48 comments

[ 4.1 ms ] story [ 115 ms ] thread
yeah well what about google tracking emails itself.
is a given if you are using gmail. If anyone doesn't want google, microsoft, yahoo tracking email.. you better get your own mail server.
(comment deleted)
Or pay one, e.g. Gandi: https://www.gandi.net/
And now you're back to square one due to draconian French surveillance laws.

Running your mail server on a VPS is not a very good solution, particularly when that VPS exists in a country that interpreted 1984 to be an instruction manual rather than a cautionary tale.

Wouldn't adblock/muBlock/etc. accomplish the same, while working cross browser?
unfortunately not, adblock blocks ad related media only. This is one of the few tools that will intelligently block people from tracking your email views/opens
* Easy privacy.

EasyPrivacy is an optional supplementary subscription that completely removes all forms of tracking from the internet, including web bugs, tracking scripts and information collectors, thereby protecting your personal data.

My point being, if you care about privacy enough it would extend more than just your email. Thus using Adblock Plus (with Easylist + Easyprivacy + other subscriptions), would be more beneficial to the end user.
Thanks for posting ibejoeb!
Neat tool, thanks. I wasn't going to install it because it required access to mail.google.com and googleusercontent.com, but since it's open I feel better about it. It might be helpful to others to mention that and link to it in the chrome store.
google already grabs the images via image proxy.. http://gmailblog.blogspot.com/2013/12/images-now-showing.htm...
Unique images still allow for read receipts.

The proxy effectively prevents cookie setting, ip address determination and geolocation, and injection-type attacks.

If Google proxies and caches images at the time of receipt, instead of when you open the email, then you effectively don't have read receipts for Gmail users, because it looks like they all read the email immediately.

Caching images immediately is probably an attractive engineering decision on its own merits. Whether spamming read receipts is good (because it makes them useless) or bad (because it makes people think the emails got read) is an interesting question.

BTW what is the point?

I mean, one can legitimately want that they do not receive the tracking information. But are there any real security implications, like siphoning off any unauthorized data, facilitating spam, etc?

Tracking an email open is enough of a security threat by itself.
But this is not any email; it's usually a promo or info email, usually with a link to directly click, so I would willingly divulge the same details — if the email is legitimate.

I could imagine that geolocating my IP might be undesirable at times. I wonder what are other potential security (not privacy) implications.

It's not just marketing emails. I have worked with people that track opens of their emails so they could decide how and when to follow-up with their contractors, clients, and prospective clients.
The context for those is still marketing.

I too don't understand what's to be gained from a tool like this. If the party collecting the data abuses it to spam you then you simply unsubscribe/block the emails altogether. And of course they know you know you can do this, which gives them incentive to not do that.

That's because there is really isn't much to be obtained from this tool other than a sense of gaining control over your email.
I know first-hand of some recruiters who use email opens as yet another metric to gauge potential candidates. If you open emails but don't respond right away, some recruiters will immediately cross you off their list.
(comment deleted)
We use it to see if you are interested in the email. If you don't open 3 or 4 we take you off the list. We also use it to see if email addresses are no longer used.

I don't really see why you'd care about tracking pixels 99% of the time. If you purchase something from us and we email you, it's super useful for both of us to know if you have read the email (purchase receipt or booking confirmation.)

I personally don't see much spam and what I do see I just delete, so tracking pixels in those aren't an issue for me.

I don't want you to know where I live. No matter how benevolent you claim to be.
The average company does not behave so genially. They want to see who is opening adverts.

All I care about is myself getting the confirmation, if I have a problem I will contact the company. I do not care if they know about me receiving it otherwise, and I certainly do not care to help in the inevitable but unfortunately legal flood of spam after any online purchase.

The average company does not behave so genially. They want to see who is opening adverts.

All I care about is myself getting the confirmation, if I have a problem I will contact the company. I do not care if they know about me receiving it otherwise, and I certainly do not care to help in the inevitable but unfortunately legal flood of spam after any online purchase.

> If you purchase something from us and we email you, it's super useful for both of us to know if you have read the email (purchase receipt or booking confirmation.)

Why? If I'm interested in the email, I'll request it (i.e. if I'm purchasing something from you, me receiving confirmation emails from you should be opt-in, either in my user settings on your site or on a per-purchase basis). If I'm not interested in the email, I'll click the "unsubscribe" link in the email (you do include unsubscribe links, right?) or otherwise specify such in - again - my user settings.

