Spy pixels or tracker pixels are hyperlinks to remote image files in HTML email messages that have the effect of spying on the person reading the email if the image is downloaded. They are commonly embedded in the HTML of an email as small, imperceptible, transparent graphic files. [Sipior, Janice C., Burke T. Ward, and Ruben A. Mendoza. 2011. “Online Privacy Concerns Associated with Cookies, Flash Cookies, and Web Beacons.” ''Journal of Internet Commerce'' 10(1):1–16.] Spy pixels are commonly used in marketing, and there are several countermeasures in place that aim to block email tracking pixels. However, there are few regulations in place that effectively guard against email tracking approaches.
History
Invented in 1971 by Ray Tomlinson, emails have made it much more convenient to send and receive messages as opposed to traditional postal mail. [Hossin. M. 2019. “Email Tracking Beacon: Concerns and Solutions.” ''International Journal of Engineering Research And'' V8(06).] In 2020, there were 4 billion email users worldwide and approximately 306 billion emails sent and received daily. The email sender, however, still has to wait for a reply email from the recipient in order to confirm that their message was delivered. There are some situations where the recipient doesn't respond to the sender even when they have read the email, which is why the email tracking method emerged. Most email services do not provide indicators as to whether an email was read, so third-party applications and plug-ins have provided the convenience of email tracking. The most common method is the email tracking beacon or spy pixel.
Spy pixels were described as "endemic" in February 2021. The "Hey" email service, contacted by ''BBC News'', estimated that it blocked spy pixels in about 600,000 out of 1,000,000 messages per day.
Mechanism
HTML email messages typically contain hyperlinks to online resources. Common software used by a recipient of email may, by default, automatically download remote image files from hyperlinks, without asking the user for confirmation. After downloading an image file, the software displays the image to the recipient. A spy pixel is an image file that is deliberately made small, often of a single pixel and of a colour that makes it "impossible to spot with the naked eye even if you know where to look."
Any email user can be reached via email tracking due to the open nature of email. [Xu, Haitao, Shuai Hao, Alparslan Sari, and Haining Wang. 2018. “Privacy Risk Assessment on Email Tracking.” ''IEEE INFOCOM 2018 - IEEE Conference on Computer Communications''.]
The tracking process begins when a sender inserts an image tag, represented as <img>, into an HTML-based email. The image tag is linked to a tracking object stored on the server of the sender through a reference Uniform Resource Locator (URL). Once the mail client is opened, the recipient receives the email through a process whereby the mail user agent (MUA) synchronizes updates from the recipient's message transfer agent (MTA) with the local mail repository. When the recipient opens the email, the mail client requests the file that is referenced by the image tag. As a result, the web server where the file is stored logs the request and returns the image to the recipient. In order to track individual behavior, the tracking object or reference URL has to contain a tag that is unique to each email recipient. Oftentimes, the hash of the recipient's email is used. In contrast, IP address and device information collected from non-tracking images does not reveal specific users' email addresses.
[Haupt, Johannes, Benedict Bender, Benjamin Fabian, and Stefan Lessmann. 2018. “Robust Identification of Email Tracking: A Machine Learning Approach.” ''European Journal of Operational Research'' 271(1):341–56.]
When a single email is sent to multiple recipients, the tracking report will normally show the number of emails that have been opened but not the specific recipients who have done so.
Email tracking vs. web tracking
Although both web tracking and email tracking employ similar mechanisms, such as the usage of tracking images or cookies, information that is collected via web tracking cannot be traced back to any individual without consent. In contrast, email addresses can often reveal an individual's affiliation to a particular organization, browsing history, online social media profile, and other PII. This can lead to cross-tracking across devices, where third-party services link devices that share common attributes such as IP addresses, local networks, or login information. [Englehardt, Steven, Jeffrey Han, and Arvind Narayanan. 2018. “I Never Signed up for This! Privacy Implications of Email Tracking.” ''Proceedings on Privacy Enhancing Technologies'' 2018(1):109–26.]
Usage
Personal use
Individuals and business owners may want to use email tracking for a variety of reasons, such as lead generation, event invitations, promotions, newsletters, one-click polls, and teacher-parent communications. They can use services like Yet Another Mail Merge (YAMM), a Google Sheets add-on, to create and send personalized mail merge campaigns from Gmail. The sender has the option to enable the tracker and see email open rates, clicks, replies, and bounces. According to YAMM's website: "YAMM embeds a tiny, invisible tracking image (a single-pixel gif, sometimes called a web beacon) within the content of each message. When the recipient opens the message, the tracking image is scanned, referenced and recorded in our system."
Marketing
Tracking the behavior of users through mediums like email newsletters and other forms of marketing communication is a competitive advantage in online marketing. In fact, it is so valuable that there are companies that sell online user data or offer email tracking as a service, such as Bananatag, Mailtrack.io, and Yet Another Mail Merge. [Fabian, Benjamin, Benedict Bender, Ben Hesseldieck, Johannes Haupt, and Stefan Lessmann. 2021. “Enterprise-Grade Protection against e-Mail Tracking.” ''Information Systems'' 97:101702.] This is because by learning more about the user based on their clicking histories and demographics, websites and companies can tailor messages to each user. The more information on the individual-level preferences of a user, the better. Customized communications in marketing can then result in heightened customer loyalty, lock-in, and satisfaction, which translates to increased cash flows and profitability. Using data to map out the competitive landscape can also help companies derive a competitive strategy and gain a competitive advantage. However, adverse effects from behavioral marketing can include discrimination, including price discrimination.
Malicious emails
Some emails contain malicious content or attachments, and email tracking is used to detect how fast these viruses or malicious programs can spread.
At the same time, the deliverability of tracked emails is generally reduced by up to 85%, as the firewalls of company servers embed algorithms to filter out emails with suspicious contents.
Research
Web tracking and tracking software are used by researchers who need to gather data for their research, especially in information seeking studies. In fact, tracking technologies can be used for good, offering valuable information for the development of websites, portals, and digital libraries. They can also be used to improve user interfaces, search engines, menu items, navigational features, online help, and intelligent software agents, information architecture, content description, metadata, and more. These findings can be useful in marketing and e-commerce and may be important to people like library and information professionals, educators, and database designers.
Spying effect
The spying effect is that, without the email recipient choosing to do so, the result of the automatic download is to report to the sender of the email: if and when an email is read, when (and how many times) it is read, the IP address and other identity details of the computer or smartphone used to read the email, and from the latter, the geographical location of the recipient.
This information provides insights into users' email reading behaviors, office and travel times, as well as details about their environment.
By doing a reverse lookup of an IP address, the log entry can provide information on which organizations a user is affiliated with.
[Fabian, Benjamin, Benedict Bender, Ben Hesseldieck, Johannes Haupt, and Stefan Lessmann. 2021. “Enterprise-Grade Protection against e-Mail Tracking.” ''Information Systems'' 97:101702.] For example, a board member of a major technology company was caught forwarding confidential information when an email log entry, IP address, and location information were examined simultaneously. Additionally, if spammers send emails to random email addresses, they can identify active accounts in this manner.
There exist many companies that offer email tracking services to senders. According to a study done by three researchers at Princeton University, about 30% of the emails they analyzed leaked recipients' email addresses to third parties via methods like embedded pixels, the majority of them intentionally. 85% of emails in their corpus of 12,618 gathered using a web crawler contained embedded third-party content, with 70% categorized as trackers. Top third-party domains include "doubleclick.net," "mathtag.com," "dotomi.com," and "adnxs.com," and the top organizations that collect leaked email addresses include The Acxiom, Conversant Media, LiveIntent, Neustar, and Litmus Software.
Reloading an email increases the chance of the recipient's information being leaked to third parties. The study also found that tracking protection was helpful: it reduces the number of email addresses leaked by 87%.
A separate study found that 24.7% of 44,449 emails analyzed were embedded with at least one tracking beacon. Emails categorized as travel, news/media, and health had the highest prevalence of tracking, with 57.8%, 51.9%, and 43.4% containing at least one tracking beacon respectively. On the other hand, emails categorized as email client, social networking, and education have the least tracking, with 0.6%, 1.6%, and 3.8% containing at least one tracking beacon respectively. Through a survey, the authors also found that 52.1% of participants who checked email quite often were unaware that they could be tracked from simply opening an email. 86% of participants consider email tracking as a serious privacy threat.
According to poll results from Zogby International, 80% of consumers are either "somewhat" or "very" concerned about online tracking.
Consumers who perceive a lack of business or governmental regulation will try to regain power through a variety of responses, such as fabricating personal information, using privacy-enhancing technologies, and refusing to purchase.
At the same time, some argue that people's perceptions about privacy have changed with the times. For example, Mark Zuckerberg, founder of Facebook, said, "People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
Ironically, Facebook was also at the center of the Facebook-Cambridge Analytica data scandal in 2018. Cambridge Analytica used a third-party app called “thisisyourdigitallife” to collect information from over 50 million Facebook users. Access to users' emails can expose them to data leaks. Four researchers from the University of Iowa and the Lahore University of Management Sciences designed and deployed CanaryTrap, which identifies data misuse by third-party apps on online social networks. It does this by linking a honeytoken to a user’s social media page and then watching for unrecognized usage. Specifically, the authors shared email addresses as honeytokens and watched for any unrecognized use of those email addresses. After performing an experiment on 1,024 Facebook pages, the authors discovered multiple counts of data misuse. 422 unrecognized emails were received on honeytokens shared with 20 Facebook apps. Within those 422 emails, 76 were categorized as malicious or spam. Furthermore, third-party trackers can be considered as “adversaries” to Internet users because the use of HTTP cookies, Flash cookies, and DOM storage breaks data confidentiality between the users and the websites they interact with.
Overall, researchers at Carnegie Mellon University and Qualcomm found that many users don't see tracking as black and white. Many want control over tracking and think that it has its benefits, but don't know how to control tracking or distrust current tools. Out of 35 participants in the study, fourteen saw tracking as conditionally positive, eight saw it as generally neutral, nine saw it as generally negative, and the remaining four had mixed feelings. Twelve participants felt resigned to tracking.
Countermeasures
Countermeasures include using a plain text email client, disabling automatic download of images, or, if reading email using a browser, installing an add-on or browser extension.
The process of email-tracking does not require cookies, which makes it difficult to block without affecting user experience.
[Fabian, Benjamin, Benedict Bender, Ben Hesseldieck, Johannes Haupt, and Stefan Lessmann. 2021. “Enterprise-Grade Protection against e-Mail Tracking.” ''Information Systems'' 97:101702.] For example, disabling automatic download of images is easy to implement; however, the trade-off is that it often results in a loss of information, incorrect formatting, a decline in user experience, and incomprehension or confusion.
Three Princeton University researchers who analyzed 16 email clients found that none of the existing setups completely protects users from the threats of email tracking. Blocking extensions such as uBlock Origin, Privacy Badger, and Ghostery can filter tracking requests.
Four other researchers aimed to detect trackers by focusing on analyzing the behavior of invisible pixels. After crawling 84,658 web pages from 8,744 domains, they found that invisible pixels are present on more than 94.51% of domains and make up 35.66% of all third-party images. Filter lists such as EasyList, EasyPrivacy, and Disconnect are popular ways to detect tracking; they detect known tracking and advertising requests by keeping a "blacklist." However, they miss around 30% of the trackers that the researchers detected. Moreover, when all three filter lists were combined, 379,245 requests from 8,744 domains still tracked users on 68.70% of websites.
Recent research has focused on using machine learning to develop anti-tracking software for end-users.
Analyzing mail flows and aggregate statistical data can help protect user accounts by detecting abnormal email behavior such as viral propagation of malicious email attachments, spam emails, and email policy violations.
Privacy tools can have usability flaws which make it difficult for users to make informed and meaningful decisions. For example, participants in a study thought that they had installed and configured a tool successfully when they had not. Additionally, the rise of ad-blockers and similar privacy tools has led to the emergence of anti ad-blockers, which seek out ad-blockers and try to disable them with various methods, in an escalating ad-blocker arms race.
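The checks described under Mechanism and Countermeasures can be combined in a small detector; the following is an added example, not code from the article or from any of the cited studies. It flags remote images that match a blocklist, are tiny or hidden, or carry the recipient's address or a hash of it in the URL. BLOCKLIST is a four-domain stand-in for a real filter list, and the recipient, hosts under `.example` and the sample message are constructed.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Stand-in for a filter list such as EasyPrivacy: the third-party domains the
# article names as top trackers. A real list is far longer (assumption).
BLOCKLIST = {"doubleclick.net", "mathtag.com", "dotomi.com", "adnxs.com"}

TINY = {"0", "1", "0px", "1px"}
# Inline styles that hide an image. The lookbehind keeps "line-height:1"
# and "max-width:1px" from counting as a 1-pixel dimension.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: value or "" for name, value in attrs})


def recipient_tokens(address):
    """The address itself plus common hex digests of it, keyed by label."""
    addr = address.strip().lower()
    tokens = {"plaintext": addr}
    for algo in ("md5", "sha1", "sha256"):
        tokens[algo] = hashlib.new(algo, addr.encode()).hexdigest()
    return tokens


def on_blocklist(host):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def find_spy_pixels(html_body, recipient):
    """Return one finding per remote <img> that looks like a tracker."""
    collector = ImgCollector()
    collector.feed(html_body)
    collector.close()
    tokens = recipient_tokens(recipient)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "").strip()
        parts = urlsplit(src)
        if parts.scheme.lower() not in ("http", "https"):
            continue  # cid: and data: images travel inside the message
        reasons = []
        if on_blocklist(parts.hostname or ""):
            reasons.append("blocklist")
        dims = (attrs.get("width", ""), attrs.get("height", ""))
        if any(d.strip().lower() in TINY for d in dims):
            reasons.append("tiny")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden-style")
        # Per-recipient tag: the address or a digest of it inside the URL.
        decoded = unquote(src).lower()
        reasons += ["recipient-" + k for k, v in tokens.items() if v in decoded]
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: one embedded logo, one ordinary banner, three trackers.
RECIPIENT = "alice@example.org"
DIGEST = hashlib.sha256(RECIPIENT.encode()).hexdigest()
SAMPLE_HTML = f"""<html><body><p>Spring newsletter</p>
<img src="cid:logo123" width="200" height="60" alt="logo">
<img src="https://cdn.news.example/banner.png" width="600" height="120">
<img src="https://ad.doubleclick.net/pixel.gif" width="1" height="1">
<img src="https://t.news.example/o.gif?u={DIGEST}" width="1" height="1">
<img src="https://t.news.example/p?e=alice%40example.org" style="display:none">
</body></html>"""

if __name__ == "__main__":
    for finding in find_spy_pixels(SAMPLE_HTML, RECIPIENT):
        print(finding["reasons"], finding["src"][:60])
```

Only one of the three flagged images is caught by the blocklist; the other two come from an unlisted host and are found by the size, visibility and recipient-identifier checks.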
Privacy regulations and policies
There are few regulation initiatives that exist to protect users from email tracking.
The help pages of many email clients, such as Gmail, Yahoo! Mail, and Thunderbird, may mislead users into thinking that privacy risks associated with email tracking are limited by stating that the threat is restricted to the ''email sender'' receiving recipients' information rather than third parties also being able to access that information.
United States
The U.S. currently does not have comprehensive privacy rights in place. The Fourth Amendment, which guarantees "the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated" does not explicitly apply to private companies and individuals. California's state constitution, however, grants individuals explicit privacy rights from both government and private action. There are regulations that target specific sectors, such as the Gramm-Leach-Bliley Financial Modernization Act of 1999 directed towards the financial services sector, the Health Insurance Portability and Accountability Act of 1996 for the healthcare sector, and the U.S. Department of Commerce's Safe Harbor framework which assists US companies' compliance with the EU's Directive on Data Protection.
European Union
The European Union passed the Directive on Data Protection (Directive 95/46/EC) in 1995 which requires member states to comply with certain privacy protection laws, focused on protecting the consumer. The directive forbids the exchange of data between EU member countries and countries that are not in accordance with the directive. Personal data can only be collected in certain circumstances and must be disclosed to individuals whose information is being collected. Additionally, PII can only be kept for as long as it is used for its original purpose.
The EU first introduced a set of regulations on tracking technologies in 2002. In 2009, the EU Directive mandated that websites ask for consent before using any type of profiling technology, such as cookies. As a result, most European websites implemented a "cookie bar." However, four researchers at the Polytechnic University of Turin performed an experiment on 35,000 websites using a tool called CookieCheck and found that 49% of those websites do not follow the EU cookie directive and installed profiling cookies before the user gave consent. In conclusion, the authors argue that the EU regulatory framework has been ineffective in enforcing rules and has not done much in helping reduce users’ exposure to tracking technologies. [Trevisan, Martino, Stefano Traverso, Eleonora Bassi, and Marco Mellia. 2019. “4 Years of EU Cookie Law: Results and Lessons Learned.” ''Proceedings on Privacy Enhancing Technologies'' 2019(2):126–45.]
See also
* Web beacon
* Email privacy
* Email fraud