
Collin M. Barrett

Collin M. Barrett is a Christian, husband, and software developer in Memphis, TN specializing in .NET/C# and WordPress. Blogging about programming, security & privacy, finance, and life.


Avoiding Metadata Tracking by Email

Published: 7.27.16

Date: July 26, 2016 5:33 PM
From: [email protected]*da.com
Subject: “Unsubscribing you from [The Faucet] (final notice)”

Hi all,

[Joe Pottida] here. Thank you for joining [The Faucet] many months ago. Our records indicate that you’ve never opened our monthly newsletter. To save your inbox, I’ll be automatically unsubscribing you from this list in 5-days.

…

[Joe]

Notes: [Fictional names] substituted for privacy and comic relief. And by “final notice,” they also meant “first notice.”

Well, Joe… Your records are wrong.

Above is an excerpt from an email I received today. I am largely opposed to newsletters and marketing emails delivered to my inbox. They almost always get the unsubscribe treatment before being pitched to the trash. However, this particular monthly curation was one that I explicitly subscribed to per the endorsement of several trusted personalities that I follow. It has been a monthly brief with just a few intriguing discoveries by the author. It is short, not spammy, not trying to sell me anything, and somewhat valuable.

While I do have respect for attempting to auto-unsubscribe folks who appear not to read their newsletters (something major retailers would never consider), how did this author know (or think they know) that I do not open their emails in the first place? How is it possible for them to attempt to track whether I have opened an email or not in one of the hundreds of possible email client applications?

The answer to this question, and the way to prevent the tracking, is quite simple. To understand the concept, we need to look at how images are sent through email.

TL;DR

One simple setting toggle in your email client can improve your email privacy.

Pictures by Email

Images as Attachments

Pictures can be sent via email in two primary ways. Attaching a picture to an email is analogous to when we used to send real printed images in handwritten letters via USPS. That habit has become a lost art form to most Americans, but it helps us understand the concept of a file being “physically” sent along with the content of the email itself.

The security implications of email attachments are well known. Attempting to open a file that an unknown sender created is a bit like opening a mailed package with unexpected contents. Many of the largest email providers (read: Gmail) provide built-in malware scanning to protect their users from downloading a malicious attachment. As long as you are reasonably confident about the authenticity of the sender, email attachments are quite safe to open. If you are really unsure, or if you use a smaller email provider without attachment protection like I do (ProtonMail), VirusTotal provides an excellent email attachment scanning utility that can be used regardless of your email provider or client. Note, however, that allowing a third party to scan attachments has its own privacy considerations.

The possibility of malware aside, there are no real privacy concerns associated with an email attachment. The sender cannot track when, where, or if you open it.

Embedded Images

Images embedded in emails almost always serve one of two purposes.

  1. Advertise to me
  2. Track information about me

Both functions are more unhealthy than not. One convinces me to buy something, the other compromises my privacy.

When an image is embedded in an email, the HTML markup instructs your application to retrieve the image from the sender’s server. This is analogous to receiving a wedding invitation that requests you to visit the happy couple’s wedding site to R.S.V.P. Since they cannot know from the one-way paper invite alone whether you received the message or whether you are going to attend, they request a trackable response. Unlike preparing to attend a wedding, though, letting a retailer know which of their emails you opened, and therefore which of their products you are more interested in, hands over valuable information about yourself for free. In a battle between the multi-billion dollar marketing industry and my financial discipline, I need any and all defensive tactics available.

Depending on the design of your client, allowing embedded images to load while reading an email can reveal to the sender if, when, and sometimes even where you read the email.

But, why does it matter?

It might seem petty. It probably is petty. But if I have the choice of whether marketers know that I opened their mailing or not, I would rather they see a stream of “not opened” in their analytics dashboard.

My wife and I received a letter (and bumper sticker, you know the great slogan) from Donald Trump last week. If there were a way for his campaign to know whether we received and opened that letter, is that information something we would prefer them to have or not? While it might not really matter, I would rather keep that information private. Who knows how even the smallest bits of personal metadata could be used in the future?

How to Block ’em

This varies widely depending on your email client. Most modern applications, however, have a simple setting to disable image loading by default. On a per-email basis, you still have the option to view the pictures if you deem it necessary. Just realize that loading the embedded images requires a phone-home to the sender’s server, letting them know that you opened the email and when. For the large percentage who use Gmail, here are Google’s instructions for this feature.
