Apple Mail and Hidden Tracking Images

John Gruber, writing at DaringFireball: In my piece yesterday about email tracking images ("spy pixels" or "spy trackers"), I complained about the fact that Apple -- a company that rightfully prides itself for its numerous features protecting user privacy -- offers no built-in defenses for email tracking. A slew of readers wrote to argue that Apple Mail does offer such a feature: the option not to load any remote resources at all. It's a setting for Mail on both Mac and iOS, and I know about it -- I've had it enabled for years. But this is a throwing-the-baby-out-with-bath-water approach. What Hey offers -- by default -- is the ability to load regular images automatically, so your messages look "right", but block all known images from tracking sources (which are generally 1 x 1 px invisible GIFs).

Typical users are never going to enable Mail's option not to load remote content. It renders nearly all marketing messages and newsletters as weird-looking at best, unreadable at worst. And when you get a message whose images you do want to see, when you tell Mail to load them, it loads all of them -- including trackers. Apple Mail has no knowledge of spy trackers at all, just an all-or-nothing ability to turn off all remote images and load them manually. Mail's "Load remote content in messages" option is a great solution to bandwidth problems -- remember to turn it on the next time you're using Wi-Fi on an airplane, for example. It's a terrible solution to tracking. No one would call it a good solution to tracking if Safari's only defense were an option not to load any images at all until you manually click a button in each tab to load them all. But that's exactly what Apple offers with Mail. "Don't get me started on how predictable this entire privacy disaster was, once we lost the war over whether email messages should be plain text only or could contain embedded HTML. Effectively all email clients are web browsers now, yet don't have any of the privacy protection features actual browsers do," he adds.

And now shut the fuck up about 1x1 pixel images..

[delirious.net]

any image can and will be used to track you, a logo, content, anything that is a link to some server somewhere.

Re: And now shut the fuck up about 1x1 pixel image

[Anonymouse Cowtard]

Indeed. Any assets with unique names can do this.

Re:

[saloomy]

This. I use Apple Mail on MacOS and my iOS device, and I have remote content disabled. If the content is something I want to view, I simply can click "load remote content". When I want to see something of interest to me, that's exactly what I do. I embed my signature as BASE64 encoded assets, so that I don't need it loaded. Quite a few associates of mine have asked me to help them craft their messages that way. Most of the time though, my signature is simply a block of useful text.

Re: And now shut the fuck up about 1x1 pixel imag

[Guy Smiley]

Same here, I use Mac Mail and turn off all images, manually fetching the very few images that I actually care about. Since any image can be used for tracking, skipping only 1x1 images is a false sense of security. Then spammers will use 1x2, 2x2, ... images to get around it.

Re:

[runningduck]

Not to mention that the Mail app has to fetch the image to see that it is a 1x1. If only more software implemented the Evil Bit! https://www.ietf.org/rfc/rfc35... [ietf.org]

Re:

[93 Escort Wagon]

Not to mention that the Mail app has to fetch the image to see that it is a 1x1.

Well, Gruber is a blogger - he can't be expected to sweat the technical details.

Plus, getting around any sort of "don't load 1x1 images" filter would be trivially easy for spammers - if that practice ever became widespread, they would all migrate to 2x2, 2x3, 3x4 tracking images. Or perhaps use larger PNGs which happen to be completely transparent.

Re:

[Lonewolf666]

Yes, that is the bigger problem. If you could inspect the image before revealing your IP address to the server, there would be a lot of options to filter it. Such as "may not be smaller than 8x8" or "must have at least X non-transparent pixels" for formats that support transparent pixels.

This gives me an idea for what a mail provider could do, if their customers request it:
Rewrite external links in mail to link to their own servers and fetch the images for the mail user. Essentially a proxy server for remot

Re: And now shut the fuck up about 1x1 pixel imag

[Dumass]

Gmail has been doing this for years. https://gmail.googleblog.com/2... [googleblog.com] Not sure if it works when using Gmail in IMAP clients, though.

Re:

[Megane]

Even if you went through some sort of proxy, a unique file name would be enough to confirm that you opened it.

Re:

[Lonewolf666]

Good point. But that could be made meaningless if the proxy always opens the images and caches them for you. This way the sender would have zero useful information.

Re:

[tlhIngan]

This gives me an idea for what a mail provider could do, if their customers request it:
Rewrite external links in mail to link to their own servers and fetch the images for the mail user. Essentially a proxy server for remote content.

I believe Gmail already does this.

But I don't see what's the point - the URL the image lives at already contains tracking information - the only difference is that it comes from a Google IP - the marketing people already know you opened the mail and all that stuff. Even if you c

Re:

[jeremyp]

I know several Mac users including me and in my not scientifically selected sample, 100% of us have remote content disabled.

Re:

[bloodhawk]

which is exactly why they should allow you to selectively download images and/or have known tracking site block lists.

Re:

[flyingfsck]

Done. Just for you - A known tacking site blocklist: https://someonewhocares.org/ho... [someonewhocares.org]

Re: And now shut the fuck up about 1x1 pixel image

[Z00L00K]

I'd say that it depends. If the image data is embedded in the message using base-64 encosing and not linked from the message from an external server it's fine.

If the image is linked from an external server it's a tracking image, including if it's a web mail server outside your control. You don't know what statistics the mail provider builds on you from that.

Re:

[v1]

the ability to load regular images automatically, so your messages look "right", but block all known images from tracking sources (which are generally 1 x 1 px invisible GIFs).

I hate it when TFA's authors are clueless. He starts out by saying he was wrong to begin with, then makes a "correcting" statement like that, just turning right around and going back to wrongville.

Pretty close to 100% of the "marketing emails" I have opted into (or decided not to opt-out from) have "metadata" in their URLs, both for

Re:

[g01d4]

I'd prefer you show me things that are relevant to my life.

If that's working out for you then you're quite the outlier.

And that's exactly what this metadata and tracking is designed to do.

No it's not. It's designed to create another straw for a very large haystack. The bigger the haystack the more likely your little bit of staw will appear as some random advertiser's pin. It's cheaper to grab handfuls of straw than build a working magnet.

Re:

[fermion]

This is key. In iOS you have to click a banner to load images. This is the only way to prevent tracking. As far as âlooking rightâ(TM). Firms mostly use images for propaganda. If there is an image critical to the mail, it is advertisement, and by definition tracking. It also breaks usability.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re: Unrealistic expectations

[dwater]

I was under the impression that Gmail loaded all images on its proxy irrespective of if the client loads them or not, so that the tracking can't tell one way or the other. Is that incorrect?

Re:

[what2123]

That is not correct. Google only fetches when the user asks. There are some occssions where gmail or gsuite will pre fetch but that's based on the users previous behaviour and their likelihood of opening messages being high. The proxy does masks the IP of the end user so you lose some location data if thats important but otherwise its not a big deal.

Re:

[martynhare]

Gmail proxies everything but that still allows analytics to find out when you opened a given email. To prevent tracking you have to make Gmail ask before loading remote elements, just like with iCloud Mail. People keep talking like email offers any privacy whatsoever. It does not, the battle was lost the moment HTML was permitted.

If you want privacy, only accept GPG or S/MIME protected messages which were delivered through TLS protected connections, signed by DKIM and on the list of permitted sender serv

Re:

[Tom]

No it doesn't.

The trackers and the message are typically distinct. Tracking is a service that you contract out, while the message is something your marketing department writes.

Embedding the message in the outsourced service would actually dramatically raise the costs of tracking. And that's a good thing.

But yes, the real solution is to make tracking illegal, dissolve the companies that are doing it, put their CEOs and owners in jail, then bomb the countries that the new tracking companies are operating out

Re:

[Alumoi]

You may want to add the marketing departments of every company and politicians to the list.

