It didn’t take much for Florian Seroussi, a technology investor in New York City, to become suspicious of his email.
His misgivings were sparked late one night last year when he opened a message from an entrepreneur who was asking him to invest in a startup. Minutes later, Seroussi’s cellphone rang with a call from the same startup executive.
Coincidence? Not to Seroussi. “What are the odds that at 10:30 at night, a guy suddenly has a vision that I’m reading his email?” he said. “They must know something that I don’t.”
It turned out that the startup executive had planted a tracking mechanism into his message to Seroussi, a trend that is increasingly afflicting all of our email. Trackers, which come in many forms including a single invisible pixel inserted into an email or the hyperlinks embedded inside a message, are frequently being used to detect when someone opens a message and even where they are when they open the email. By some estimates, trackers are now used in as much as 60 percent of all sent emails.
The trackers are traditionally offered by email marketing services like GetResponse and MailChimp. They have a legitimate use: to help commercial entities send messages tailored for specific types of customers. The Electronic Frontier Foundation, a nonprofit that focuses on digital rights, estimates that practically every marketing email now contains some form of a tracker.
Yet, the prevalence of these trackers raises consumer questions. Because trackers are invisible, many people are unaware of them and have no inkling of how to dodge them. “It’s definitely a privacy concern,” said Cooper Quintin, a technologist and privacy advocate for the Electronic Frontier Foundation. “There’s no mechanism for people to opt out.”
A basic method for thwarting some email trackers involves disabling emails from automatically loading images, including invisible tracking pixels. But that doesn’t defeat all trackers, which are also hiding in other places like fonts and Web links.
I recently put a handful of free email tracking services and tracker detectors to the test to assess whether there was a viable method for identifying and removing the invisible snoopers. I tried the trackers and detectors on the most popular email service, Gmail.
I found that the available solutions for combating trackers were far from ideal. Some failed to ferret out many trackers, while others required major trade-offs.
In my experiment, I was able to create an email newsletter on MailChimp in 10 minutes with trackers embedded into the email itself, as well as inside buttons for sharing on social media and buying an item. After I sent the newsletter to myself, MailChimp showed when I opened the email and that I clicked on all the buttons. It also showed that I opened the message in the United States, though it could not pinpoint my precise location.
I then tried two tracking detectors that aim to help people identify whether the trackers have invaded your messages. One is called Ugly Email and the other is Trackbuster.
Ugly Email works as a Gmail plug-in. When a tracker is detected, it shows the icon of an eyeball in the subject line to alert you that a tracker is hidden inside the email. The software notified me about some marketing emails containing trackers, including trackers from MailChimp. But after I sent myself test emails with trackers using MailTrack, Ugly Email failed to flag those.
Sonny Tulyaganov, the Web engineer who created Ugly Email, said he manually added different email tracking pixels to a list for his detector to look for them. He added MailTrack after I shared my test results.
Trackbuster was more thorough, though it also wasn’t ideal. The service, which works with Gmail, connects with your inbox, scans all your messages for trackers in a temporary folder and purges trackers before spitting the scrubbed messages back into your inbox. Trackbuster also sends weekly reports on the number of emails it found to have trackers.
In testing the service over two weeks on my work email account, I learned that about 280 of my 1,400 emails, or 20 percent — including many from public relations professionals pitching me their products — contained hidden trackers.
But there is a major trade-off with Trackbuster. You have to grant the app access to your messages. The startup’s privacy policy says it won’t store your emails and it won’t read them except in cases where a user requests technical support or to comply with laws.
Some privacy advocates have gotten enterprising about circumventing email trackers. Quintin says he sets up his devices to dodge the trackers in two ways. Inside Gmail.com, there is a setting that requires Gmail to ask for your permission before displaying images in an email. Clicking “no” to that request will prevent images, including invisible tracking pixels, from loading.
For another, he sets up his email apps — the desktop client Thunderbird and the Android app K-9 Mail — to disable HTML, the standard Web language that trackers use to ping external servers. That can prevent the loading of other components, like fonts, that contain tracking code, according to Quintin.
Those two solutions combined aren’t foolproof against trackers. If you visit any Web links inside an email, chances are that they will still detect that you clicked on them.
I opted to disable Trackbuster because of the sensitivity of my work emails. I also turned off Ugly Email because it did not appear to detect many trackers. Then I heeded some of Quintin’s advice and configured Gmail to ask for permission before loading an image.
It’s not perfect, but it was the best I could do without ruining my email experience.
Published 29 November 2015, 15:36 IST