How to protect yourself from email tracking

Email has been around for over 50 years. Back in 1971, what is widely regarded as the first email was sent by Ray Tomlinson as a test of an email feature on Arpanet. Since no one had told him what the historical event was, he just sent it to himself and the content was something like “QWERTYUIOP,” he said in an interview in the late 1990s.

The protocol still used to send emails, smtp, has been around since 1981. The most common protocol for retrieving and managing email, imap, was introduced in 1988. The biggest technical changes since then are the addition of encrypted connections using ssl/tls.

At no time in the early decades of email was privacy and protection of personal data included in the development of the email technology itself. Encryption for those who need to send secrets came fairly early with PGP (1991) and s/mime (1995), but 30 years later it has still not taken hold in the market. Other developments have meant that email today has less privacy protection than ever.

Threats to and from

Email can pose a privacy problem on two completely different fronts, with completely different requirements for protective measures. One is the monitoring of your communication along the path between you and the recipient — that is, an external threat to your emails. But a far greater concern for most people today is the threat that comes from within the email — various techniques to track and spy on you via the technical content of the emails you open.

How you are tracked

As soon as you open an email, the person who sent it can find out where you are, when and how many times you open it. All this is thanks to so-called tracking pixels — tiny images, just a single white pixel, generated on the sender’s server with a random file name linked to you. This is used in everything from spam to newsletters and one-off emails.

Måns Jonasson, internet expert at the Swedish Internet Foundation, points out that tracking via the scanning of images with unique file names linked to user profiles or accounts is not limited to tracking pixels.

It can be any image in an HTML email.

“HTML emails also allow you to track recipients using other techniques such as cookies and dynamic content,” says Cooper Quintin, senior public interest technologist at the Electronic Frontier Foundation (EFF).

Both Måns Jonasson and Cooper Quintin also talk about the other common way you are tracked: While tracking pixels and the like work passively, tracking links are an active type of tracking. There are basically two types of tracking links: links that don’t go to the final destination at all, but reach it via a server that tracks the click and sends you on, and regular links with an additional tracking code after the address itself.

In both cases, these are links that you are asked to click on in the email, leading to, for example, a blog post or a product page in a shop. In the former case, the browser will first go to a completely different domain and move on. You can often see the page start to load several times before it finally opens, with several different addresses appearing in the address bar.

The second type takes you directly to the destination, but if you click on the address bar to see the full address, you can see that it is very long and contains long codes and other things at the end after the regular address. You can also see this by copying the address and pasting it into the address bar instead of clicking on it.

Stop tracking

To avoid being tracked by tracking pixels and other tracking images, there are two basic methods. You can either turn off HTML emails altogether and open all emails as plain text, or you can turn off the automatic loading of remote content (of which images are the most common type).

“Turning off the automatic loading of images is the best, most concrete example of simple protection if you’re worried about being tracked, and it’s done automatically on suspected spam in Gmail and many other clients,” says Måns Jonasson.

Cooper Quintin recommends the more drastic option of turning off HTML emails altogether. One advantage of this over stopping the loading of images is that it also prevents other potential security flaws in the handling of HTML, so it provides some protection against malware and hacking. But on the other hand, it makes many emails such as mailings with offers that you actually want to receive not work properly, so it is a balance between privacy protection and benefit.

As many users today have switched off the automatic loading of images, some marketers have chosen to send emails that contain hardly any plain text. Almost all content is placed in images, and a text near the top says something like, “Does this email not look right? Open in browser instead,” with a link.

“It’s a trend I’ve seen […] that you have to load images to read the email because all the text is in images,” says Cooper Quintin.

To prevent tracking in these cases, there’s not much you can do on your own. It is not possible to disable image scanning and only scan individual images by clicking on them, for example. If the images are links and you have not switched off HTML emails, you can of course click on them, but then it is probably a tracking link.

Effectively “washing” outbound links is difficult and tricky, because you need to know in advance which ones are being used for tracking and it will never be 100 percent effective, and it risks breaking legitimate links, just like any other filtering on the internet.

There are a few companies that are actively working to prevent email tracking. Apple users have access to a technology called Privacy Protection in Mail which protects against both active and passive tracking. The service scans all images and other data on Apple’s servers so that the sender cannot see your IP address and when you opened the email. It also scrubs away tracking code from many providers, such as Google, Facebook, and Microsoft’s ad-saving codes.

Subscription-based email provider Hey also has several technologies that stop tracking. Like Apple, all images are loaded from the company’s servers rather than directly from your devices, and Hey automatically removes tracking pixels and other tracking from a long list of known trackers, plus any images and other content that follow typical tracking patterns (such as one-pixel-sized images).

Encryption and surveillance

So far, it’s been all about the email threat. But what about the threat to email, like mass surveillance? The only way to fully protect yourself from any form of surveillance is with full-strength encryption, where only you and the recipient have the keys to unlock the contents of your messages. However, this type of encryption has never been widely adopted for email.

Solutions like PGP, GPG, and s/mime are complicated to set up and use. Both sides must create key pairs and exchange their public keys, and get an email client that supports the technology. This is complicated enough on a computer but almost impossible on a mobile phone, where most people check their emails today.

I asked Måns Jonasson and Cooper Quintin whether it is even worth trying to get started with PGP as a private person.

“Honest answer: No,” says Måns Jonasson.

PGP turns out to be incredibly difficult even for IT security experts, not to mention ordinary users. “PGP is not the best solution for encrypted communication and I think it’s better to prioritize getting others to start using Signal, WhatsApp, ProtonMail and other forms of [total range encrypted] communication,” replies Cooper Quintin.

Both experts also point out that the common perception that email is not encrypted is, as Måns Jonasson says, a truth with modification.

Much of the email traffic today is encrypted via TLS/SSL. Email protocols were originally designed to be unencrypted, and for a long time all email traffic on the internet was completely unencrypted, but today Gmail, Outlook, and the other big giants are encrypted, at least from server to server. And in the longer term, almost 100 percent of email traffic will certainly be encrypted.

The traffic between users’ devices and the email servers is almost always encrypted, and since most people today have their email hosted by Google or Microsoft, Cooper Quintin says this often means that emails are encrypted all the way.

If you’re a Gmail user and you email another Gmail user, the email will never leave Google’s servers.

Major providers like Gmail and Outlook also encrypt emails when they are sent between the companies’ servers, so with few exceptions, emails you send will be encrypted all the way from you to the recipient. However, the companies handling the email can see the content, and also scan all emails for malware, child pornography, and spam. If the messages were fully encrypted, no such scanning could take place.

According to Cooper Quintin, this means that the threat to your privacy is that the police can, for example, request your emails during a criminal investigation, “so you might not want to send things via email that you don’t want to hear read out during a trial.”

The bottom line is that Signal, WhatsApp, Imessage, and other messaging services with full-strength encryption are better for exchanging secrets between friends, but other than tracking for marketing purposes, regular users don’t need to be particularly worried about email.

“Not loading images in unknown emails and not clicking on links in such emails goes a long way,” says Mr Jonasson.

This article was translated from Swedish to English and originally appeared on pcforalla.se.

Author: Anders Lundberg, Skribent