Re:

[Cmdln Daco]

That would desolate the market for tasselated shoes. Think of the whole sectors of the economy who pander to the marketing critters. Young children would starve!

Re:

[Megane]

My (local, not a mega-) bank has sent me a few e-mails with tracking URLs. To be fair it was from their commercial services division, for reasons, but it still shouldn't have been sent to me for other reasons. I don't care if I do business with you, spam for an unrelated service is still spam. The part that bothered me was when the link to their security policy also had its URL rewritten. At least I sent an e-mail to their security contact that this wasn't kosher, and smelled a bit too much like phishing. O

Re:

[MariaSohee]

I look for the good man. I would be your Mistress!! Punish me! =>> https://lst.to/qaack [lst.to]

Re:

[AmiMoJo]

Sounds like a sure-fire way to make sure people delete your messages without reading them.

Also many spam filters don't like messages that are mostly images and little to no text, because spammers have been using that trick for years.

Simple solution is already there?

[278MorkandMindy]

Can't your mail provider simply load all images via a proxy, then display those images to you when you open the message?

Tracking is no good if every message is opened as soon as it is sent, from the same IP for everyone?

Re:

[stikves]

They will still know that *you* opened that email.

The main purpose of tracking pixels is for tracking mall mail adoption. There are legitimate uses (non-profit having a opt-in mailing list, and keeping track of how many members actually read their content vs rsvp to events, etc), but also not-so-nice ones.

The bottom line, it establishes a link between an email address and a time of opening the email content.

Re:Simple solution is already there?

[Actually, I do RTFA]

You're missing the concept. The idea is as soon as the email is received at all, whether it's been opened or not, the image is loaded. This is how GMail works. It doesn't matter whether you ever open the email, as soon as GMail got it they fetched the image.

Re:

[278MorkandMindy]

Which is good, right? If every email sent to Gmail is "opened" then that metric is unreliable and thus unusable?

Re:

[Actually, I do RTFA]

Right. I've heard (but not confirmed) that GMail even fetches the images that are sent to non-accounts, so you cannot even tell if the account exists. Of course, that seems pretty expensive to run for non trillion dolalr companies.

Re:

[ArmoredDragon]

I doubt it would be expensive, just hash each image and replace the real link with a link to a shared cache. Chances are hundreds if not hundreds of thousands of people are getting the exact same emails, only with the urls varying for tracking purposes, or maybe even similar emails in a mailing list that always have the same images with the same url so you wouldn't necessarily need to download+hash them every time. Doing anything less would never scale even if money were infinite.

Re:

[Actually, I do RTFA]

Oh, I was just thinking of running datacenters pulling down all the hundreds of millions of images every hour and hashing them, not even storage. You're right though, the storage probably quickly devolves into much fewer images.

Re:

[AmiMoJo]

It probably saves them money; anyone trying to spam them gets hit with a massive DDOS from Google's cloud, setting their tracking image server on fire.

That should discourage dictionary attacks.

Re:

[Actually, I do RTFA]

Oh, it's a good thing. I just couldn't host an email service and afford to DDOS attack myself. The millions of fetches from one newsletter seem prohibitively costly for a small provider.

Re:

[stikves]

Gmail already proxies the images, but does not cache them:
https://support.google.com/mai... [google.com]

It would make all external content essentially into attachments, and eat from your storage quota. It will also make dynamic content much less useful.

So the image loads by Gmail at the time you open the message. They don't get your cookies (yes), but they get to learn when it was first opened.

Re:

[Actually, I do RTFA]

I question the value of dynamic content in an email. But apparently what I thought was a prefetch was only a cache. That's... less exciting by a lot.

Re:

[Tom]

There is NO legitimate use of tracking my e-mail reading times or habits. None. If your non-profit wants to know how many mailing list members engage with the content, they can ask. They can offer a price to raise the rate of answers, that's been a common method for at least a century.

You do NOT have a right to information from or about other people.

