Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

E-mail Open Tracking Has Quietly Taken Over the Web

December 19, 2017

As recently reported in Wired, over 40 percent of e-mails are tracked, according to a study published last June by OMC, an "email intelligence" company that also builds anti-tracking tools.

Tracking clients embed a line of code in the body of an email—usually in a 1×1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that the pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years to collect data about their open rates. Major tech companies like Facebook and Twitter followed suit in their ongoing goal to profile and predict our behavior online.
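To see what that looks like from the recipient's side, here is an added example (not code from the Wired article, OMC, or any tool named in this post) that scans an HTML message body for the remote resources described above: invisible images, fonts loaded through CSS, and links carrying a query string. The size and "tagged link" heuristics and all hostnames are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?((?:https?:)?//[^'\")\s]+)", re.I)

def _tiny(a):
    # 1x1 (or 0x0) by attribute or inline CSS, or hidden outright
    dims = [a.get(k, "").strip().rstrip("px") for k in ("width", "height")]
    css = a.get("style", "").replace(" ", "").lower()
    return (all(d in ("0", "1") for d in dims) or "display:none" in css
            or ("width:1px" in css and "height:1px" in css))

class OpenTrackerScan(HTMLParser):
    """Lists remote resources a mail client would request for this HTML body."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self._in_style = tag == "style"
        if tag == "img" and REMOTE.match(a.get("src", "")):
            self.findings.append(("pixel" if _tiny(a) else "remote-image", a["src"]))
        elif tag == "a" and REMOTE.match(a.get("href", "")) and "?" in a["href"]:
            self.findings.append(("tagged-link", a["href"]))  # fires on click, not on open
        self._css(a.get("style", ""))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text inside <style>: @font-face or background url()
            self._css(data)

    def _css(self, text):
        self.findings += [("css-url", u) for u in CSS_URL.findall(text)]

def scan(html):
    parser = OpenTrackerScan()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample body; every host is a placeholder.
SAMPLE = """<style>@font-face{font-family:B;src:url("https://fonts.tracker.example/b.woff?u=r123")}</style>
<p>Quick follow-up.</p><img src="https://cdn.shop.example/banner.png" width="600" height="120">
<a href="https://click.tracker.example/r?u=r123&amp;to=pricing">Pricing</a>
<img src="https://open.tracker.example/o.gif?u=r123" width="1" height="1">"""
```

Every entry except `tagged-link` is fetched as soon as the message is rendered, which is why blocking remote content by default cuts off open tracking while link tracking still needs a click.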

Lately, a growing number of tracked e-mails are being sent not from corporations, but people you know. "We have been in touch with users that were tracked by their spouses, business partners, competitors," says Florian Seroussi, the founder of OMC. "It's the wild, wild west out there."

According to OMC's data, a full 19 percent of all "conversational" email is now tracked. That's one in five of the e-mails you get from your friends. And you probably never noticed. I sure as heck never did.

"I do not know of a single established sales team in [the online sales industry] that does not use some form of email open tracking," says John-Henry Scherck, a content marketing pro and the principal consultant at Growth Plays. "I think it will be a matter of time before either everyone uses them," Scherck says, "or major email providers block them entirely."

Both Amazon and Facebook use e-mail trackers a lot. When Facebook sends you an e-mail notifying you about new activity on your account, it opens an app in the background, and now Facebook knows where you are, the device you're using, the last picture you've taken—they get everything.

Both Amazon and Facebook "deeplink all of the clickable links within the e-mail to trigger actions on their app running on your device," Seroussi says. "Depending on permissions set by the user, Facebook will have access to almost everything from Camera Roll, location, and many other logs that are hidden. But even if a user has disabled location permission on his device, e-mail tracking will bypass this restriction and still provide Facebook with the user's location."

"Look, everybody opens e-mails, even if they don't respond to them," Seroussi says. "If you can learn where a celebrity is—or anyone—just by emailing them, it's a security threat." It could be used as a tool for stalkers, harassers, even thieves who might be sending you spam e-mails just to see if you're home.

"During the 2016 election, we sent a tracked e-mail out to the US senators, and the people running for the presidency," Seroussi says. "We wanted to know, were they doing anything about tracking? Obviously, the answer was no. We typically got the location of their devices, the IP addresses; you could pinpoint almost exactly where they were, which hotels they were staying at."

There's one more reason to be wary: E-mail tracking is evolving. Research from October looked at e-mails from newsletter and mailing list services from the 14,000 most popular websites on the web, and found that 85 percent contained trackers—and 30 percent leak your email addresses to outside corporations, without your consent.

"You can have tens of parties receive your email address," says Steven Englehardt, one of the computer scientists behind the study. "Your email hash is really your identity, right? If you go to a store, make a purchase or sign up for something—everything we do today is associated with your email." Data brokers have long stockpiled information on consumers through web tracking: browsing habits, personal bios, and location data. But adding an e-mail address into the mix, Englehardt says, is even more reason for alarm.

"This kind of tracking creates a big dataset. If a dataset leaks with email hashes, then it'd be trivial for anyone to go see that person's data, and people would have no idea that data even existed," he says. "You can compare it to the Experian data leak, which exposed people's social security numbers, and could cause fraud. In my mind, this leak would be even worse. Because it's not just financial fraud, but intimate details of people's lives."

A host of anti-tracking services have sprung up to combat the rising tide of inbox tracers—from Ugly Mail, to PixelBlock, to Senders. Ugly Mail notifies you when an email is carrying a tracking pixel, and PixelBlock prevents it from opening. Senders makes use of a similar product formerly known as Trackbuster, as part of a service that displays info (Twitter, LinkedIn account, etc.) about the sender of the e-mail you're reading.

Even those methods aren't foolproof. Tracking methods are always evolving and finding ways around the current crop of track-blockers. "It's a fight we're having over the last couple of years," Seroussi says. "They can't counter all the methods that we know—so they get around the block by setting up new infrastructures. It's a chase, they're doing a job."

To prevent third parties from leaking your e-mail, meanwhile, Princeton's Englehardt says "the only surefire solution right now is to block images by default." That is, turn on image-blocking in your email client, so you can't receive any images at all.

OMC has found dozens of novel methods that newfangled trackers are using to get your e-mail open info. "We found 70 different ways where they use tracking," Seroussi says, "Sometimes it's a color, sometimes it's a font, sometimes it's a pixel, and sometimes it's a link."

Scary stuff. Seems to me that Congressional action is needed, but then again, that may be (and usually is) wishful thinking.

Hat tip to Dave Ries.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson