Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Apple

Apple Mail and Hidden Tracking Images (daringfireball.net) 84

John Gruber, writing at DaringFireball: In my piece yesterday about email tracking images ("spy pixels" or "spy trackers"), I complained about the fact that Apple -- a company that rightfully prides itself for its numerous features protecting user privacy -- offers no built-in defenses for email tracking. A slew of readers wrote to argue that Apple Mail does offer such a feature: the option not to load any remote resources at all. It's a setting for Mail on both Mac and iOS, and I know about it -- I've had it enabled for years. But this is a throwing-the-baby-out-with-bath-water approach. What Hey offers -- by default -- is the ability to load regular images automatically, so your messages look "right", but block all known images from tracking sources (which are generally 1 x 1 px invisible GIFs).

Typical users are never going to enable Mail's option not to load remote content. It renders nearly all marketing messages and newsletters as weird-looking at best, unreadable at worst. And when you get a message whose images you do want to see, when you tell Mail to load them, it loads all of them -- including trackers. Apple Mail has no knowledge of spy trackers at all, just an all-or-nothing ability to turn off all remote images and load them manually. Mail's "Load remote content in messages" option is a great solution to bandwidth problems -- remember to turn it on the next time you're using Wi-Fi on an airplane, for example. It's a terrible solution to tracking. No one would call it a good solution to tracking if Safari's only defense were an option not to load any images at all until you manually click a button in each tab to load them all. But that's exactly what Apple offers with Mail.
"Don't get me started on how predictable this entire privacy disaster was, once we lost the war over whether email messages should be plain text only or could contain embedded HTML. Effectively all email clients are web browsers now, yet don't have any of the privacy protection features actual browsers do," he adds.
This discussion has been archived. No new comments can be posted.

Apple Mail and Hidden Tracking Images

Comments Filter:
  • by delirious.net ( 595841 ) on Friday February 26, 2021 @08:34PM (#61104456)
    any image can and will be used to track you, a logo, content, anything that is a link to some server somewhere.
    • Indeed. Any assets with unique names can do this.
      • This. I use Apple Mail on MacOS and my iOS device, and I have remote content disabled. If the content is something I want to view, I simply can click "load remote content". When I want to see something of interest to me, that's exactly what I do. I embed my signature as BASE64 encoded assets, so that I don't need it loaded. Quite a few associates of mine have asked me to help them craft their messages that way. Most of the time though, my signature is simply a block of useful text.
        • Same here, I use Mac Mail and turn off all images, manually fetching the very few images that I actually care about. Since any image can be used for tracking, skipping only 1x1 images is a false sense of security. Then spammers will use 1x2, 2x2, ... images to get around it.
          • Not to mention that the Mail app has to fetch the image to see that it is a 1x1. If only more software implemented the Evil Bit! https://www.ietf.org/rfc/rfc35... [ietf.org]
            • Not to mention that the Mail app has to fetch the image to see that it is a 1x1.

              Well, Gruber is a blogger - he can't be expected to sweat the technical details.

              Plus, getting around any sort of "don't load 1x1 images" filter would be trivially easy for spammers - if that practice ever became widespread, they would all migrate to 2x2, 2x3, 3x4 tracking images. Or perhaps use larger PNGs which happen to be completely transparent.

            • Yes, that is the bigger problem. If you could inspect the image before revealing your IP address to the server, there would be a lot of options to filter it. Such as "may not be smaller than 8x8" or "must have at least X non-transparent pixels" for formats that support transparent pixels.

              This gives me an idea for what a mail provider could do, if their customers request it:
              Rewrite external links in mail to link to their own servers and fetch the images for the mail user. Essentially a proxy server for remot

              • Gmail has been doing this for years. https://gmail.googleblog.com/2... [googleblog.com] Not sure if it works when using Gmail in IMAP clients, though.
              • by Megane ( 129182 )
                Even if you went through some sort of proxy, a unique file name would be enough to confirm that you opened it.
                • Good point. But that could be made meaningless if the proxy always opens the images and caches them for you. This way the sender would have zero useful information.

              • by tlhIngan ( 30335 )

                This gives me an idea for what a mail provider could do, if their customers request it:
                Rewrite external links in mail to link to their own servers and fetch the images for the mail user. Essentially a proxy server for remote content.

                I believe Gmail already does this.

                But I don't see what's the point - the URL the image lives at already contains tracking information - the only difference is that it comes from a Google IP - the marketing people already know you opened the mail and all that stuff. Even if you c

        • by jeremyp ( 130771 )

          I know several Mac users including me and in my not scientifically selected sample, 100% of us have remote content disabled.

