by Paul Arnote (parnote)
By now, everyone must be aware of the many ways Big Tech and advertisers try to track users across the internet. As they do, they vacuum up all sorts of information about users, such as who they are, who they interact with, what kind of things they like, what OS and browser they are running, where they go (and when), where they live, what ISP they use, their birthdate, and a whole host of other information. Most of the information, taken by itself, is harmless and virtually meaningless. But, when coupled with all of the OTHER "useless, meaningless" data that is caught up in data collection, a pretty accurate picture of each individual user can be painted. And, it can all be done without the end user being aware of the information that is collected.
Today, everyone sends emails. Political parties, retail merchants, Grandmas, Grandpas, you name it. EVERYONE sends emails these days, it seems.
Well, the new exploit I only recently discovered is that there are also email trackers. These "invaders" of your Inbox track and report back on what you do with an email. They report back that your email was read, what links you clicked on, the browser and OS you are running, when and how often an email is read, how long you have the email open, your IP address, if you downloaded anything connected with the email, and on and on and on. In their simplest form, email trackers allow senders to know when a recipient has received and/or read an email. I truly never knew this was a "thing" until recently.
Email trackers used to be the playground for the marketing guys. But, increasingly, ordinary users are also using them to tell when a recipient has received and/or read an email. And you will definitely be surprised by the very high percentage of emails you receive that have a tracker embedded in them. In my case, over 90% of the emails I receive have embedded trackers. The trackers were so prevalent that I was more shocked by some of the ones that did not have trackers embedded in them, to be perfectly honest.
How They Work
The way these email trackers work is actually quite simple. The sender embeds a small, invisible (transparent) 1x1 image into the email. It can be embedded pretty much anywhere, but most appear at the end of an email message. The image is not stored in the email itself. It is fetched from a remote server when the email is opened, and that request is what sends the information back to the server. All of this happens in the background, without you ever realizing it.
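To make the mechanism concrete, here is an added example (not code from this article or from any extension it mentions) that scans an HTML message body for remote images that are 1x1 or hidden. The function names, the 1-pixel threshold and the sample message with its `.example` hosts are assumptions made up for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY = 1  # assumption: an image no larger than 1x1 px is not meant to be seen

def _px(value):
    """Parse '1' or '1px' into an int; anything else (None, '100%') gives None."""
    m = re.fullmatch(r"(\d+)(px)?", (value or "").strip())
    return int(m.group(1)) if m else None

class PixelFinder(HTMLParser):
    """Collects remote <img> tags that are too small or hidden to be viewed."""
    def __init__(self):
        super().__init__()
        self.suspects = []  # (host, reason) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images ship inside the mail; no server is contacted
        style = a.get("style", "").lower().replace(" ", "")
        css = dict(p.split(":", 1) for p in style.split(";") if ":" in p)
        w = _px(a.get("width") or css.get("width"))
        h = _px(a.get("height") or css.get("height"))
        if w is not None and h is not None and w <= TINY and h <= TINY:
            self.suspects.append((url.hostname, f"{w}x{h} image"))
        elif css.get("display") == "none" or css.get("visibility") == "hidden":
            self.suspects.append((url.hostname, "hidden image"))

def find_tracking_pixels(html_body):
    """Return (host, reason) for every remote image that looks like a tracker."""
    finder = PixelFinder()
    finder.feed(html_body)
    finder.close()
    return finder.suspects

# Constructed sample message body; every host is a made-up .example name.
SAMPLE = """
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="cid:logo@shop.example" width="1" height="1">
<img src="https://t.mailer.example/o/abc123.gif" width="1" height="1" alt="">
<img src="http://stats.example/open?id=42" style="display:none">
<img src="https://px.example/p.gif" style="width: 1px; height: 1px">
"""
if __name__ == "__main__":
    print(find_tracking_pixels(SAMPLE))
```

The visible banner and the embedded `cid:` logo are left alone; only the three remote images that nobody is meant to see are reported, each with the host that would have received the request.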
How To Stop/Minimize Email Trackers
Users could take the most draconian measure, and just tell the email program to NOT automatically download external images. In fact, that is the default setting in Thunderbird, and should still be set that way, unless you changed it at some point. If you did change it so that external images can be downloaded, it's a trivial task to change it back.
Preventing the downloading of the invisible/transparent 1x1 image in the first place is the best protection. If you use a web based email solution, such as Gmail, you can turn off the automatic downloading of external images. Yes, it will make your email look a LOT more boring, but then you also won't have to worry about the email trackers. They were never downloaded to start with.
Even Gmail has settings to prevent the automatic downloading of external images. Go to the Gear icon in the Gmail web interface, and click on "See All Settings." Under the "General" category, scroll down until you see the "Images" section. Select the "Ask before displaying external images" option. Now, all of the little 1x1 invisible/transparent tracker images won't be downloaded automatically. Just keep in mind that no other images will be downloaded automatically, either.
But what if you want your email to look all pretty with all those bright colors that those external graphics bring? Well, you could go with the next best option, which is a browser plugin that blocks the reporting by email trackers. These work with web based email services, such as Gmail, Outlook and Yahoo! Mail. They block the reporting capability of the email trackers.
One such browser plugin is called Trocker (short for Tracker Blocker). Not only is it open source, but it is free to use. The plugin is available for both Firefox and Google Chrome.
From the Trocker plugin page for Firefox:
Tracking your emails to know if the receiver has opened them or not is awesome, so is being immune to it! Trocker gives you the latter! It blocks attempts by email trackers and won't let them track what you do with the emails you receive.
You will be amazed to see how many of the emails you receive have trackers in them!
You can trust Trocker! Trocker runs locally on your machine and does not send or receive any information from the Internet. It needs permission to all tabs in order to be able to detect and prevent any tracking images or tracked links from being loaded from any of the tabs. But it makes absolutely no outbound Internet access and we neither gather nor use any data about you or your browsing behavior.
Trocker is also open source with the source code available at https://github.com/trockerapp/trocker and we encourage everyone to check it out from there or from Chrome Dev tools to confirm that there are no suspicious activities being done.
Trocker keeps you safe in all webmails, including Gmail™, Yahoo! and Outlook.com. It has additional capabilities in Gmail, Inbox and Outlook.com. In these 3 webmails, it has a heuristic tracker detection that detects and blocks almost any email tracking attempt, even from not well-known trackers!
Trocker is very efficient as it only gets activated when a tracker is detected.
Some email trackers track emails by injecting an invisible small image in the mail that is hosted in a specific address in their server. They know when the email is opened by looking at the download requests of the injected images on their servers.
Trocker (as a lovely Tracker Blocker) stops this by simply blocking those image links from being loaded. It finds those injected images by looking at the url and matching the url pattern with the tracking servers that host injected images.
If you yourself are a user of these tracking services (you track emails you send others), your service wouldn't be affected and will work fine. Trocker would only defend you from OTHERS tracking you.
Moreover, some links are click tracked meaning that if you click on them, your clicks are logged and tracked. Trocker tries to bypass those links and redirect you directly to the original target without you being tracked. If not possible, Trocker will inform you that the link you've clicked on is tracked.
No one will be able to know when and if you open their emails, or click on their links if you enable Trocker. In Gmail, Inbox and Outlook.com, Trocker has a heuristic tracker detection that will detect and block almost any tracker, even if it is unknown. This works based on the fact that very tiny images are almost always trackers. After all, if they want you to see the image, they will make it bigger than 1x1 pixel!
One of the settings I recommend turning on in Trocker is the one labeled "Expose Trackers." The little 1x1 invisible/transparent images will be replaced with a "T" graphic, allowing you to actually see the tracker that is hidden in the email. It will also place a "T" graphic at the end of the "From" line. In my installation of the Firefox addon, it was not turned on by default. It makes it much easier to see which emails have trackers embedded in them (which is most of them).
Ugly Email is another browser extension that blocks email trackers. Like Trocker, Ugly Email is available for both the Firefox and Google Chrome web browsers.
From the Ugly Email Firefox addon page:
The #1 downloaded Gmail extension for blocking read receipts and other email tracking pixels.
Ugly Email is an open-source Gmail extension for identifying and blocking email trackers.
Ugly Email scans through your inbox and looks for emails containing tracking pixels. Tracked emails are labeled with an eyeball icon, and the tracking pixel is blocked.
All of the Ugly Email data is stored on your browser's IndexDB storage locally. We do not track, transfer, or store any of your information.
But perhaps the most telling information about Ugly Email comes from the user comments. Take a look at some of these comments dating back over the past couple of years.
Thank you to all users who reviewed this. Thanks to you and your warnings that this extension wants access to all websites visited I changed my mind and did not and will never install this extension. The whole point was to prevent people from tracking you, but not by giving one app unchecked access to all browsing history. Reprehensible.
Another user wrote, "Doesn't work as great as it does on a chrome browser and doesn't track the tracking emails. Plus most of my antivirus have detected this extension as malware and spyware. Can dev see into this and update it? Thanks."
Another user commented, "As far as I can tell, this app should only need access to our data on one domain -- when we're looking at our gmail inbox. Yet it asks for permission for all your data for all websites. (See the difference here: https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions).
"This is a huge red flag. Unfortunately, until they do something to address this, I'm uninstalling."
I mention it here because if you search for information on email tracking blockers, you WILL see Ugly Email mentioned a lot. But, because of its seemingly intrusive, snooping behavior and desire to vacuum up data from ALL of your open tabs, I cannot recommend it. I won't even install it on any of my computers to just check it out. For me, the risk is just too great.
If you are a Google Chrome user, you have a couple more options. PixelBlock is one email tracker blocker made specifically for Gmail. The browser extension is only available for the Google Chrome browser. Email Privacy Protector, by CloudHQ, is another email tracker blocker that's also made specifically for Gmail, and is only available for the Google Chrome browser.
It's your data, and no one is going to protect it for you. Instead, "they" are going to try to mine, steal and thieve all the data you allow "them" to steal. While many who insert trackers into emails feel that they have a "right" to harvest the data provided, it does not supersede your rights to privacy. When so much personal data is harvested from your actions with your emails, it can only invade your privacy.
This never has been and never is about whether you have anything to hide. "They" have no more rights to YOUR data than some stranger has coming into your home and taking a bath.
It's your data. It's YOUR responsibility to do whatever you deem necessary to protect it.