Email Tracking: How It’s Done and Two Tools to Stop It

I’ve talked a lot about general web security and privacy in numerous blog posts over the past few years.

However, I haven’t talked much about email privacy. An email I recently received from a mailing list reminded me just how creepy some marketing services and technologies can be.

The Email

I got this email a couple of weeks ago:

Check out the third paragraph. “[O]ur records show that you haven’t been opening our emails.” How does a company know when I open an email?

There actually two ways – tracking pixels and links. Here’s how they work and how best to preserve your privacy if you desire.

The Tracking Pixel

A tracking pixel is a small (usually 1 pixel x 1 pixel) transparent image that is embedded in an email. These are not attachments (which are extra files sent along with an email), these tracking pixels are image files directly linked inside an email.

The email sender hosts this 1×1 transparent image on their web server.

When a user opens the email, the tracking pixel is automatically downloaded from the sender’s web server. When this file is downloaded, the sender can see a lot of information – when the image was downloaded, the IP address that downloaded it (which can show location), the device that downloaded it, etc.

As internet connection speeds have increased, marketers have moved from tracking pixels (which are designed to be invisible) to using regular images (for example, the emoji in the email I posted above). They all perform the same function, though.

Gmail (Sort of) Fights Tracking Images

Originally, Gmail would not automatically download images. But in 2013 Gmail made a couple of changes: they would start downloading images in emails by default, but they would download and cache the images on Google’s own servers instead of the user’s computer.

This means that while marketing newsletters or emails would see more accurate open counts (since images would be loaded by default), it would break the geolocation tracking (kind of).

I imagine Google thought that this was a fair tradeoff. Google can score points with marketers by showing the increased accuracy of email open rates. And they can score points with the average Gmail user by “protecting” their geolocation information.

But once Google downloads and caches the images on their server, that means that they (Google) can see when, where, and on what device you open the email, since your computer requests the images from Google’s server automatically (remember images load by default now).

And unlike a single marketer, Google can aggregate your open rate for all your emails. They can tell that you’re more likely to open emails from a specific store on a specific day, and use that to target you for ads from that store.

Turn Off Images in Gmail

If you don’t want to send any of that information to Google (or email marketers) by default, it’s fairly easy to turn off automatic image loading in Gmail.

In Gmail go to the gear icon in the top right, and click at the top of that menu where it says “All Settings”. Under the “General” label, the ninth section down (for me, at least) is where you can toggle the automatic loading of images.

You can also click here to go directly to the General settings page and turn off the automatic image loading.

Note that this doesn’t turn off images completely. In any email with images you’ll see a banner at the top. You can click that banner to enable images for this email, or from all emails from this sender.

However, images are not the only privacy consideration for emails – the other major issue concerns email links.

Email Link Tracking

Most marketing or newsletter emails have links included. And if you hover over a link in an email you’ll see that they may not go where you expect.

For example, the Disqus link for the “Keep Me Subscribed” button goes to this address:

I removed the middle of the link address, but the link is quite a lot of gibberish. It’s also unique to me. This unique link has the same effect as the tracking pixel and tracking image.

If I click the link, my browser will load this page. The page request will hit the Disqus server, which will show information like my IP address, the day/time I clicked, my device, etc. Additionally, since the link would open in a web browser, the page could request any Disqus cookies to see whether I’m logged in or not (which would be an additional way to track who I am).

Since so much of the link tracking “magic” happens behind-the-scenes in the browser, the safest way to protect yourself is to simply not click links in your email. (Incidently this is also a great security practice.)

DuckDuckGo – Another Way to Secure Email

When it comes down to it, you have to have some trust in 3rd parties when dealing with your email.

One company that I’ve been more and more impressed with over the past several months has been DuckDuckGo. They are an alternative, privacy-focused search engine that seems to strike a great balance between useful results and prioritizing privacy over profits.

They have a new beta program called Email Protection. Essentially this lets you create “dummy” email addresses for newsletters or other email signups. When email is sent to one of these “dummy” addresses, DuckDuckGo will remove the tracking technology and then forward the email on to your normal email address.

I’ve signed up (but not been invited) to the beta, but this seems like it has potential. Certainly this means that DuckDuckGo will have access to your email data, but they state upfront that they save no information – not even the email header data (which shows where the email came from).

Of course, you have to trust DuckDuckGo in order to have faith that they will honor their privacy policy, but I have no issues with that. Take a look at the different privacy policies for DuckDuckGo and Google on the iOS App Store. This isn’t the whole story, but it certainly shows their different approaches to monetization: