How Email Open Tracking Quietly Took Over the Web

“I JUST CAME across this email,” began the message, a long overdue reply. But I knew the sender was lying. He’d opened my email nearly six months ago. On a Mac. In Palo Alto. At night.

I knew this because I was running the email tracking service Streak, which notified me as soon as my message had been opened. It told me where, when, and on what kind of device it was read. With Streak enabled, I felt like an inside trader whenever I glanced at my inbox, privy to details that gave me maybe a little too much information. And I certainly wasn’t alone.

There are some 269 billion emails sent and received daily. That’s roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an “email intelligence” company that also builds anti-tracking tools.

The tech is pretty simple. Tracking clients embed a line of code in the body of an email—usually in a 1×1 pixel image, so tiny it’s invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online.

But lately, a surprising—and growing—number of tracked emails are being sent not from corporations, but acquaintances. “We have been in touch with users that were tracked by their spouses, business partners, competitors,” says Florian Seroussi, the founder of OMC. “It’s the wild, wild west out there.”

According to OMC’s data, a full 19 percent of all “conversational” email is now tracked. That’s one in five of the emails you get from your friends. And you probably never noticed.

“Surprisingly, while there is a vast literature on web tracking, email tracking has seen little research,” noted an October 2017 paper published by three Princeton computer scientists. All of this means that billions of emails are sent every day to millions of people who have never consented in any way to be tracked, but are being tracked nonetheless. And Seroussi believes that some, at least, are in serious danger as a result.

AS RECENTLY AS the mid-2000s, email tracking was almost entirely unknown to the mainstream public. Then in 2006, an early tracking service called ReadNotify made waves when a lawsuit revealed that HP had used the product to trace the origins of a scandalous email that had leaked to the press. The intrusiveness (and simplicity) of the tactic came as something of a shock, even though newsletter services, salespeople, and marketers had long used email tracking to gather data.

Seroussi says that Gmail was the ice breaker here—he points back to the days when sponsored links first started showing up in our inboxes, based on tracked data. At the time it seemed invasive, even unsettling. “Now,” he says, “it’s common knowledge and everyone’s fine with it.” Gmail’s foray was the signal flare; when advertisers and salespeople realized they too could send targeted ads based on tracked data, with little lasting pushback, the practice grew more pervasive.

“I do not know of a single established sales team in [the online sales industry] that does not use some form of email open tracking,” says John-Henry Scherck, a content marketing pro and the principal consultant at Growth Plays. “I think it will be a matter of time before either everyone uses them,” Scherck says, “or major email providers block them entirely.”

That’s partly to do with spam. “Competent spammers will track any activity on your email because they tend to buy entire lists of addresses and will actively try to rule out spam traps or unused emails,” says Andrei Afloarei, a spam researcher with Bitdefender. “If you click on any link in one of their messages they will know your address is being used and might actually cause them to send more spam your way.”

But marketing and online sales—even spammers—are no longer responsible for the bulk of the tracking. “Now, it’s the major tech companies,” Seroussi says. “Amazon has been using them a lot, Facebook has been using them. Facebook is the number one tracker besides MailChimp.” When Facebook sends you an email notifying you about new activity on your account, “it opens an app in background, and now Facebook knows where you are, the device you’re using, the last picture you’ve taken—they get everything.”

Both Amazon and Facebook “deeplink all of the clickable links within the email to trigger actions on their app running on your device,” Seroussi says. “Depending on permissions set by the user, Facebook will have access to almost everything from Camera Roll, location, and many other logs that are hidden. But even if a user has disabled location permission on his device, email tracking will bypass this restriction and still provide Facebook with the user’s location.”

I STUMBLED UPON the world of email tracking last year, while working on a book about the iPhone and the notoriously secretive company that produces it. I’d reached out to Apple to request some interviews, and the PR team had initially seemed polite and receptive. We exchanged a few emails. Then they went radio silent. Months went by, and my unanswered emails piled up. I started to wonder if anyone was reading them at all.

That’s when, inspired by another journalist who’d been stonewalled by Apple, I installed the email tracker Streak. It was free, and took about 30 seconds. Then, I sent another email to my press contact. A notification popped up on my screen: My email had been opened almost immediately, inside Cupertino, on an iPhone. Then it was opened again, on an iMac, and again, and again. My messages were not only being read, but widely disseminated. It was maddening, watching the grey little notification box—“Someone just viewed ‘Regarding book interviews’—pop up over and over and over, without a reply.

So I decided to go straight to the top. If Apple’s PR team was reading my emails, maybe Tim Cook would, too.

I wrote Cook a lengthy email detailing the reasons he should join me for an interview. When I didn’t hear back, I drafted a brief follow-up, enabled Streak, hit send. Hours later, I got the notification: My email had been read. Yet one glaring detail looked off. According to Streak, the email had been read on a Windows Desktop computer.