      • which is exactly why they should allow you to selectively download images and/or have known tracking site block lists.
    • I'd say that it depends. If the image data is embedded in the message using base-64 encosing and not linked from the message from an external server it's fine.

      If the image is linked from an external server it's a tracking image, including if it's a web mail server outside your control. You don't know what statistics the mail provider builds on you from that.

    • by v1 ( 525388 )

      the ability to load regular images automatically, so your messages look "right", but block all known images from tracking sources (which are generally 1 x 1 px invisible GIFs).

      I hate it when TFA's authors are clueless. He starts out by saying he was wrong to begin with, then makes a "correcting" statement like that, just turning right around and going back to wrongville.

      Pretty close to 100% of the "marketing emails" I have opted into (or decided not to opt-out from) have "metadata" in their URLs, both for

      • by g01d4 ( 888748 )

        I'd prefer you show me things that are relevant to my life.

        If that's working out for you then you're quite the outlier.

        And that's exactly what this metadata and tracking is designed to do.

        No it's not. It's designed to create another straw for a very large haystack. The bigger the haystack the more likely your little bit of staw will appear as some random advertiser's pin. It's cheaper to grab handfuls of straw than build a working magnet.

    • by fermion ( 181285 )
      This is key. In iOS you have to click a banner to load images. This is the only way to prevent tracking. As far as âlooking rightâ(TM). Firms mostly use images for propaganda. If there is an image critical to the mail, it is advertisement, and by definition tracking. It also breaks usability.
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Friday February 26, 2021 @08:35PM (#61104458)
    Comment removed based on user account deletion
    • by Tom ( 822 )

      No it doesn't.

      The trackers and the message are typically distinct. Tracking is a service that you contract out, while the message is something your marketing department writes.

      Embedding the message in the outsourced service would actually dramatically raise the costs of tracking. And that's a good thing.

      But yes, the real solution is to make tracking illegal, dissolve the companies that are doing it, put their CEOs and owners in jail, then bomb the countries that the new tracking companies are operating out

      • by Alumoi ( 1321661 )

        You may want to add the marketing departments of every company and politicians to the list.

        • That would desolate the market for tasselated shoes. Think of the whole sectors of the economy who pander to the marketing critters. Young children would starve!

      • by Megane ( 129182 )
        My (local, not a mega-) bank has sent me a few e-mails with tracking URLs. To be fair it was from their commercial services division, for reasons, but it still shouldn't have been sent to me for other reasons. I don't care if I do business with you, spam for an unrelated service is still spam. The part that bothered me was when the link to their security policy also had its URL rewritten. At least I sent an e-mail to their security contact that this wasn't kosher, and smelled a bit too much like phishing. O
    • I look for the good man. I would be your Mistress!! Punish me! =>> https://lst.to/qaack [lst.to]
    • by AmiMoJo ( 196126 )

      Sounds like a sure-fire way to make sure people delete your messages without reading them.

      Also many spam filters don't like messages that are mostly images and little to no text, because spammers have been using that trick for years.

  • by 278MorkandMindy ( 922498 ) on Friday February 26, 2021 @08:47PM (#61104486)

    Can't your mail provider simply load all images via a proxy, then display those images to you when you open the message?

    Tracking is no good if every message is opened as soon as it is sent, from the same IP for everyone?

    • by stikves ( 127823 )

      They will still know that *you* opened that email.

      The main purpose of tracking pixels is for tracking mall mail adoption. There are legitimate uses (non-profit having a opt-in mailing list, and keeping track of how many members actually read their content vs rsvp to events, etc), but also not-so-nice ones.

      The bottom line, it establishes a link between an email address and a time of opening the email content.

      • by Actually, I do RTFA ( 1058596 ) on Friday February 26, 2021 @09:31PM (#61104612)

        You're missing the concept. The idea is as soon as the email is received at all, whether it's been opened or not, the image is loaded. This is how GMail works. It doesn't matter whether you ever open the email, as soon as GMail got it they fetched the image.

        • Which is good, right? If every email sent to Gmail is "opened" then that metric is unreliable and thus unusable?

          • Right. I've heard (but not confirmed) that GMail even fetches the images that are sent to non-accounts, so you cannot even tell if the account exists. Of course, that seems pretty expensive to run for non trillion dolalr companies.
            • I doubt it would be expensive, just hash each image and replace the real link with a link to a shared cache. Chances are hundreds if not hundreds of thousands of people are getting the exact same emails, only with the urls varying for tracking purposes, or maybe even similar emails in a mailing list that always have the same images with the same url so you wouldn't necessarily need to download+hash them every time. Doing anything less would never scale even if money were infinite.

              • Oh, I was just thinking of running datacenters pulling down all the hundreds of millions of images every hour and hashing them, not even storage. You're right though, the storage probably quickly devolves into much fewer images.

            • by AmiMoJo ( 196126 )

              It probably saves them money; anyone trying to spam them gets hit with a massive DDOS from Google's cloud, setting their tracking image server on fire.

              That should discourage dictionary attacks.

              • Oh, it's a good thing. I just couldn't host an email service and afford to DDOS attack myself. The millions of fetches from one newsletter seem prohibitively costly for a small provider.

        • by stikves ( 127823 )

          Gmail already proxies the images, but does not cache them:
          https://support.google.com/mai... [google.com]

          It would make all external content essentially into attachments, and eat from your storage quota. It will also make dynamic content much less useful.

          So the image loads by Gmail at the time you open the message. They don't get your cookies (yes), but they get to learn when it was first opened.

          • I question the value of dynamic content in an email. But apparently what I thought was a prefetch was only a cache. That's... less exciting by a lot.

      • by Tom ( 822 )

        There is NO legitimate use of tracking my e-mail reading times or habits. None. If your non-profit wants to know how many mailing list members engage with the content, they can ask. They can offer a price to raise the rate of answers, that's been a common method for at least a century.

        You do NOT have a right to information from or about other people.

    • by Ichijo ( 607641 )

      For that reason, Gmail downloads all images before you even open the e-mail.

      • For that reason, Gmail downloads all images before you even open the e-mail.

        And again when you open it, so it doesn't help ;)

  • by Frosty Piss ( 770223 ) * on Friday February 26, 2021 @08:50PM (#61104498)

    Hi, Iâ(TM)m here to *WHINE* about Apple because they are just exactly not the way I want them.

    • You forgot to include the "sent from my iPhone" message at the bottom.

      • Mine says 'Sent from my MicroVAX 78032'.
        • Ha. For some reason I was reminded of when Commodore bit the dust, at least for consumer stuff. Shortly after I worked with T1 boards, and settin' there, purty as a doily, was a 6510. I laughed and was glad that they were able to pay the bills somehow.

          Update: I wiki'd up on the 65xx to make sure I was remembering the right series, and lonebehold, the things are still in production. Impressive. Sorry about your mVaxes, though.

          "Sent from my VT100 running TOPS-20"

  • It's a feature (Score:5, Insightful)

    by ceoyoyo ( 59147 ) on Friday February 26, 2021 @08:51PM (#61104502)

    It renders nearly all marketing messages and newsletters as weird-looking at best, unreadable at worst.

    Yeah, it's great. One of the best features.

    • I like using noscript for that, too. It mangles over-designed 'content' that prissy 'Web developers' have fussed over.

      Back when Gmail didn't engage in an arms war to block downloading email content into Sylpheed (or thunderbird) I used it to 'break' html messages. Now that the Gmail regime has declared war on third party mail readers I have just abandoned Gmail. I read my Gmail once or twice a week. Anybody important has my fastmail email address. It's worth $30 a year to ditch Gmail.

  • by termigator ( 595635 ) on Friday February 26, 2021 @08:53PM (#61104512)
    If images are desired, then include in email. MHTML allows you to use cid URLs to reference image attachments where you want on the page. There is no reason to allow loading of remote resources in email. And there should never be reasons to allow JavaScript or other scripting languages in email.
  • I am atypical (Score:5, Insightful)

    by cybersquid ( 24605 ) on Friday February 26, 2021 @08:55PM (#61104522) Homepage
    ... because I have unset "Load remote content in messages".
    I click the "Load remote content" only if the message interests me and I trust the sender.
    Not arguing that I am atypical. Just sharing a data-point.
    • Yeah, me too. If the message has nothing useful to me without images it just gets shitcanned. But hey, I still use Lynx as my primary web browser. (I don’t get the fascination with online porn...)

    • by bidule ( 173941 )

      Heck, I don't even.
      I "click here" to open in a web browser if I ever care about the content.

      There's dozens of us, literally dozens!

