50% of high-ranked domains can see when you open an email

Tracking user habits over the internet has become the baseline for businesses operating in today’s data-driven economy, where every click on a website adds to the dossier on how individual consumers operate online.

Now, a study that makes use of temporary email services – also known as ‘disposable email’, or ‘tempmail’ – has revealed the extent to which this tracking is also taking place in user’s inboxes.

“Most people haven’t looked at email tracking because it is so much more difficult to get data to analyze,” said Gang Wang, assistant professor in the department of computer science at Virginia Tech.

“We think there should be some development against anti-tracking techniques on the email side.”

At this week’s IEEE Symposium in San Francisco, Wang and fellow researchers Hang Hu and Peng Peng presented an academic paper demonstrating how approximately 50% of high-ranked domains were performing email tracking.

Pixel perfect

Unlike web tracking, where a cookie collects various bits of information, email tracking involves a tiny, 1px-by-1px image being embedded into the body of an email.

The image sends a message to the server indicating that the email has been opened, along with other data such as time, location, device type, and operating system.

“When you interact with online services, they send you an email and track what kind of messages that you are likely to open, as a way to profile your behavior and preferences,” Wang explained.

“So we looked at different tracking techniques, and how prevalent those type of tracking behaviors are among different services and third parties.”

Perhaps unsurprisingly, Facebook, Twitter, and PayPal were all in favor of deploying email tracking, Wang said, but less popular services didn’t bother with the extra analytics. At least one tracking link was found in 24.6% of the 2.3 million emails analyzed by the researchers.

Disposable emails – services that maintain public, password-free inboxes that can be accessed by anyone – were used to collect the data needed to measure surveillance of regular email.

“We chose seven popular disposable email services to look at the messages and then use those collected messages to study email tracking,” said Hang Hu, who presented the research on Monday.

“But it’s our impression that users of these services aren’t aware of the potential risks related to them.”

Disposable interests

Ill-fitted privacy policies ran amok throughout the disposable email services studied, including instances where messages that were meant to be deleted after a certain period were still readily available.

“Some of them [disposable email services] also do not tell users that the service is public,” said Wang.

“This means that users could input some sensitive information and not realize that others are using the inboxes.”

Wang, Hu, and Peng all recommend inbox isolation to mitigate the risks related to disposable email service use.

Email tracking should be taken into account for any future data protection policy, they added.

“When the senders are tracking receivers we hope that, just like web tracking, you have to inform users,” said Hu. “But currently we have not seen anyone doing that.”

Hiding in plain sight

It should be noted that webmail providers have already implemented various technical mitigations to pixel-based email tracking.

Users, for example, will be familiar with the ‘click here to enable images’ message from their email client. Without images enabled, the pixel tracking will not execute.

In addition, other services such as Gmail automatically fetch images to their own servers, rendering any image-based tracking data less effective.

The IEEE Symposium on Security and Privacy continues this week in San Francisco. The Daily Swig will be back with more coverage over the coming days.

RELATED Certificate Transparency: A case study for system-wide change