Ask HN: Please help me get in touch with Apple's email privacy engineers
With Apple's recent announcements about blocking tracking pixels in emails, I wonder if they might also consider doing something about tracking links too.
I wrote https://bengtan.com/blog/whats-in-email-tracking-links-and-pixels/ and I know of some techniques that can be used to bypass tracking links (ie. Discover the destination URL of a tracking link without actually crawling the tracking link).
It would be great for privacy if Apple also started disrupting tracking links (and then the rest of the email service providers do so too).
How do I get in touch with the Apple software engineer(s) who are working on email-privacy/anti-tracking-pixel software? I'm just a random no-name person on the Internet. Can anyone help me please?
Thanks.
13 comments
[ 2.9 ms ] story [ 44.9 ms ] threadWhat stops a tracking link from using a different url in the get params than it actually returns? I don't think this is workable.
The problem here is that it will probably work on a small scale. But if someone like Apple or Google adjusted to it, places like MailChimp would notice immediately, and "fix the glitch" as you describe.
https://mycompany.co/my-product-name?affiliate=12345678
That's obvious and easy to filter out, but let's say they changed it to:
https://myproduct.co/my-product-name/12345678
That's less obvious because it's part of the URL to resolve instead of a variable. You could filter out the "12345678" now to instead direct you to:
https://mycompany.co/my-product-name
OK, but let's say the company (through plausible deniability) didn't use permalinks, or (again through plausible deniability) used model numbers as their address. They could disguise the tracking link with
https://mycompany.co/12345678
Which could again be detected, but then you'd just get sent to
https://mycompany.co/
instead of the actual page you wanted to visit.
The point is, that if you try to filter out affiliate links, you will invariably get to a point where all you can do is send them to the homepage of the website in this cat-and-mouse game of disguising affiliate links as product pages. And while sending you to the homepage is theoretically completely private, I think marketing folks and actual end-users would understandably complain.
Or even, https://correct.horse.battery.staple.example.com/
I mean, you could add rules, but the second your rules turns something like Slacks "magic link" into a thing that can't be used, users will rightfully be upset.
I don't disagree with your overall point, but getting feedback like this in front of the eyes of an employee who can actually assess its validity is easier said than done.
Does OP really believe that no one in Apple's engineering department has ever asked "should we do anything about tracking IDs in email links?" Or that no one at Apple is able to reverse-engineer MailChimp links?
What happens when one of the biggest email services, Apple, starts removing those tracking IDs? Marketing just rolls over and dies?
It will be pretty trivial to keep changing up their url parameter system, or even to have unique urls that don't include query parameters at all, like the MailChimp system but without the simple Base64 encoding. Sure, it would be a bit of a pain to engineer, but needs must.
It seems this would be better to make a browser extension, which can keep up with changes, and, honestly, would probably be small enough that marketers wouldn't bother trying to adapt to it.
He has no decision making power.
Lots of things related to privacy and security are part of a way bigger multi-billion dollar game than what companies are trying to mislead public with.