By now you probably know that browsing the web leaves you open to tracking by Internet service providers, website operators and advertisers. But less well known is that you can be tracked simply by opening an email. Merely clicking or tapping to open a message can transmit to the sender not only that you opened it, but also where you were when you did so and on what device, among other things.
The technology has been used by email marketers and Nigerian fraudsters for more than a decade. But more recently, it has become a tool used by employers, sales people, bill collectors, lawyers, political candidates, nonprofit fund-raisers and maybe also that guy you met at a bar and regrettably gave your contact information to.
Here's how it works: The sender of the email embeds a so-called web bug or pixel tracker into the content of the message or possibly inside an attached PDF, Word or PowerPoint. These bugs are 1-by-1 pixel images (tinier than tiny), which are invisible to the recipient. When the email or document is opened, the bug triggers your device to contact the sender's server and convey all sorts of information.
"What it does is lure you into an online environment and the collection that goes on there without alerting you that it's happening," said Ryan Calo, a professor of law at the University of Washington Law School in Seattle who specializes in privacy issues.
There are some things you can do to avoid having your email activity monitored. Perhaps the easiest defense is to adjust the settings of your email program so there is no image rendering.
It used to be set that way by default but last year, in a boon to marketers, Gmail made the setting an opt-out feature and many other email providers followed suit. Disabling images will sift and block images from incoming emails, including those tiny, pixel-size tracking bugs. You can click on the missing images you want to see and which ones you don't.
"A more advanced technique is to construct a personal firewall that blocks images," said Gerald Friedland, director of audio and multimedia research at the International Computer Science Institute at the University of California, Berkeley.
Or, he said, you could simply turn off your Wi-Fi while opening and reading email messages. This, of course, assumes you aren't checking your email on your provider's website but rather using a retrieval program like Apple Mail or Outlook.
And don't click on any attachment while connected, nor a link within the message, even if it's the unsubscribe button. "The unsubscribe link is the most clicked item in emails so it's often what they use to track you," said H.D. Moore, a senior researcher with the Internet security consultant Rapid7. "As soon as you click on it, they know everything about you."
Besides when, where and on what device you opened the message, an email sender can also tell how long you looked at the message and if you opened other windows while you had the message displayed. Also transmitted is if you saved, forwarded or deleted the message, how many times you subsequently opened the message plus various details about your device's operating system and settings.
Analysis of this kind of tracking data is a standard service offered by bulk email providers like Constant Contact, MailChimp or HubSpot. These companies facilitate sending emails to large mailing lists and generate tracking reports so their customers can assess how well their messages are received.
"If a business learns what email content resonates, then you'll get better content," said Gail Goodman, the chief executive of Constant Contact.
Indeed, email marketing services argue that the tracking actually helps recipients because senders use the data to craft more relevant messages as well as to determine the best viewing format and delivery time.
Sales people who track emails through services like Yesware and Tout-App say the practice allows them to call customers soon after they have opened messages, while the pitch is still fresh. Or perhaps they can conveniently bump into customers at Starbucks or drop by their office, where the sales person knows the customer just opened an email.
Within the last couple of years, mobile apps like Bananatag and MailTracker have made email tracking available to just about anyone. Email tracking apps and services, whether intended for professional or personal use, can cost up to $35 a month depending on the number of emails users want tracked and the detail of the tracking data.
The legality of the practice is unclear. Email trackers argue it is the same data you give away when you visit a website with cookies. Opponents say it is a matter of expectation and consent. Websites are legally required to have a privacy policy that visitors can read to understand what data is being collected.
"People don't have that same understanding when they open an email," said Professor Calo at the University of Washington.