I was under the impression that the email tracking pixel technique became less reliable once GMail started pre-loading email images on its own server and sending you the cached copy instead. Does anyone know if these services found a way around that?
There are lots of potential ways to track via an email besides images. I'm not sure which work in Gmail. But the more common marketer's strategy is just to provide a lead and a hyperlink - let the user click it and track them in their browser.
Marketers can still embed images with unique URIs that identify an address and know when a user opens it. Even if Google caches it, they know that address opened it once (because Google doesn't preload images until the user opens the mail)
Contrary to popular beliefs, gmail does not pre-fetch all the images. It fetches the images via a proxy the first time the user loads the email via gmail app or gmail web, and caches it for repeat opens. Also, there’s no proxying if the user uses a third party app (like the iPhone app). So open metrics are still fairly accurate since not many users open the same email multiple times.
So why does gmail do this if it still allows the websites to track opens? Primarily to prevent IP address leak and to prevent the website owner from reading it's cookies on email opens (if opened on a browser), and/or cross-linking multiple emails for further tracking and linking identities.
Anyone know if mutt does this? I currently pipe HTML mails through w3m to read them, and I'm almost certain this technique is pulling remote content, so I would be interested if anyone has some tips on improving this setup. Avoiding HTML mails altogether is sadly not an option.
Put it in a sandbox without network access. https://github.com/projectatomic/bubblewrap might be worth looking at for that. It also has the added benefit of reducing the attack surface of running w3m on untrusted content.
Oh, that's an interesting idea! I currently use firejail quite a bit, but hadn't thought of using it to also kill network access for w3m's rendering of an html email. Thanks for the idea!
Many web mail clients (Yahoo, Hotmail, etc.) don't render images by default, and you opt to download each email's images with a button. HTML mail renders without images pretty cleanly if the alt text is included.
IMO, this should be the default for all email clients, and the lack of that feature on mobile devices shows the immature state of mobile development compared to desktop.
I implemented this on an invoicing app I make. The app also lets users create "estimates", "quotes", "proposals" and other documents which I do not use it on.
The reason I did this is because over the first decade after creating the app the users of the app kept telling me that clients would tell them "I didn't receive the email".
I've had clients do that to me as well, even before I made the app. One of them was a contractor for the U.S. federal government who owed me over $20k and was most certainly going to screw me. In that case, after sending the invoice with the US Postal service three times I sent it the forth time with a "Return Receipt" required. Even that didn't get my check in the mail from them because they lied again about receiving it until I informed them I had a signature saying they did get it.
Still, the only reason they paid me is because I shut down web based "Real Time Traffic Conditions Map" I'd created for the project a few days before their public debut of the app and refused to turn it back on until the check was in my hands.
I don't really consider this an invasion of privacy. All it is telling my users is rather or not their customers and clients opened the emailed invoice and it's little different than the "Return Receipt" service offered by the US Postal Service.
13 comments
[ 1.8 ms ] story [ 45.6 ms ] threadMarketers can still embed images with unique URIs that identify an address and know when a user opens it. Even if Google caches it, they know that address opened it once (because Google doesn't preload images until the user opens the mail)
So why does gmail do this if it still allows the websites to track opens? Primarily to prevent IP address leak and to prevent the website owner from reading it's cookies on email opens (if opened on a browser), and/or cross-linking multiple emails for further tracking and linking identities.
https://support.mozilla.org/en-US/kb/remote-content-in-messa...
This seems to be a sufficient countermeasure against the kind of tracking in the article.
The reason I did this is because over the first decade after creating the app the users of the app kept telling me that clients would tell them "I didn't receive the email".
I've had clients do that to me as well, even before I made the app. One of them was a contractor for the U.S. federal government who owed me over $20k and was most certainly going to screw me. In that case, after sending the invoice with the US Postal service three times I sent it the forth time with a "Return Receipt" required. Even that didn't get my check in the mail from them because they lied again about receiving it until I informed them I had a signature saying they did get it.
Still, the only reason they paid me is because I shut down web based "Real Time Traffic Conditions Map" I'd created for the project a few days before their public debut of the app and refused to turn it back on until the check was in my hands.
I don't really consider this an invasion of privacy. All it is telling my users is rather or not their customers and clients opened the emailed invoice and it's little different than the "Return Receipt" service offered by the US Postal Service.
FWIW, it works with Gmail too.