Effectively all email clients are web browsers now, yet don’t have any of the privacy protection features actual browsers do.
BY:
Eric De Grasse
Chief Technology Officer
26 February 2021 (Chania, Crete) – A few months ago I wrote a post for our cybersecurity listserv about email tracking pixels which are 1px by 1px square images created by a line of code that is inserted into an email message. It’s not obvious to the recipient that email tracking pixels are present because they are often transparent and placed somewhere discreet in the header or footer of the email. These days, tracking pixels are used by nearly every sophisticated business (any small business that uses email automation software such as Constant Contact or Mailchimp has access to them) to help marketers measure their open and click rates, discover traffic sources, track conversions, and collect other useful data points. Some email tracking pixels have more advanced, strategic functions, such as remarketing pixels, which deliver the user personalized advertising around the Internet.
And don’t get me started on how predictable this entire privacy disaster was, once we lost the war over whether email messages should be plain text only or could contain embedded HTML. Effectively all email clients are web browsers now, yet don’t have any of the privacy protection features actual browsers do.
Over the last few months there was been a surge of commentary on it. In the last week BBC has covered it twice, in an article saying “spy pixels in emails have become endemic” plus a BBC Radio 4 podcast with some cybersecurity mavens explaining how its done.
I want to expand my comments to include our legaltech listserv because use of tracking pixels is governed in the UK and other parts of Europe by the Privacy and Electronic Communications Regulations and the infamous General Data Protection Regulation. As the BBC article notes, these regulations require organizations to inform recipients of the pixels, and in most cases to obtain consent. The BBC article is a good overview of the issue but let me add a few more points.
In the BBC article a vendor statement is made “It’s in our privacy policy”. Complete nonsense when it comes to email spy pixels. It’s nonsense for most privacy policies, period, because most privacy policies are so deliberately long, opaque, and abstruse as to be unintelligible. But with email they’re absurd. The recipient of an email containing a tracking pixel never agreed to any privacy policy from the sender.
And “it’s a commonplace marketing tactic” is hardly a defense. It’s an excuse … and a damn shitty one. It just shows how out of control the entire tracking industry is. Their justification for all of it is, effectively, “it’s pervasive so it must be OK”. That’s like saying back in the 1960s that most people smoke so it must be safe.
But embedded ubiquitous tracking – in which data from widespread and diverse heterogeneous tracking sensors and tracking apps is automatically and dynamically fused, and then transparently provided to applications – is simply impossible to stop. It’s whack-a-mole time for data privacy advocates.
As my business partner, Greg Bufithis, noted last year in a series of posts on the futility of data privacy regulation:
Data has become a crucial part of our infrastructure, enabling commercial and social interactions. Rather than just tell us about the world, data acts in the world. Because data is both representation and infrastructure, sign and system. As media theorist Wendy Chun puts it, data “puts in place the world it discovers”. Restrict it? Protect it? We live in a massively intermediated, platform-based environment, with endless network effects, commercial layers, and inference data points. It will continue to be collected in every manner, every form imaginable.
Earlier in this series I noted that whether you use Apple iOS or an Android phone (and even your laptop) you will engage with 5,400+ trackers, mostly embedded in apps, most feeding to data brokers. You spew out an average of 1.5 gigabytes of data about yourself over the span of a month. In all of this, the General Data Protection Regulation (GDPR) problem over “transparency” should loom large. But it does not. It’s why EU citizens are struggling with “Data Privacy and Data Subject Access Requests” (DSARs) mandated under the GDPR: if you don’t know where your data is going, how it is being collected, how can you ever hope to keep it private? DSARs are a sham but data privacy vendors will not tell you that because they need to make money from their services.
Emails pixels are fascinating because they can be used to log:
• if and when an email is opened
• how many times it is opened
• what device or devices are involved
• the user’s rough physical location, deduced from their internet protocol (IP) address – in some cases making it possible to see the street the recipient is on
So the benefits of tracking pixels for sales and marketing teams becomes obvious since they gaining access to helpful analytics such as:
• How many people open your emails, how many people click through links, and the general success rate of each campaign.
• Which headlines, preview text, and even sent times/days that will generate more opens and clicks.
• What percentage of your audience reads email on their phones, desktop computer, or tablet.
• Which email providers recipients use.
• What region their audience is located in.
With this information, sales and marketing teams can focus on narrowing down their audience (through filters that identify engaged subscribers, predicted demographics, and general location information), making their content more relevant, and providing a better overall experience for their recipients.
Now, email tracking pixels do not collect sensitive information such as the recipient’s bank details, or private browsing history. In order to do that, the code would have to get access to the recipient’s cookies (text files that save to your computer when you visit a particular website and collect information on your online behavior). Tracking pixels do not save to your computer and don’t collect any information outside of your engagement with the email they were embedded in.
BUT … to be fair, tracking pixels of any kind can theoretically gain access to this information through advanced tracking/hacking methods which I have detailed in other posts. Mainstream email providers (including Gmail) can automatically run incoming communications through an image proxy server which blocks email tracking pixel-related trojans that go beyond the limits of what regular marketing or sales tracking pixel does. But you need to “opt in”.
If you want to know if your email has a tracking pixel use a tool such as Boxy Suite or Ugly Email. You can also assume that pretty much any communication you get from a brand will have a tracking pixel that ties to their website for when you choose to click through. And if your email provider shows a pop-up message about external images inside an email, you can simply decline the request to block the email tracking pixel.