Maybe it was a fluke. But after a few weeks, I sent another follow up, and the email was read again. On a Windows machine.

That seemed crazy, so I emailed Streak to ask about the accuracy of its service, disclosing that I was a journalist. In the confusing email exchange with Andrew from Support that followed, I was told that Streak is “very accurate,” as it can let you know what time zone or state your lead is in—but only if you’re a salesperson. Andrew stressed that “if you’re a reporter and wanted to track someone’s whereabouts, [it’s] not at all accurate.” It quickly became clear that Andrew had the unenviable task of threading a razor thin needle: maintaining that Streak both supplied very precise data but was also a friendly and non-intrusive product. After all, Streak users want the most accurate information possible, but the public might chafe if it knew just how accurate that data was—and considered what it could be used for besides honing sales pitches. This is the paradox that threatens to pop the email tracking bubble as it grows into ubiquity. No wonder Andrew got Orwellian: “Accuracy is entirely subjective,” he insisted, at one point.

Andrew did, however, unequivocally say that if Streak listed the kind of device used—as opposed to listing unknown—then that info was also “very accurate.” Even if pertained to the CEO of Apple.

IF TIM COOK is a closet Windows user (who knows! Maybe his Compaq days never fully rubbed off) or even if he outsources his email correspondence to a firm that does, then it’s a fine example of the sort of private data email tracking can dredge up even on our most powerful public figures.

“Look, everybody opens emails, even if they don’t respond to them,” Seroussi says. “If you can learn where a celebrity is—or anyone—just by emailing them, it’s a security threat.” It could be used as a tool for stalkers, harassers, even thieves who might be sending you spam emails just to see if you’re home.

“During the 2016 election, we sent a tracked email out to the US senators, and the people running for the presidency,” Seroussi says. “We wanted to know, were they doing anything about tracking? Obviously, the answer was no. We typically got the location of their devices, the IP addresses; you could pinpoint almost exactly where they were, which hotels they were staying at.”

This is what worries Bitdefender’s Afloarei about malicious spammers who use trackers, too. “As for the dangers of being tracked in spam, one must keep in mind the kind of people that do the tracking, and the fact that they can find out your IP address and therefore your location or workplace,” he says. Just by watching you open your email, Afloarei says spammers can learn your schedule (“based on the time you check your email”), your itinerary (based on how you check mail at home, on the bus, or so on), and personal preferences (based on where they harvested the email; say, a sports forum, or a music fansite).

Because so many people can be looked up on social media based on email addresses, or their jobs and locations, Afloarei says it’s “pretty easy” to correlate all the data and track someone down in person. “Granted, most spammers are only interested in getting your credit card or simply getting you infected and part of their botnet, but the truly devious ones can deduct so much information besides all that.”

There’s one more reason to be wary: Email tracking is evolving. Research from October looked at emails from newsletter and mailing list services from the 14,000 most popular websites on the web, and found that 85 percent contained trackers—and 30 percent leak your email addresses to outside corporations, without your consent.

So, if you sign up for a newsletter, even from a trusted source, there’s a one in three chance that the email that newsletter service sends you will be loaded with a tracking image hosted on an outside server, that contains your email address in its code and can then share your email address with a “large network of third parties.” Your email address, in other words, is apt to be shared with tracking companies, marketing firms, and data brokers like Axiom, if you as much as open an email with a tracker, or click on a link inside.

“You can have tens of parties receive your email address,” says Steven Englehart, one of the computer scientists behind the study. “Your email hash is really your identity, right? If you go to a store, make a purchase or sign up for something—everything we do today is associated with your email.” Data brokers have long stockpiled information on consumers through web tracking: browsing habits, personal bios, and location data. But adding an email address into the mix, Englehart says, is even more reason for alarm.

“This kind of tracking creates a big dataset. If a dataset leaks with email hashes, then it’d be trivial for anyone to go see that person’s data, and people would have no idea that data even existed,” he says. “You can compare it to the Experian data leak, which exposed people’s social security numbers, and could cause fraud. In my mind, this leak would be even worse. Because it’s not just financial fraud, but intimate details of people’s lives.”

Given the risks, perhaps what’s most striking about the rise of ubiquitous email tracking is how relatively quietly it’s happened—even in a moment marked by increased awareness of security issues.

“It’s shifted. It’s more and more used in conversational threads. In business emails. This is what scares us the most,” Seroussi says. “One out of six people that emails you is sending a tracker, and it’s real life”—not marketing, not spammers. “It could be your friend, your wife, your boss, this number is really mind boggling—you give up a lot of privacy just opening emails.”