Re:

[Ichijo]

For that reason, Gmail downloads all images before you even open the e-mail.

Re:

[Carewolf]

For that reason, Gmail downloads all images before you even open the e-mail.

And again when you open it, so it doesn't help ;)

Article Summary

[Frosty Piss]

Hi, Iâ(TM)m here to *WHINE* about Apple because they are just exactly not the way I want them.

Re:

[sysrammer]

You forgot to include the "sent from my iPhone" message at the bottom.

Re: Article Summary

[dwater]

I keep wondering what that mess is all about. Is it one more thing to blame Apple for?

Re:

[Cmdln Daco]

Yes, there is a checkbox buried deep in the Apple gadget's configuration to turn off non-standard 'smart quotes (tm)'

But in the Apple subculture it's a matter of pride to foster differentiating brokenness.

Re:

[flyingfsck]

Mine says 'Sent from my MicroVAX 78032'.

Re:

[sysrammer]

Ha. For some reason I was reminded of when Commodore bit the dust, at least for consumer stuff. Shortly after I worked with T1 boards, and settin' there, purty as a doily, was a 6510. I laughed and was glad that they were able to pay the bills somehow.

Update: I wiki'd up on the 65xx to make sure I was remembering the right series, and lonebehold, the things are still in production. Impressive. Sorry about your mVaxes, though.

"Sent from my VT100 running TOPS-20"

It's a feature

[ceoyoyo]

It renders nearly all marketing messages and newsletters as weird-looking at best, unreadable at worst.

Yeah, it's great. One of the best features.

Re:

[Cmdln Daco]

I like using noscript for that, too. It mangles over-designed 'content' that prissy 'Web developers' have fussed over.

Back when Gmail didn't engage in an arms war to block downloading email content into Sylpheed (or thunderbird) I used it to 'break' html messages. Now that the Gmail regime has declared war on third party mail readers I have just abandoned Gmail. I read my Gmail once or twice a week. Anybody important has my fastmail email address. It's worth $30 a year to ditch Gmail.

Include the junk in the email itself

[termigator]

If images are desired, then include in email. MHTML allows you to use cid URLs to reference image attachments where you want on the page. There is no reason to allow loading of remote resources in email. And there should never be reasons to allow JavaScript or other scripting languages in email.

I am atypical

[cybersquid]

... because I have unset "Load remote content in messages".
I click the "Load remote content" only if the message interests me and I trust the sender.
Not arguing that I am atypical. Just sharing a data-point.

Re:

[aaarrrgggh]

Yeah, me too. If the message has nothing useful to me without images it just gets shitcanned. But hey, I still use Lynx as my primary web browser. (I don’t get the fascination with online porn...)

Re:

[sysrammer]

Mmm, ASCII porn.

Re: I am atypical

[BAReFO0t]

I don't get the fascination with letters, let alone colors. I still listen to my acoustic coupler. After a while, you recognize everyting... blond, redhat, JFIF...
I am so much better than you. ... /s

Re:

[bidule]

Heck, I don't even.
I "click here" to open in a web browser if I ever care about the content.

There's dozens of us, literally dozens!

Re:

[Kejiro]

You're definitely not atypical.

tbh. I don't understand why there is an option to load remote content at all. If you want to make a nice html mail there is no problem attaching images.
In my opinion, the only reason the remote content support even exist is to track the receipient, even if it's only a simple did-read notification, ok, granted, some Mail-apps seem to use a regular webviewer for the email, which automatically allow all remote content and other attack vectors normally not supported in a mail wi

Re:

[j-beda]

You're definitely not atypical.

tbh. I don't understand why there is an option to load remote content at all. If you want to make a nice html mail there is no problem attaching images.

Size issues make it a bit of a resource drain to push a bunch of images around as attachments, when links to online images do not. I would certainly prefer getting links to images rather than stupid images in people's signatures filling up my email archives.

Re: I am atypical

[dwater]

Iinm, this is the default for Fast ail. I've often wondered if there was a way to change the default, but never bothered to look.

At least he's complaining about email.

[Known Nutter]

Everything's about Twatbook these days. Nice to see someone complaining about email, even if it's a silly complaint.

2004

[bill_mcgonigle]

I've been having MailScanner disarm tracking elements since soon after the idea was invented. Same goes for links that have an href different than the link text, when the link text is a URL.

You don't need the client to defang the messages if you use a suitable email provider.

Everybody probably thinks I never open mail. Some days that's true though.

Blocking images makes marketing mail look bad?

[mellon]

Cry me a river. I've never enabled this. The way email works, it's dead easy to associate the message you sent with the image your mail application downloaded, and there really is no way to prevent this. The idea that blocking tracking pixels is saving you is naive. Every commercial email message you get with images in it has trackers in the URL string to see who got the mail. Tracking pixels are just a way of doing that without showing you an actual image. If you don't want to be tracked, disable image dow

No HTML - good, no images - bad?

[mi]

once we lost the war over whether email messages should be plain text only or could contain embedded HTML

Wait a minute — plain text-only e-mail was good, and would've been good, if only we haven't lost our resolve, but disabling all remote images is "throwing baby out with the water?

Red herring

[jcochran]

I can see people using 1x1 pixel images for tracking because it's simple and has low bandwidth requirements. But I also see no way to specifically exclude loading 1x1 images. The "width" and "height" parameters to the "img" tag can be omitted, and without those parameters, there is no way of knowing the size of the image about to be loaded prior to actually sending a request to the server for the image. And once the request is sent, it's too late. The tracking image has done its job and actually downloading it is irrelevant. And as others have stated, any uniquely named resource can be used as a tracker, not just images. It's just that 1x1 images are one of the least resource intensive methods.

Re:

[Known Nutter]

That's because the entire premise of TFA is fucking stupid.

Re:

[toddestan]

The vast majority of spammy marketing newsletter emails that I get - of which virtually all I did not actually subscribe to, have every single image and URL in the email with some tracking ID. Therefore, if you load any image in the email, or follow any link, then the marketing types know you opened and interacted with their spammy email. As such, there's really no use for a 1-pixel tracking image - the entire email and everything in it is a giant tracker. It's really an all-or-nothing affair, you can't

Just preload tesources

[Pinky's Brain]

Load resources and store them on Apple servers, problem solved.

I call bullshit

[mseeger]

The only option for privacy is not to display ANY image. I have looked at the HTML code of marketing emails and every single one of all the images are being tracked (have unique URLs). If someone does not want to track you, he uses embedded pictures. Totally easy to do. Nearly no marketing agency does it. Why? Because they want to track you in as many ways as possible.

So either you care for privacy, then you do not let your email agent show you any pictures that have to be downloaded or you do and then you

Re:

[mseeger]

Argh... got interrupted and messed up one sentence:

So either you care for privacy, then you do not let your email agent show you any pictures that have to be downloaded or you do not care accept the images.

You're falling for the old blacklist fallacy.

[BAReFO0t]

Sorry, but like antivirus, your "block only the web beacons" solution can never work. Because every ass worth his money will check against your solution first and make sure his stuff goes through before sending it.
You will only catch the stuff that nobody cared about, because it is outdated or because the creator is an idiot.

A whitelist is the only way to go.
Block all external resources, and allow one to make exceptions. Ideally with some hard rules regarding behavior.

Why not just proxy?

[dannys42]

Another solution, since Apple now has the privacy proxy server, is to just allow routing image loading through that?

Re:

[account_deleted]

Comment removed based on user account deletion

Mail.app is bit dated

[AlchemyX]

I was hoping they would revamp theirs email app but it sucks big time. Like showing unread messages everywhere requires some weird Smart Folders. On the other hand Thunderbird is bloated.

Re:

[account_deleted]

Comment removed based on user account deletion