The privacy implications of email tracking

Emails are a widely used means for third parties to tie your email address to your activities across the web, Princeton University researchers have discovered.

The extent of email tracking

Email tracking was originally aimed at allowing senders to know whether the recipient has read the sent email. Unfortunately, many third parties also receive this information.

“Email tracking is possible because modern graphical email clients allow rendering a subset of HTML,” Steven Englehardt, Jeffrey Han, and Arvind Narayanan explained.

“JavaScript is invariably stripped, but embedded images and stylesheets are allowed. These are downloaded and rendered by the email client when the user views the email. Crucially, many email clients, and almost all web browsers, in the case of webmail, send third-party cookies with these requests, allowing linking to web profiles. The email address is leaked by being encoded as a parameter into these third-party URLs.”

The researchers decided to test which third parties receive this information, and how often, by signing up for mailing lists on 15,700 sites and waiting for emails to be sent. They received a total of 12,618 emails from 902 distinct senders, and their analysis of those emails showed that:

  • 85% of those emails contained embedded third-party content, and 70% contained resources categorized as trackers by popular tracking-protection lists.
  • Emails that embed any third-party content involve an average of 5.2 and a median of 2 third parties, and the top ones are Google-owned (Doubleclick, Google APIs, etc.).
  • 29% of emails leak the user’s email address to at least one third party.
  • Clicking on links in the emails opens pages in a web browser, and 11% of links contain embedded content requests that leak the email address to a third party.

Much of the time, leaks of email addresses to third parties are intentional on the part of commercial email senders, the researchers found.

“The resulting links between identities and web history profiles belie the claim of ‘anonymous’ web tracking. The practice enables onboarding, or online marketing based on offline activity, as well as cross-device tracking, or linking between different devices of the same user. And although email addresses are not always shared with third parties in plaintext—sometimes they are hashed—we argue that hashing does little to protect privacy in this context.”
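The leak described above can be checked for on the receiving side. The following is an added example, not code from the researchers or their paper: it scans an email's HTML for third-party images and stylesheets whose URLs carry the recipient's address in plaintext, Base64, or as an MD5, SHA-1 or SHA-256 hash. The set of encodings, the hostnames and the sample message are assumptions constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

def address_encodings(address):
    """Forms the address may take inside a URL (an assumed set, chosen for this example)."""
    addr = address.strip().lower().encode()
    forms = {"plaintext": addr.decode(), "base64": base64.b64encode(addr).decode().rstrip("=")}
    for name in ("md5", "sha1", "sha256"):
        forms[name] = hashlib.new(name, addr).hexdigest()
    return forms

class ResourceCollector(HTMLParser):
    """Collects URLs fetched when the mail is rendered: images and stylesheets."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.urls.append(a["href"])

def find_leaks(html_body, recipient, sender_domain):
    """Return sorted (host, encoding) pairs for third-party URLs that carry the address."""
    collector = ResourceCollector()
    collector.feed(html_body)
    leaks = set()
    for url in collector.urls:
        host = (urlsplit(url).hostname or "").lower()
        # Assumption: suffix match stands in for a proper registrable-domain comparison.
        if not host or host == sender_domain or host.endswith("." + sender_domain):
            continue
        decoded = unquote(url)
        for name, value in address_encodings(recipient).items():
            # Base64 is case-sensitive; plaintext and hex digests are matched in lowercase.
            if value in (decoded if name == "base64" else decoded.lower()):
                leaks.add((host, name))
    return sorted(leaks)

# Constructed sample: one first-party image and three third-party resources.
RECIPIENT = "alice@example.com"
_f = address_encodings(RECIPIENT)
SAMPLE_HTML = f"""<img src="https://img.shop.example/logo.png?u=alice%40example.com">
<img src="https://px.tracker-a.example/o.gif?e=alice%40example.com">
<img src="https://sync.tracker-b.example/p?uid={_f['sha256']}">
<link rel="stylesheet" href="https://cdn.tracker-c.example/s.css?m={_f['md5']}">"""
print(find_leaks(SAMPLE_HTML, RECIPIENT, "shop.example"))
```

The hashed forms are found by the same lookup as the plaintext one, because anyone who already holds the address can recompute its digest.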

Defenses against email tracking

There are ways to block this third-party email tracking, and they can be deployed by web browsers, mail servers, or mail clients.

For web browsers, adding the URLs that receive leaked email addresses to a block list is a simple enough way to prevent cookies from being set, referrer headers from being sent, or requests from being answered.

The researchers’ paper contains a helpful table delineating the privacy-impacting features of 16 email clients and servers (i.e. web-based email services), but they point out that, while each of them deploys some of the defenses, no setup offers complete protection against email tracking.

One way for users to prevent email tracking is to use email clients that support blocking images by default, but this could render some emails unreadable. “Perhaps the best option for privacy-conscious users today is to use webmail and install tracker-blocking extensions such as uBlock Origin or Ghostery,” the researchers noted.

But, they argue, it would be best to implement tracking protection via HTML filtering on the server or via request blocking on the client. It is worth noting, though, that the effectiveness of these defenses depends on up-to-date filter or tracking-protection lists.