63 comments

[ 2.8 ms ] story [ 83.5 ms ] thread
Tracking pixels don’t even work with Gmail because Google fetches them out of band. It doesn’t reveal open rates.
> Gmail because Google fetches them out of band. It doesn’t reveal open rates.

"Our open rates have skyrocketed! send more emails!"

Want them to really listen to you? Cancel your accounts - move to another bank.

This works well as a bluff, but of course you need to be ready to follow through in case they call the bluff. Which if you are, you may as well switch banks for real anyway.

> Want them to really listen to you? Cancel your accounts

Just loop in your regulators. This costs them far more and properly documents the problem for follow-up in case it becomes a pattern. Possibly more annoying than moving accounts. But far more effective (unless you have nine figures with the firm).

I've heard CapitalOne does the same thing... send paper mail saying their emails aren't being read.
NAB Australia does exactly the same thing. Unless I "load remote images" when I receive their emails, they'll start mailing letters saying that they switched me to paper statements as their emails are not going through. It also took me a bit to investigate as their emails were obviously coming through.
I'm in two minds on this - the bank does need to know that its communications are being received

But, they have no idea if the paper statements are making it to your desk, or if they are getting swiped from the letterbox (I'm in an apartment in Melbourne, and the snail mail is not reliable at all, mail is sometimes delivered to the wrong building, sometimes the wrong address entirely, it's also swiped by miscreants who have nothing better to do, and, in some cases, the pricks set the letter boxes on fire, taking all the mail with it)

CapitalOne balance alerts for a low-use credit card - they silently disabled the alerts because "I wasn't reading them". Because I have read notifications disabled and don't load remote resources.

Even if they truly believed I wasn't reading them, disabling them makes no sense to me. They certainly weren't bouncing and I wasn't reporting them as spam.

I dropped CapitalOne after that (not sure I moved to something better though...)

If NAB has an option to turn on plain text emails, that might help, since they obviously can't do tracking that way.
> I have a credit card with HSBC: you know, the bank with virtue-signalling multiculturalism in their ads.

Was this opening sentence necessary? It is not germane at all to the rest of the article. Ironically, it is itself virtue-signalling (for some definition of virtue), just to a different audience.

> just to a different audience

And apparently not targeted all that well, since half the comments here think it is a right-wing (anti-multiculturalism) sentiment, and the other half a left-wing (anti-corporate-reputation-laundering) sentiment.

It doesn't even link to an ad, it links to a weird parody attempt of the ad on the same site as the article. Which makes little sense for people unfamiliar with the original ad it parodies.
(comment deleted)
Some may treat these as an inconvenience or annoyance, but I think it’s a sign of rot. And it may run a lot deeper. Unfortunately I feel like most financial institutions have terrible websites and practices in general, so I don’t know if switching will let you avoid problems.
Capital One does this to me as well, but at least they make it clear so I actually understanding what they mean ("You haven't opened an email from us lately...").

It's fine, Capital One. I did open your emails, I just didn't load your shady tracking pixels.

So what do you think, what's happening here?

My experience with IT in banks is that this entire "feature" of tracking who's opening/not opening emails must have went through about 50 people, and it must have taken at least a year from the idea forming in someone's head, going through all the administrative bureaucracy, getting approved, developed, tested, and rolled out.

Is it that HSBC has 0 competent people who could have mentioned that "tracking pixels are unreliable, especially in 2025/26"? Or is it that everybody who mentioned this was overruled by middle/upper management because they know better? What about the http:// part? I imagine there must have been a few developers saying we should not be serving anything under http://.

I think of the term "state of the practice"

Same thing happens with renting apartments. Slowly but surely, conveniences like apartment-phone-app (to open doors, to access mailboxes) get accepted by people and then they "throw the switch" and make the remaining 3% do it. Or maybe new renters must accept it to move in. And then they can deny access to apartments imeediately, track their residents, match with online activity and more...

I'd guess one of two things. One is a conversation that goes like:

"I want to send letters to everyone who doesn't open our emails."

"We can't really detect that. We could add a tracking pixel, but–"

"Yeah, do that, the tracking pickle thing."

The other is that the "did they open this?" feature was rolled out purely for metrics knowing that it's imprecise, and later on got repurposed for something unsuitable without looking at how the "did this email get opened?" facility actually worked.

My take: someone wanted a technical solution for what is a people/process problem. A hypothetical version of events, just one of many possible scenarios of course: 1) Important communications required by law and/or regulation are sent by email. 2) Contacting customers via email is sometimes unreliable. It is unreliable enough that problems caused by missed emails caused enough pain in some exec's silo that they demanded a solution. 3) "Make sure people read their email" isn't really an actionable demand. The business knows this, so they turned to IT. 4) "Make sure people read their email" isn't really technically feasible either, but at this point it's not about making sure that the customer got the message: it's about making sure that the company is covered if a customer complains about missing communications. 5) To that end, a variety of technical solutions are proposed, and everyone knows that they're all bad or incomplete. The tracking pixel is chosen because it's at the intersection of "least bad" and "lowest effort to implement." 6) Around now, someone probably pointed out the issue with serving the content over http, but changing that requires buy-in from another team. It'll go to their product manager as an inject and maybe get prioritized for next PI (it won't, something more important will come up between now and then). 7) The tracking pixel ships. The team that implemented it stresses that this is an incomplete solution and the business really needs to re-evaluate their processes around customer communications. 8) The email tracking pixel solution gets a bullet point on a slide in a presentation given to managers 3-5 levels higher than the devs who made it. No one mentions that the solution is incomplete and requires additional work and investment. No one ever thinks of it again.
> Is it that HSBC has 0 competent people who could have mentioned

Given the salaries, tooling and working conditions for tech people in such companies, why would anyone competent work there?

