Tracking pixels are rampant. Here’s what you can do about them
It’s 3pm on a Friday, and an email containing an offer for a set of headphones drops into your inbox. Excited – it’s payday – you open it, scanning the offers for the pair you want, clicking through to the headphone company’s website. What you might not know is, marketing emails like this are tracking you. During this short interaction, the headphone company has gathered a huge amount of data about you. This could include the time you opened the email as well as your IP address, which can be used to determine your location. The majority of email tracking happens under the radar via hidden pixels you might not notice embedded in images or links – and all of it takes place so marketers can better target you. So much tracking happens that it’s been called “endemic”.
This invisible email tracking is intrusive, unwelcome and annoying, so how can it be stopped? Apple is making some big changes to help people avoid being targeted by stealthy email tracking. In June, the iPhone maker announced Mail Privacy Protection features in iOS 15 and macOS Monterey at its WWDC conference. When it launches this Autumn, Apple’s software will allow you to hide your IP address and download remote content privately in the background by default, whether you engage with the email or not. It will be routed through multiple proxy services, with an IP address randomly assigned to you by Apple. This will correspond to the region you are in, rather than your specific location. However, the launch is still a few months away. Here’s what you can do until then, or if you’d rather not use Apple’s system.
How you are tracked
Tracking pixels are typically a single and often invisible 1×1 image inserted into an email’s header, footer or body. You might not see them, but the pixels load when you open the message and feed information back to the sender, allowing them to track you.
By using these tracking pixels, marketing companies are taking advantage of the fact that many email providers allow remote images to be loaded by default. The pixels can collect a lot of data about you. “It could reveal your device type and even your IP address,” says Laurie Graham, director of cyber intelligence at tech consultancy 6point6. Other information collected can include whether you read the message, your web browser version and your time zone. “These can be combined to form a unique fingerprint,” Graham says. Of the huge amounts of information that can be gathered from tracking pixels, perhaps the most concerning is your location, says Andy Yen, founder and CEO of encrypted email service ProtonMail. “The data gathered can be used to analyse your daily habits and figure out where you live and work. But the most invasive part is, it’s happening without your knowledge or consent.” The ability to track users via email allows just about any business to obtain a detailed profile of its customers, especially when the companies collecting your information “conspire together”, says Jon Callas, director of technology projects at the Electronic Frontier Foundation.
“If a clothing and a book store collaborate, the clothing store learns about your reading habits and can use this data to market clothes to you based on what your books say about you. This combined information gathering is what makes adverts seem spooky at times.” Tracking companies also have the ability to rewrite all links within messages. This means when you click on a link to verify an account or complete a website registration, you can be taken to a marketing server URL before being redirected to the true destination. Regulation exists to stop email tracking without your consent. In Europe, pixels are covered by the Privacy Electronic Communications Regulations 2003 (Pecr) and the EU’s General Data Protection Regulation (GDPR). Under these regulations, consent is required unless pixels are needed for service delivery, says Emily Overton, managing director of records management consultancy RMGirl. However, the rules haven’t been widely enforced in this area, and businesses may say people consented to receive the email by signing up to the service, or that the use of pixels is okay because it is outlined in their privacy notice.
What to do about it
When it’s made available in Autumn this year, Apple’s Mail Privacy Protection will not be enabled by default.
You’ll need to turn it on in Settings, Mail, Privacy Protection and toggle on Protect Mail Activity. In macOS Monterey, go to Mail, Mail Preferences, Privacy and toggle on Protect Mail Activity. Until the iOS and macOS updates launch, you can set your email client to not load pictures by default, since images are where tracking pixels usually reside. On an iPhone, the option is in your iPhone Settings, Mail, Load Remote Images. If you are a Gmail user, you can find the option in Settings, Images, Ask Before Displaying External Images. It’s also worth noting that since 2013, Google serves images in Gmail through its own proxy servers, which in many cases hides your IP address. Meanwhile, the browser version of Outlook.com automatically loads external images using a proxy, but you can’t stop these from loading altogether so some data may still be gathered. More granular controls are available in Microsoft Outlook for Windows 10 (via File, Options, Trust Center, Trust Center Settings) and for Mac (in File, Preferences, Reading). Blocking remote image loading will improve your privacy, but it could also impact your experience – you won’t see images on any emails, including newsletters, until you manually download them.
As Overton warns: “Not everyone is using alt text, so images may contain information you won’t be able to read without accepting the pixels.” And of course, switching off remote image loading doesn’t stop marketers collecting data when you do load images on an email, Callas says. True fixes have to be done by the email provider or email client. “Gmail could do it, but Google is also the world’s largest ad company,” Callas adds. Instead there are other options. You could use a free service such as Cloudflare’s WARP app, which is similar to a VPN, Graham says. “This way, whenever you click on a link, your real IP address isn’t revealed.” An add-on such as Ugly Email is another option for Chrome and Firefox that works with Gmail in your browser by scanning your inbox for emails containing tracking pixels, and blocking them. There are also some other privacy-focused email providers that offer remote image blocking by default, such as ProtonMail.
DuckDuckGo is launching an email privacy solution to block tracking later this year. Another option is to pay for Basecamp’s consent-based email service Hey, which blocks tracking pixels and informs you if the message includes tracking. Or there is Mozilla’s Thunderbird email client, which does not load remote content automatically, instead showing a notification bar to indicate it has blocked it. In addition, AirMail is a paid product for iOS offering multiple privacy tools, Overton says. “AirMail has more stringent privacy practices and if you turn a protection off, it warns you about the impact it will have.”
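
The two mechanisms described above, 1×1 or hidden remote images and links rewritten to pass through a marketing server, can be checked for in an email's HTML body before it is rendered. The following Python is an added example, not code from the article or from any tool it names; the sample message and its `.example` hosts are constructed, and the heuristics (size of 1 or less, a hidden style, a destination URL embedded in the link's query string) are assumptions that will not catch redirects built from opaque tokens.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def is_remote(url):
    return bool(url) and urlparse(url).scheme in ("http", "https")

def is_tiny(value):
    # "0", "1" and "1px" count as tiny; missing or non-numeric sizes do not.
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1

class TrackerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.pixels = []         # remote image URLs that are 1x1 or hidden
        self.wrapped_links = []  # (redirector host, real destination)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and is_remote(a.get("src")):
            hidden = HIDDEN_STYLE.search(a.get("style") or "")
            if hidden or (is_tiny(a.get("width")) and is_tiny(a.get("height"))):
                self.pixels.append(a["src"])
        elif tag == "a" and is_remote(a.get("href")):
            link = urlparse(a["href"])
            # parse_qs percent-decodes values, exposing an embedded destination.
            for values in parse_qs(link.query).values():
                for v in values:
                    if is_remote(v) and urlparse(v).hostname != link.hostname:
                        self.wrapped_links.append((link.hostname, v))

def scan_email_html(html):
    scanner = TrackerScanner()
    scanner.feed(html)
    return scanner.pixels, scanner.wrapped_links

# Constructed sample marketing email; every host is a placeholder.
SAMPLE_HTML = """<html><body>
<img src="https://cdn.shop.example/banner.png" width="600" height="200" alt="Sale">
<a href="https://click.mailer.example/r?u=https%3A%2F%2Fshop.example%2Fdeals&amp;id=abc123">Shop</a>
<a href="https://shop.example/unsubscribe">Unsubscribe</a>
<img src="https://open.mailer.example/o/abc123.gif" width="1" height="1" alt="">
<img src="https://open.mailer.example/p.gif" style="display:none">
</body></html>"""

if __name__ == "__main__":
    print(scan_email_html(SAMPLE_HTML))
```

Images embedded in the message itself (`cid:` or `data:` sources) are ignored because they trigger no network request and so report nothing to the sender.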