In other words, that's not your call to make. That's my call to make, and your explanation is sounding like a very weak excuse to pin my privacy to a table and give it a night it'll never forget.

Some brainstorming:

- Could be used for entrapment, that is to say, could send over potentially criminal information and argue that the user did in fact "receive" it since it was read.

- If you could inject your own tracker into someone else's email, you might also gleam when and potentially how they read that email.

- One funny thing that came to mind. In Australian contract law (likely similar to the UK from which the laws were adopted), if you email someone an your acceptance to a offer, that acceptance is deemed as received when the email is read (the person becomes aware of the acceptance). Where as with regular postal mail, the offer is accepted when posted (the "postal rule", a nice headache). If you had a tracking code, it would be harder to to argue you weren't aware of the acceptance by email. That is unless your email client pre-fetches images before the email itself is opened...

(comment deleted)
...or if you're using mutt you're laughing all the way to the plain-text version.

On a serious note: just block remote content.

No Chrome extension can know which images are being used to track email opens. If you want to disable that sort of tracking you should disable images/external resources completely. Otherwise you're just getting a false sense of security.
I use (al)pine. Nobody has ever, in any way, received information about my email opens.

I speed through email with keystrokes and zero mouse movement, and I can use email with ease on even the slowest of satellite or 2G network access.

Finally - and this is my favorite part - since I use pine, and my engineers at rsync.net also use pine, not one single intra-company email has ever traversed the Internet. Ever.

All intra-company email is simply a local copy operation on a single mail server.

That's pretty neat to hear. I used to use Pine on the Seattle Community Network back in the early 1990s and have been thinking of trying it again. Have you documented your setup somewhere?
> since I use pine, and my engineers at rsync.net also use pine, not one single intra-company email has ever traversed the Internet. Ever.

What does the mail client have to do with this? I use Thunderbird with Gmail, and, since all of my contacts use Gmail, not one single email has ever traversed the Internet, ever.

With TLS-enabled mail servers, this isn't very relevant a metric.

>With TLS-enabled mail servers, this isn't very relevant a metric.

They still have the meta-data, the actually interesting stuff.

They know that some email was sent by someone to someone somewhere around that time, but nothing more.
Nothing more? That all you need to know in 99% of the time. Just in case you didn't get the memo: ‘We Kill People Based on Metadata’.

http://www.nybooks.com/blogs/nyrblog/2014/may/10/we-kill-peo...

Really? You're equating knowing who sent what when and how to just knowing that something was sent at some point, from an unknown origin to an unknown destination?
I used to use pine and as an email client it's very nice but I have such engrained muscle memory for emacs that I switched to gnus and then later to notmuch.

Also increasingly, mail clients are sending only html without a text/plain part, and w3m on emacs renders those nicely.

http://techcrunch.com/2013/12/12/gmail-open-rates/

"[...] Google spokesperson I emailed said that’s not entirely correct. (The spokesperson declined to be quoted.) Instead, they said marketers who track open rates through images will still be able to do so — indeed, they suggested that the data might be more accurate now since open rates will count users who read the emails but don’t load the images."

Sounds like Google made sure tracking works even when users attempt to evade it.

But another quote in the same article still talks about pixels:

"MailChimp can still detect the first request for the open-tracking pixel."

(comment deleted)
Isn't this redundant unless I accept images? I get:"Images are not displayed. Display images below - Always display images from webmaster@ibmverse.com" (for example).
You are correct, I'm 99% sure this is why blocking images is an option in email browsers.
I generally use Thunderbird and while I have not checked what it does in all cases, it generally flags when there is remote content and provides options regarding loading it. I'm happy with that. I know many folk of course use web based mail readers, and this is directed at them, but if its a big issue using a product like Thunderbird may be the way to.
I thought gmail recently preloaded images so you didn't need this? (I say this because the example shows gmail)
I thought that too, but no. It seems it replaces the original link with a google url, which is basically a proxy address for that original url. It seems they may cache it, but don't preemptively download it when the mail is received.

http://gmailblog.blogspot.com.au/2013/12/images-now-showing....

Obviously if they downloaded any image linked to an email send to gmail that could lead to a DOS, and be very wasteful in any case. So they wait until you actually open the email. But at least it obscures your IP unless you click on the links.