    • by Kejiro ( 2803123 )

      You're definitely not atypical.

      tbh. I don't understand why there is an option to load remote content at all. If you want to make a nice html mail there is no problem attaching images.
      In my opinion, the only reason the remote content support even exist is to track the receipient, even if it's only a simple did-read notification, ok, granted, some Mail-apps seem to use a regular webviewer for the email, which automatically allow all remote content and other attack vectors normally not supported in a mail wi

      • by j-beda ( 85386 )

        You're definitely not atypical.

        tbh. I don't understand why there is an option to load remote content at all. If you want to make a nice html mail there is no problem attaching images.

        Size issues make it a bit of a resource drain to push a bunch of images around as attachments, when links to online images do not. I would certainly prefer getting links to images rather than stupid images in people's signatures filling up my email archives.

    • Iinm, this is the default for Fast ail. I've often wondered if there was a way to change the default, but never bothered to look.

  • Everything's about Twatbook these days. Nice to see someone complaining about email, even if it's a silly complaint.
  • I've been having MailScanner disarm tracking elements since soon after the idea was invented. Same goes for links that have an href different than the link text, when the link text is a URL.

    You don't need the client to defang the messages if you use a suitable email provider.

    Everybody probably thinks I never open mail. Some days that's true though.

  • Cry me a river. I've never enabled this. The way email works, it's dead easy to associate the message you sent with the image your mail application downloaded, and there really is no way to prevent this. The idea that blocking tracking pixels is saving you is naive. Every commercial email message you get with images in it has trackers in the URL string to see who got the mail. Tracking pixels are just a way of doing that without showing you an actual image. If you don't want to be tracked, disable image dow

  • once we lost the war over whether email messages should be plain text only or could contain embedded HTML

    Wait a minute — plain text-only e-mail was good, and would've been good, if only we haven't lost our resolve, but disabling all remote images is "throwing baby out with the water?

  • Red herring (Score:5, Informative)

    by jcochran ( 309950 ) on Friday February 26, 2021 @10:07PM (#61104688)

    I can see people using 1x1 pixel images for tracking because it's simple and has low bandwidth requirements. But I also see no way to specifically exclude loading 1x1 images. The "width" and "height" parameters to the "img" tag can be omitted, and without those parameters, there is no way of knowing the size of the image about to be loaded prior to actually sending a request to the server for the image. And once the request is sent, it's too late. The tracking image has done its job and actually downloading it is irrelevant. And as others have stated, any uniquely named resource can be used as a tracker, not just images. It's just that 1x1 images are one of the least resource intensive methods.

    • That's because the entire premise of TFA is fucking stupid.
    • The vast majority of spammy marketing newsletter emails that I get - of which virtually all I did not actually subscribe to, have every single image and URL in the email with some tracking ID. Therefore, if you load any image in the email, or follow any link, then the marketing types know you opened and interacted with their spammy email. As such, there's really no use for a 1-pixel tracking image - the entire email and everything in it is a giant tracker. It's really an all-or-nothing affair, you can't

  • Load resources and store them on Apple servers, problem solved.

  • The only option for privacy is not to display ANY image. I have looked at the HTML code of marketing emails and every single one of all the images are being tracked (have unique URLs). If someone does not want to track you, he uses embedded pictures. Totally easy to do. Nearly no marketing agency does it. Why? Because they want to track you in as many ways as possible.

    So either you care for privacy, then you do not let your email agent show you any pictures that have to be downloaded or you do and then you

    • by mseeger ( 40923 )

      Argh... got interrupted and messed up one sentence:

      So either you care for privacy, then you do not let your email agent show you any pictures that have to be downloaded or you do not care accept the images.

  • by BAReFO0t ( 6240524 ) on Saturday February 27, 2021 @08:42AM (#61105458)

    Sorry, but like antivirus, your "block only the web beacons" solution can never work. Because every ass worth his money will check against your solution first and make sure his stuff goes through before sending it.
    You will only catch the stuff that nobody cared about, because it is outdated or because the creator is an idiot.

    A whitelist is the only way to go.
    Block all external resources, and allow one to make exceptions. Ideally with some hard rules regarding behavior.

  • Another solution, since Apple now has the privacy proxy server, is to just allow routing image loading through that?

  • Comment removed based on user account deletion
  • I was hoping they would revamp theirs email app but it sucks big time. Like showing unread messages everywhere requires some weird Smart Folders. On the other hand Thunderbird is bloated.

  • Comment removed based on user account deletion

You know you've landed gear-up when it takes full power to taxi.

Working...