaying external images.”
4. At the bottom, click Save Settings.
· On an iPhone
1. Open the Settings app.
2. Tap on Mail, Contacts, Calendars.
3. Swipe left on “Load Remote Images” to turn it off.
· On an Android
1. Open the Gmail app.
2. Select your account.
3. Tap on Images.
4. Select “Ask before showing.”
The trackers are traditionally offered by email marketing services like GetResponse and MailChimp. They have a legitimate use: to help commercial entities send messages tailored for specific types of customers. The New York Times, too, uses email trackers in its newsletters. The Electronic Frontier Foundation, a nonprofit that focuses on digital rights, estimates that practically every marketing email now contains some form of a tracker.
Yet, the prevalence of these trackers raises consumer questions. Because trackers are invisible, many people are unaware of them and have no inkling of how to dodge them. “It’s definitely a privacy concern,” said Cooper Quintin, a technologist and privacy advocate for the Electronic Frontier Foundation. “There’s no mechanism for people to opt out.”
A basic method for thwarting some email trackers involves disabling emails from automatically loading images, including invisible tracking pixels. But that doesn’t defeat all trackers, which are also hiding in other places like fonts and web links.
I recently put a handful of free email tracking services and tracker detectors to the test to assess whether there was a viable method for identifying and removing the invisible snoopers. I tried the trackers and detectors on the most popular email service, Gmail.
My conclusions aren’t heartening. I found that the available solutions for combating trackers were far from ideal. Some failed to ferret out many trackers, while others required major trade-offs.
I began by testing the email trackers themselves. One was MailTrack, which is a plug-in for Google’s Chrome browser that can quickly insert a hidden tracking pixel into a message. Setting it up is simple. You install the plug-in and enable a Google mail account to use the service. After typing an email, you hit a double check mark icon to embed the invisible tracker. When the recipient opens the email, you receive a notification and an email alerting you that the message has been opened.
I also tried a better-known email marketing service, MailChimp, which includes tracking as part of a suite of features. The service is tailored for small businesses to compose and send email campaigns for their products. The company says its trackers can see when specific recipients open email and also pull data on where they are and what devices they are using.
“People want to be spoken to as a snowflake, an individual,” Eric Muntz, MailChimp’s vice president for product, said in an interview. “Our tools help our users talk to their customers in a very specific way.”
In my experiment, I was able to create an email newsletter on MailChimp in 10 minutes with trackers embedded into the email itself, as well as inside buttons for sharing on social media and buying an item. After I sent the newsletter to myself, MailChimp showed when I opened the email and that I clicked on all the buttons. It also showed that I opened the message in the United States, though it could not pinpoint my precise location.
I then tried two tracking detectors that aim to help people identify whether the trackers have invaded your messages. One is called Ugly Email and the other is Trackbuster, a company that Mr. Seroussi founded last year after receiving the suspiciously well-timed email from the start-up.
Ugly Email works as a Gmail plug-in. When a tracker is detected, it shows the icon of an eyeball in the subject line to alert you that a tracker is hidden inside the email. The software notified me about some marketing emails containing trackers, including trackers from MailChimp. But after I sent myself test emails with trackers using MailTrack, Ugly Email failed to flag those.
Sonny Tulyaganov, the web engineer who created Ugly Email, said he manually added different email tracking pixels to a list for his detector to look for them. He added MailTrack after I shared my test results. But Mr. Tulyaganov said Ugly Email was a hobby project and was not a fully staffed organization with the resources to catch every new mail tracker.
Trackbuster was more thorough, though it also wasn’t ideal. The service, which works with Gmail, connects with your inbox, scans all your messages for trackers in a temporary folder and purges trackers before spitting the scrubbed messages back into your inbox. Trackbuster also sends weekly reports on the number of emails it found to have trackers.
In testing the service over two weeks on my work email account, I learned that about 280 of my 1,400 emails, or 20 percent — including many from public relations professionals pitching me their products — contained hidden trackers. (I deleted their emails without opening them.)
What responsibility do email providers like Alphabet’s Google have in all of this? In a statement, Google said that for two years, it has taken steps to prevent users from having their locations, browsers, devices or apps tracked through emails.
For example, when you read email on Gmail.com or the official Google Mail apps for iPhone or Android, images are intercepted and rewritten on a server between the sender and the recipient. That makes it impossible for the sender to receive detailed information like the recipient’s location, device or app used.
“Since we launched Gmail we’ve worked to make it the most secure email service available,” the company said in a statement.
Some privacy advocates have gotten enterprising about circumventing email trackers. Mr. Quintin of the Electronic Frontier Foundation says he sets up his devices to dodge the trackers in two ways. Inside Gmail.com, there is a setting that requires Gmail to ask for your permission before displaying images in an email. Clicking “no” to that request will prevent images, including invisible tracking pixels, from loading.
For another, he sets up his email apps — the desktop client Thunderbirdand the Android app K-9 Mail — to disable HTML, the standard web language that trackers use to ping external servers. That can prevent the loading of other components, like fonts, that contain tracking code, according to Mr. Quintin.
Those two solutions combined aren’t foolproof against trackers. If you visit any web links inside an email, chances are that they will still detect that you clicked on them. Taking these steps also makes it likely that your emails end up looking ugly.
I opted to disable Trackbuster because of the sensitivity of my work emails. I also turned off Ugly Email because it did not appear to detect many trackers. Then I heeded some of Mr. Quintin’s advice and configured Gmail to ask for permission before loading an image, and I also set up the iPhone’s built-in mail app to prevent images from loading automatically.
It’s not perfect, but it was the best I could do without ruining my email experience.================================================================
**Important note** - contact our sister company for very powerful solutions for IP management (IPv4 and IPv6, security, firewall and APT solutions:
In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” will be published soon follow by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:
If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio Additionally, I provide content for an online newsletter via paper.li. I have also established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. Further, I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and have been a contributor to numerous blogs and publications.
Lastly, I am the founder and president of Tabula Rosa Systems, a company that provides “best of breed” products for network, security and system management and services. Tabula Rosa has a new blog and Twitter site which offers great IT product information for virtually anyone.