Email tracking can be a shitty practice. I can’t think of a better way to describe the latest reports that Silicon Valley fad Superhuman — a $US30/mo email service — kept tabs on how many times email recipients opened a message.
You might be thinking, “Please, that’s not that big a deal. You’re reading an email. Who cares?” I had the same stance when I first saw the news. I get a lot of email, and it doesn’t really offend me if someone has slapped a tracking pixel on it to see if I’ve taken a look. When I dug deeper, though, it was easy to see why Superhuman’s tracking technique was terrible: It was counting the number of opens and providing a list of locations where the email was opened.
Mike Davidson, vice president of partnerships & community at InVision, summed up Superhuman’s problems perfectly in this example:
An ex-boyfriend is a Superhuman user who pens a desperate email. Subject: “I’ve been thinking about us”. He sends it to his former partner. She reads it when she gets to work in Downtown Los Angeles at 9am. She reads it again before dinner with friends in Pasadena at 7pm. She reads it again at home in Santa Monica at 1am. Over the weekend, she takes a trip to New York and reads it again. Twice. She decides not to answer the email, because her ex has stalked her in the past and she doesn’t want to communicate any further.
But because of the tracking pixel, her email is always communicating, and it’s sharing info she does not want to send and doesn’t even know she is sending. She didn’t reply, but her ex still knows she read his email five times, including most likely in her bed. And he knows she took a trip to New York.
To Superhuman’s credit, the company has since reversed course on that location-tracking aspect. In a blog post written shortly after this practice blew up all over the internet, founder and CEO Rahul Vohra said that location tracking is going away — better still, Superhuman is deleting any location data it previously collected related to email opens. He writes:
“Upon reading the commentary, I have come to understand that there are indeed nightmare scenarios involving location tracking. I should note that we deliberately do not show cities — we only show states or countries — but a determined attacker could still misuse this information.
I am so very sorry for this. When we built Superhuman, we focused only on the needs of our customers. We did not consider potential bad actors. I wholeheartedly apologise for not thinking through this more fully.”
This is all well and good, but you shouldn’t depend on companies being publicly shamed doing the right thing. The onus is on you to take control of your privacy online, and you probably haven’t really thought much about all the things embedded in your emails that you can’t see—and what they can reveal about you.
How to keep companies from tracking your email activity
The quickest and easiest way to put the brakes on most email tracking practices is to prevent your email app from loading images automatically. When they do that, opening an email also loads any minuscule tracking pixels a company has embedded inside. Depending on how your provider treats images in emails, this might reveal a bit (your IP address) or not much (that the image was simply loaded), which gives companies varying degrees of information about you. (Gmail, for example, loads images through a proxy server, so companies will be able to see that you opened the image, but they won’t be able to deduce your location.)
On the browser-based version of Gmail, this is as easy as going to its Settings, scrolling down to the “Images” line, and selecting “Ask before displaying external images.”
You can also set this option if you’re using the Android version of Gmail; iOS users will always have images load automatically on the Gmail iOS app, unfortunately.
(If you switch to iOS’ default Mail app and receive messages to your Gmail account that way, you can turn off automatic image loading by going to the Settings app > Mail, and unchecking “Load Remote Images” under the “Messages” section.)
Whether you’re on Outlook, Yahoo Mail, Thunderbird, Windows Mail, Mail (macOS), Mailbird, or whatever, take a few moments to explore your app’s settings and documentation to see if, or how, you can disable images from loading automatically. Sure, this will add an extra step when you want to see the images—and it won’t stop tracking pixels from firing off when you load those images—but it’ll at least give you a little more control over this process. That’s better than nothing, at least.
Of course, you have a few options for dealing with this dilemma, too. If you want to view images in emails — manually or automatically — but not trigger tracking pixels, consider using a browser extension. (This step obviously won’t work for desktop or mobile apps.)
Superhuman itself recommends two extensions: Ugly Mail and PixelBlock (or PixelBlock 2). Ugly Mail is available for both Firefox and Chrome, whereas Pixelblock only works with Chrome. Both are completely free to use, but they only work with Gmail—apologies to those of you who have yet to jump on Google’s train.
You could try using a more universal (and open-source) extension like uMatrix, which blocks everything that isn’t on your whitelist. It’s a bit complicated to figure out, but it’s a powerful option if you don’t mind doing a bit of work to block tracking pixels in any web-based email provider. You can also try setting up filters in an extension like uBlock Origin, but it’ll also require some legwork—you’ll have to know what to block before you block it, which feels like a Sisyphean task.
While you have quite a few technological tools you can use to prevent email tracking, you should also use common sense. If you don’t want a company to track you, don’t open the email—first of all. And if there are links scattered throughout the email, and you click on them, assume that the company now knows you did that (and that you opened the email, obviously).
Testing your privacy tweaks
One incredibly useful service for getting a glimpse of whether different email tracking methods work on your app or browser is the appropriately named Email Privacy Tester. Use it to send yourself an email—technically, a confirmation email at first, which then allows you to send yourself a test email that’s full of different tracking methods.
You can use the site to try out a bunch of different tracking techniques, including images and link prefetching (to name two). Once you’ve send yourself a test email, pull up your email app and open it. That’s all you have to do. (And if you can’t find said test email, be sure to check your spam folder first.)
You’ll then be able to see tracking results on the Email Privacy Tester site:
If you’re seeing a lot of red, perhaps it’s time to adjust your email settings and give yourself some extra privacy.