Tracking is everywhere on the Internet. Over the past year, a drumbeat of tech-industry scandals has acclimated users to the sheer number of ways that personal information can be collected and leaked. As a result, it might not come as a surprise to learn that emails, too, can be vectors for tracking. Email senders can monitor who opens which emails, when, and what device they use to do it. If you work for a business or a non-profit that sends mass emails, maybe you’ve used tools to perform this kind of tracking before. Even if you have used them, this might be the first you’ve heard of it — because unfortunately, in email marketing software, tracking is often enabled by default.
There are a lot of different ways to track email, and different techniques can lie anywhere on the spectrum from marginally acceptable to atrocious. Responsible tracking should aggregate a minimal amount of anonymous data, similar to page hits: enough to let the sender get a sense of how well their campaign is doing without invading users’ privacy. Email tracking should always be disclosed up-front, and users should have a clear and easy way to opt out if they choose to. Lastly, organizations that track should minimize and delete user data as soon as possible according to an easy-to-understand data retention and privacy policy.
Unfortunately, that’s often not how it happens. Many senders, including the U.S. government, do email tracking clumsily. Bad email tracking is ubiquitous, secretive, pervasive, and leaky. It can expose sensitive information to third parties and sometimes even others on your network. According to a comprehensive study from 2017, 70% of mailing list emails contain tracking resources. To make matters worse, around 30% of mailing list emails also leak your email address to third party trackers when you open them. And although it wasn’t mentioned in the paper, a quick survey we did of the same email dataset they used reveals that around 80% of these links were over insecure, unencrypted HTTP.
In addition, several of these third-party email tracking technologies will try to share and correlate your email address across different emails that you open, and even across different websites that you visit, further shaping your invisible online profile. And since people often access their email from different devices, email address leaks allow trackers (and often network observers) to correlate your identity across devices.
It doesn’t have to be that way. For users, there are usually ways to “opt out” of tracking within your email client of choice. For mail client developers, including a few simple features can help protect your users’ privacy by default. And if you’re at an organization that does perform tracking, you can take a proactive approach to respecting user privacy and consent. Here are some friendly suggestions to help make tracking less pervasive, less creepy, and less leaky.
How can users protect themselves?
There are many popular email clients which behave differently and have different settings, so protections may vary. Here are some general guidelines for improving your email privacy and security hygiene.
Limit your email client’s image/resource loading.
A common tracking practice includes embedded links to “pixels” or other pieces of content that are hosted on a remote server. When your client tries to load the content, it sends out a request that allows you to be tracked. Blocking third-party resources limits the ability of email senders to track when you read or open emails. Some clients, including Thunderbird and Outlook, have it disabled by default, and both Gmail and Apple Mail allow you to disable it by choice. If you need to view images in a particular email, you can selectively turn on this feature for that particular email, but be aware that this allows email-open trackers to work.
For even more security, you can turn off HTML email completely. This will remove formatting from your emails, but it will completely stop any form of remote content tracking.
If you’re not sure how well your email client protects you, the Email Privacy Tester is a useful tool to check whether you’re vulnerable to a variety of different tracking techniques. For example, even though Gmail uses a proxy to serve images in emails, the privacy tester reveals that using Gmail won’t actually protect you from pixel tracking (though it will mask your IP address). Try using it to test each of your email clients, especially the one you use on your mobile phone.
Be careful when clicking links.
Don’t click links in email unless you absolutely have to, and try to view the link URL beforehand. This is good practice in general to avoid security risks like phishing as well as privacy-invasive tracking.
If you use a webmail client, standard web hygiene techniques work well for email also. To prevent email trackers from getting even more information about you, turn off third-party cookies in your browser and install a tracker-blocker like Privacy Badger. In addition, to prevent your email browsing behavior from being visible to ISPs and snoops on your network, limit your exposure to HTTP. You can use an extension like HTTPS Everywhere to block HTTP resources from loading by default.
How can email clients do more to protect their users?
Email clients should represent the interests of their users as they interact with the Internet. That includes using sensible protections by default and including strong privacy-preserving options for especially concerned users.
If they have the resources, clients can proxy content that’s embedded in emails, like Gmail does. It’s not perfect, but has some security and privacy benefits, like preventing HTTP requests from leaking onto the network, blocking cookies, and hiding IP address and User Agent information from the tracker. If you’re a client developer, there’s even more that you can do.
Tracking should be opt-in, not opt-out, so if you don’t already, turn off remote content loading for your users by default. At the very least, you can give your users the option to do this. Also, give users the ability to turn off HTML email. You can check for any further leaks on your client using the Email Privacy Tester.
Even if your users regularly employ end-to-end encryption, after decrypting the email, clients often render the email as they would a regular one, so you’ll still need to think about these tracking protections.
How can email senders respect their readers?
The need for feedback on email campaigns drives the ubiquity of pixel and link tracking, and many of these techniques have been used for decades. But it’s unfortunately rare to see these tracking technologies being implemented securely and responsibly. Here’s how to make sure the analytics tools on your email campaign respect and protect users’ privacy.
Rule #1: use TLS!
An astounding number of link-tracking domains are served over HTTP, and many large email senders don’t use STARTTLS. Make sure your links are over HTTPS, and that your mail server supports outgoing STARTTLS. There’s no reason network eavesdroppers should know what mailing lists folks are subscribed to when users open their emails or their email-link browsing history.
Don’t obfuscate your links.
The practice of obfuscating tracked links is especially dangerous, as it trains your readers to click unrecognizable links. This can lead users to click suspicious links from phishers. 91% of cyberattacks start with a phishing email, and normalizing suspicious-looking links in email makes life easier for phishers.
Lastly, and most importantly, think before you track.
Who are you exposing your readers’ private information to? Do you really need to embed their email addresses in your URLs? At what privacy cost do “insightful analytics” come at? Nothing about counting the number of visitors coming to your site via email is inherently bad. But do you really need to store exactly who clicked which link from which email? Campaigns can get quite a bit of signal without invading their users’ privacy and trust just from aggregated counting, rather than individualized tracking of every user’s interaction. And think twice before hiring a third-party service to do your tracking for you. Read their privacy policy, and make sure you’re not selling out your users’ data for a few useful numbers.
Email sanitation, security, and privacy is a team effort. Stay vigilant, and keep good email hygiene!