AFTER THE GREAT Tim Cook Email Tracking Incident, I left Streak on. I’d found, grudgingly, that it was useful; it was sometimes more efficient to know when sources had read my email and when I might need to nudge them again. But because I was using the same Gmail account for personal and professional use, I ended up tracking friends and family, too. That’s when I saw how starkly tracking violates the lightly-coded social norms of email etiquette. I watched close friends read an email and not respond for days. I saw right through every white lie about email (about not receiving it, or it getting stuck in the spam folder). Sure, it’s occasionally nice; you can get a rough sense of how many people read the latest update to the weekend plans on a thread, and you can feel confident that your brother isn’t blowing you off, he’s just really bad at reading email. But it mostly serves to add yet another unnecessary layer of expectation onto our already notification-addled lives, another social metric to fret over, and another box to click on feverishly whenever it arrives. Not to mention a tinge of surreptitious digital voyeurism.

Clearly, this is a situation that the tracking outfits want to avoid. They’ve kept mostly to the shadows, harvesting useful sales data and email open rate info without causing too many ripples; the last thing they want is for their products to be deemed invasive or spyware. This, however, puts them in a deeply awkward position: In order to stand out amongst a burgeoning field of email tracking services, they need to tout their accuracy and ease of use—while somehow giving the public the impression the data they’re soaking up isn’t a threat.

As the number of easy-to-use, free tracking products proliferates—some email clients are beginning to simply ship with tracking features, as Airmail did in 2016—we’re going to have to contend with a digital social landscape where there’s an insurgent mix of trackers and trackees. And, increasingly—anti-trackers.

IF YOU DON’T want people to know your precise whereabouts whenever you glance at a specially priced offer for a cruise featuring your favorite 90s alt rock bands; if you’d rather Facebook not harvest your device data every time a former high school classmate inveighs against Trump in a comment on one of your vacation pics; if you’re the CEO of one of the top technology companies in the world and you’d rather not be associated with using a rival’s product—you have options.

A host of anti-tracking services have sprung up to combat the rising tide of inbox tracers—from Ugly Mail, to PixelBlock, to SendersUgly Mail notifies you when an email is carrying a tracking pixel, and PixelBlock prevents it from opening. Senders makes use of a similar product formerly known as Trackbuster, as part of service that displays info (Twitter, LinkedIn account, etc) about the sender of the email you’re reading. Using these services, I spotted more than a few acquaintances and even some contacts I consider friends using tracking in their correspondence.

But even those methods aren’t foolproof. Tracking methods are always evolving and improving, and finding ways around the current crop of track-blockers. “It’s a fight we’re having over the last couple of years,” Seroussi says. “They can’t counter all the methods that we know—so they get around the block by setting up new infrastructures. It’s a chase, they’re doing a job.”

To prevent third-parties from leaking your email, meanwhile, Princeton’s Englehart says “the only surefire solution right now is to block images by default.” That is, turn on image-blocking in your email client, so you can’t receive any images at all.

OMC has found dozens of novel methods that newfangled trackers are using to get your email open info. “We found 70 different ways where they use tracking,” Seroussi says, “Sometimes it’s a color, sometimes it’s a font, sometimes it’s a pixel, and sometimes it’s a link.” It’s an arms race, and one side has an immense advantage.

When Seroussi debuted Trackbuster in 2014, he was expecting a few hundred downloads. Within hours, he’d had 12,000. People who knew about email tracking—often trackers themselves, ironically—were eager for a way to quash it. Still, other trackers are furious with what the track-blockers are doing. “We receive death threats,” he says, more agitated than angered. It’s the wild west, after all. “They’ve been trying to destroy us for two years.”

Scherck, the marketing consultant, thinks that Google could up and kill email tracking altogether. “I do think public opinion could turn on email tracking, especially if Gmail started alerting users to tracking by default inside of Gmail with pop ups, or some native version of Ugly Email,” he says. “Just look at how consumers have turned on Facebook for their advertising. People absolutely hated that Uber was buying data on who was using Lyft from Unroll.me.” It would only take a strong enough nudge. “Most consumers don’t understand just how much information they are giving up,” he says.

If Google and the other big tech firms won’t budge, though, Seroussi believes the problem is serious enough to warrant government intervention. “If the big companies don’t want to do something about it, there should be a law defining certain kinds of tracking,” he says. And if nothing is done at all, Seroussi thinks it’s only a matter of time before email tracking is used for malign purposes, potentially in a very public way. “I always wonder when a big story is going to come out and say that people broke into a house because they used email trackers to know the victims were out of town,” he says. “It’s probably already happened.”

As for me, I was tired of all the tracking. After a couple months of ambiguous insights, I didn’t want to know who was opening my emails and not replying anymore. I didn’t want to wait, strung-out-like, for a notification to ring in a response from a crucial source. I didn’t want to feel like I was breaking the rules of whatever slipshod digital social compact we’ve got; my semi-spying days were done. I deleted Streak, and left Senders running—and kept a screenshot of Tim Cook’s Windows on my desktop as a souvenir.

Source: Wired

‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs