This is an interesting read. Although there are more tracking mechanisms than pixels. Surely you can configure your email client not to load remote content automatically, but most clients will still leak information via various HTML/CSS elements.<p>A while ago, I used <a href="https://www.emailprivacytester.com/" rel="nofollow">https://www.emailprivacytester.com/</a> to test several famous iOS email clients, and most of them more or less leaked _something_, even without loading remote content. In the end, I found Fastmail and Apple's built-in iOS mail client to be top-notch in terms of privacy (Fastmail leaked nothing but their server-side DNS server via DNS prefetch[1][2], which has nothing to do with the client. Apple is slightly worse, but still far better than any other email client like Outlook, Spark, Edison...)<p>1. <a href="https://www.emailprivacytester.com/testDescription?test=dnsLink" rel="nofollow">https://www.emailprivacytester.com/testDescription?test=dnsL...</a><p>2. <a href="https://www.emailprivacytester.com/testDescription?test=dnsAnchor" rel="nofollow">https://www.emailprivacytester.com/testDescription?test=dnsA...</a>
Those tracking links are so annoying. They make it hard to see where the link is actually going. A newsletter could be linking to Wikipedia, but if you open the message in Gmail, there could be two or more layers of trackers in that URL.<p>Example: The Frontend Focus newsletter in Gmail<p>The link for the first news headline is something like<p><pre><code> https://www.google.com/url?q=https%3A%2F%2Ffrontendfoc.us%2Flink%2F109272%2Fc0daad1d97&sa=D&sntz=1&usg=AFQgCNFEh5TaNZpHqsqyBGWEaq2iL9MwCg
</code></pre>
The actual URL is<p><pre><code> https://www.slashgear.com/safari-overhaul-includes-tab-groups-and-web-extensions-on-mobile-07676634/</code></pre>
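To see how many wrapper layers a newsletter link carries without clicking it, the following added example (not from the comment above or from any of the services named) peels nested redirect wrappers apart purely from the URL text. The Google `/url?q=` wrapper from the comment is real; the other parameter names in `WRAPPER_PARAMS` and the double-wrapped sample in the test are assumptions made for illustration, and the inner `frontendfoc.us/link/...` hop is a server-side redirect that cannot be resolved offline, so it is reported as the last visible hop.

```python
"""Peel nested tracking redirects off a newsletter link (offline, no requests)."""
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Query parameters that commonly carry the real destination.
# "q" is what Google's /url wrapper uses (see the example above); the
# remaining names are assumed here for illustration, not taken from a spec.
WRAPPER_PARAMS = ("q", "u", "url", "redirect", "target")


def unwrap_once(url: str) -> Optional[str]:
    """Return the URL embedded in one redirect wrapper, or None if there is none."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes each value exactly once, so a doubly
    # encoded inner URL comes out still encoded for the next hop.
    for name, value in parse_qsl(parts.query):
        if name in WRAPPER_PARAMS and value.startswith(("http://", "https://")):
            return value
    return None


def unwrap_chain(url: str, max_hops: int = 10) -> List[str]:
    """List every hop recoverable from the URL itself, outermost first.

    Stops on a dead end (no wrapper parameter), on a loop, or after
    max_hops so a malicious self-referencing link cannot spin forever.
    """
    chain = [url]
    while len(chain) <= max_hops:
        inner = unwrap_once(chain[-1])
        if inner is None or inner in chain:
            break
        chain.append(inner)
    return chain


if __name__ == "__main__":
    # Real wrapper from the comment above; the final hop is the newsletter's own tracker.
    gmail_link = ("https://www.google.com/url?q=https%3A%2F%2Ffrontendfoc.us%2Flink%2F109272"
                  "%2Fc0daad1d97&sa=D&sntz=1&usg=AFQgCNFEh5TaNZpHqsqyBGWEaq2iL9MwCg")
    for hop, link in enumerate(unwrap_chain(gmail_link)):
        print(f"hop {hop}: {link}")
```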
Hi,<p>Author here.<p>This investigation into email tracking attempts to deconstruct tracking links and pixels and highlight the data that is being collected. It covers Mailchimp, ConvertKit, Substack and other Mailgun retailers.<p>There's also some attempted (albeit unsuccessful) reverse-engineering of an opaque token in the Substack section (If you like reading stuff about reverse-engineering).<p>Happy to answer any questions.<p>Thanks.
There's also Litmus, which uses a really advanced set of multiple pixels to give data on how long a user is reading an email. Presumably, they insert delays into how long it takes to load each pixel, and if any of the requests get cancelled they can get an idea of how long the email was open for.<p>The Litmus pixels are usually dropped into another ESP's template, so the data you get would be used to supplement the normal tracking pixel email.
CyberChef helped me decode the URL:<p>It was a zlib deflate and a URL-safe Base64 code.<p><a href="https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9-_',false)Zlib_Inflate(0,0,'Adaptive',false,false)From_Quoted_Printable()&input=ZUp5TmpMME9nekFRZzUtR2JLQmNPQUlaTXJSUVhnUGw3eWdTaEtwTjFkY3ZvQTRka2V6QmxqOTdqYzVDRFd6U2dndmdsY0RkeUFzb1VNcTI3N29PaGJyZUJMUVpjaHZpbUV3czNMcXd1M1lLRkRsRkhCdkhxNXE3V29WZ1NLRVRFb1VuTnV0N1NvOVhWbDR5MFdfNnc3ZkVudnBYd0hZOUxtYWFqLU9rUzZpRE5FUTVKMGs1LW1CejZ3UGxwa0pIalRKR1FjWHNPNlUxLXZVVGg3Q3p3LVRQZ2NmNjFQUUxVdFJWdXc" rel="nofollow">https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z...</a><p>Update: Having finished reading the article, it turns out someone beat me to this.
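The CyberChef recipe in the comment above (URL-safe Base64 without padding, then zlib inflate, then quoted-printable) is easy to reproduce in a script when you want to inspect such tokens in bulk. The following is an added example, not code from the comment or from any vendor; the payload it encodes is constructed, not a real token. One tell-tale the recipe relies on: the comment's input begins `eJy`, which is how a zlib stream (first byte `0x78`) looks after Base64 encoding.

```python
"""Decode an opaque tracking token: URL-safe Base64 -> zlib -> quoted-printable."""
import base64
import quopri
import zlib


def decode_token(token: str) -> str:
    """Undo the three layers and return the plaintext carried by the token."""
    # Tokens embedded in URLs usually drop the '=' padding; restore it.
    padded = token + "=" * (-len(token) % 4)
    compressed = base64.urlsafe_b64decode(padded)
    # A zlib stream starts with the CMF byte 0x78 (deflate, 32K window);
    # refuse anything else early instead of feeding garbage to zlib.
    if not compressed.startswith(b"\x78"):
        raise ValueError("token does not wrap a zlib stream")
    raw = zlib.decompress(compressed)
    return quopri.decodestring(raw).decode("utf-8")


def encode_token(text: str) -> str:
    """Inverse transform; used here only to build the constructed sample."""
    qp = quopri.encodestring(text.encode("utf-8"))
    compressed = zlib.compress(qp)
    return base64.urlsafe_b64encode(compressed).decode("ascii").rstrip("=")


# Constructed illustration of the kind of data such a token can carry (not real).
SAMPLE = ('{"email":"reader@example.com","campaign":"2021-06-weekly",'
          '"link":"https://example.org/post"}')
SAMPLE_TOKEN = encode_token(SAMPLE)

if __name__ == "__main__":
    print(SAMPLE_TOKEN)
    print(decode_token(SAMPLE_TOKEN))
```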
Here we are talking as if it’s the big companies that are the problem.<p>The problem is their clients.<p>Your mom-and-pop store down the street sending out the weekly newsletter that helps keep their business alive is the one sending the mail that annoys you so.<p>The mail-sending companies offered the feature of knowing when a subscriber opened an email and when they clicked on something.<p>So that tiny blogger who sends a weekly update on Substack to subscribers eagerly awaits her click and open stats.<p>It’s hard for the likes of Mailchimp to pull back those features because their customers rely on them so much.<p>How do I know? I write this kind of sending software all the time for thousands of these small customers.<p>We are talking husband-and-wife operations here. People who know nothing about email sending or what goes on behind it.<p>But take away their click and open tracking and you lose their business the next day. That part they know and want.<p>Add in the part about them knowing who opened and who clicked on what and it’s gosh darned magic for most small business owners.<p>Don’t blame Mailchimp, Sendgrid, Substack etc — that’s pointless.<p>Blame your mom as she sits writing next week’s newsletter update.
PSA: (a) Disable automatic loading of e-mails in Gmail if you don't want to be tracked. (b) Don't ever click links from e-mails, Google for the content instead.<p>Settings -> General -> Images -> Ask before displaying external images<p>(I've also been debating sending an auto-reply back to users of such e-mail apps (e.g. Superhuman) with an autoresponse to the effect of "Due to the use of tracking pixels your e-mail has been de-prioritized. If you would like a faster response please send me a plain text e-mail" to discourage people from using these privacy invasions.)
Here's a question... Suppose I'd like to send emails that include images. The images are content, I don't care about tracking. Is there any way to do that in a way that's privacy friendly?<p>The natural way of doing this would be embedded images. However, it seems that many mail clients don't support these. (<a href="https://www.emaillistvalidation.com/blog/embedded-image-support-in-html-email/" rel="nofollow">https://www.emaillistvalidation.com/blog/embedded-image-supp...</a>)<p>Are there any other options? The only other option I can see would be to use SVG images and then sort of "compile" the SVG into the HTML source. However, given how email clients have limited HTML support, this doesn't seem workable either...<p>It's frustrating that these tracking pixels have made genuine content images so unreliable.
After using Firefox's HTTPS-only mode I have noticed, quite disturbingly, that a lot of these auto-injected tracking links redirect through HTTP. I have seen nearly a dozen websites that have this for <i>password reset links</i>.<p>It makes me wonder if it could be a viable attack to set up a WiFi hotspot, block login attempts so that some users think that they forgot their password (the error won't be right, but many users may try resetting their password anyways). Then you just intercept the HTTP tracking link and reset their password for them. Now you have stolen their account.<p>Of course you could just do this passively but prompting it by trying to fail login attempts would get you more hits.
One interesting thing I noticed with LinkedIn emails is that they dynamically fetch the unread notification count. For example, if someone views your profile, there will be a notification on the website. If you go to your mail and open an <i>old</i> LinkedIn email before you check the notification on the website, you will see a little red 1 in the corner of the LinkedIn logo. Later, if you go to the website, clear the notification, and then open the same email, you will see that the notification counter is gone. I find it quite interesting that Gmail allows this behaviour.
Related to the post, I've enjoyed using the Trocker extension[0].<p>[0] <a href="https://trockerapp.github.io/" rel="nofollow">https://trockerapp.github.io/</a>
I have found MailTrackerBlocker [1] to be useful to block tracking.<p>1. <a href="https://github.com/apparition47/MailTrackerBlocker" rel="nofollow">https://github.com/apparition47/MailTrackerBlocker</a>
If you were a large email service and you really wanted to mess with this sort of tracking, could you<p><pre><code> - fetch the images at the point the mail is accepted for delivery
- cache the result
- rewrite the URLs transparently in the UI to point to your cached copy</code></pre>