Can somebody please tell Barclays their 3DS widget is never redirecting back to the seller when transaction has been approved on user's device?

In fact, the sheer amount of systems not working correctly in Britain is astonishing. Feels like the whole country is falling apart.

I noticed this a couple of years ago too, I just ignored the letters, continued to receive the emails, and they stopped sending me letters about it /shrug
Charles Schwab has something very similar. They keep unenrolling me from their paperless thing and then send me a letter every month telling me they unenrolled me because emails aren't being delivered.

But I get their emails just fine. It's their tracking that (intentionally) isn't working.

(comment deleted)
Maybe this is what's happening to me at Fidelity. They keep complaining about my email on custom domain but the Protonmail address works fine. I use different apps for the two because PM doesn't support IMAP, so maybe PM doesn't block the tracking pixels but the other one does.
Gmail automatically downloads images ahead of time, so the tracking pixels will have been fetched by Gmail themselves regardless of when the user opens the email.
So does Apple's Mail Client. So do most webmail providers. Open signals are generally worthless.
I think gmail adds some heuristics on top of it, like if the same image was included in emails to multiple people.

At least that's what I remember from them announcing the feature. No idea about other providers, and I haven't tested the feature myself.

When Gmail downloads the image it identifies itself as GoogleImageProxy, and will be coming from a GCP/Google ASN.

Similar signal will be there for any email provider or server-side filter that downloads the content for malware inspection.

Pixel trackers are nearly never implemented in-house, because it's basically impossible for you to do your own email. So the tracker is a function of the batteries-included sending email provider. Those guys do that for a living, so they are sophisticated, and filter on the provider download of images.

> But it gets worse. Because HSBC are using http://, rather than https:// URLs for their tracking pixels, they’re also saying that every time you read an email from them, they’d like everybody on the same network as you to be able to know that you did so, too. If you’re at my house, on my WiFi, and you open an email from HSBC, not only might HSBC know about it, but I might know about it too.

> But we’re in the Darkest Timeline. Tracking pixels have become so endemic that HSBC have clearly come to the opinion that if they can’t track when I open their emails, I must not be receiving their emails. So they wrote me a letter to tell me that my emails have been “returned undelivered” (which seems to be an outright lie).

>used to surreptitiously track when somebody reads an email

Not in my email client, mutt. I use Thunderbird once in a great while. For some reason I thought there was an option to stop that and I enabled it. Will need to check the next time I fire up Thunderbird.

All sounds about right for HSBC. They've got some of the worst banking tech in existence. How the heck anyone puts up with their crap is beyond me, I moved away a decade ago but still have a close family member with them and they're forever having issues (genuinely not user error) with the crippled online banking app they've got that looks like something from the early days of app development.
I don't see anything wrong with attempting this. A significant number of people mistype/change their e-mail address, and security messages from banks can be important, so anything that catches no-longer-working e-mail addresses is better for everyone involved. And I assume a very small proportion of people try to disable tracking pixels.

But this post is entirely speculation. The author has no evidence they're basing it on tracking pixels. They're literally just guessing.

And I'm dubious that tracking pixels would be a reliable enough signal to be worth it. Doesn't Gmail download images in advance anyways? Plus, I regularly filter predictable emails or just archive them directly from my inbox based on the subject line without opening.

I'd more likely assume they have an e-mail bounce detector that just has a bug in it.

> But this post is entirely speculation. The author has no evidence they're basing it on tracking pixels. They're literally just guessing.

They literally admit to this and go on to provide the evidence for their guess:

> I think I can place a solid guess about what went wrong here.

> I don't see anything wrong with attempting this.

I do, when the result of that attempt is to tell people to change their email addresses unnecessarily. Most people will fall for that.

> I can understand your frustration, but if the bank has sent the letter, you will have to update the e-mail address.

That's why I fucking hate society. This is everywhere.

HSBC, truly the pinnacle of Great Banks. Surprised they haven't earned your breakup yet.
The same exact thing would happen to me with interactive brokers.
Banks have some of the worst IT in the world. Being purely manager-led, with developers completely subservient to the bean counters, the results are terrible.

This is one of the reasons why in 2019 they wrote about their own demise https://web.archive.org/web/20240213185758/https://www.cimb.... against fintech (which is only slightly less archaic) and how cryptos, I don't know which ones, but maybe some yet to be born, will eventually displace them because regardless of their dominant position, the level of poor service and archaic systems is not humanly/socially sustainable for much longer.

Their leadership is mentally incapable of changing. Unfortunately, I fear that most of the population isn't either.

This isn't going to get to someone at HSBC. Nothing will change.

  They hired another company to do it.
  The project has been over for 4 years.
  The man who determined the requirements no longer works at HSBC or the other company.
  The coder doesn't even know HSBC is using his code.
It's absolutely useless - humans going into the age of software. It's a death spiral of I don't know's for a hundred miles.
Years ago, I used to get marketing spam emails from Bank of America. In their email, they did not offer a way to opt out from those types of email, so I invalidated the unique email address that I had created just for them. A few months later, I got a snail mail letter like the one Dan got, telling me that emails were being rejected and that I needed to correct my email address. I went through the same sort of nonsensical dialog with them, and they simply would not let me opt out from their marketing emails, so I left it disabled for a few years. Eventually they offered "email preferences", so I re-enabled it.

My wife continues to get spam snail mail from Citi, and they offer no way to opt out. If it was my account, I would switch banks.

Back to the main topic: I think it's pretty stupid of the HSBC IT folks to assume that an email was not read because the tracking pixels were never accessed. Lots of email clients these days do not load images by default.