John Gruber over at Daring Fireball has argued that Apple Mail should block tracking pixels in emails. I agree 100%. This seems to me to be a much-needed feature that would be completely in line with Apple’s strong privacy stance.
For anyone not familiar with email tracking pixels, these are usually links to single-pixel images hidden inside HTML emails. They are usually either transparent, or part of an email graphic in the footer, so they are invisible to the user…
When we open the email, it triggers a download request to fetch the image from a remote server. That means the email sender can see that we’ve opened the email – but they can often see very much more.
For example, from our IP address, they can get an approximation of our physical location. In some cases, that might be very approximate – like the other side of a city – but in other cases, it can be extremely specific.
If you want to get an idea of the location info revealed by your IP address, do any Google search, scroll down to the footer at the bottom, and see what is shown for your location. (Do this in a private/incognito window so you can be sure Google isn’t using your stored home address from Google Maps.)
Other info revealed by tracking pixels can include the type of device you are using and the number of times you opened the email.
Gruber notes that the Hey email service specifically touts tracking pixel blocking as a privacy feature.
When you open an email, the sender can find out if you opened it, how often you reopened it, where you physically were when you opened it, how long you spent reading it, if you were on a phone or a computer when you opened it, and even what kind of phone or computer you own […]
They typically do this by using a service that embeds a spy pixel in emails they send you […] If you use HEY, we’ll protect you against the vast majority of email spy trackers. In almost all cases, people sending you email with spy pixels to your HEY account won’t know if you opened their email, when you opened their email, how often you opened their email, etc. That’s your business, not theirs. HEY’s on your side, not theirs.
HEY [has] identified all the major spy-pixel patterns, so we can strip those out directly. When we find one of those pesky pixels, we’ll tell you exactly who put it in there, and from what email application it came. Second, we bulk strip everything that even smells like a spy pixel. That includes 1×1 images, trackers hidden in code, and everything else we can do to protect you. Between those two practices, we’re confident we’ll catch 98% of all the tracking that’s happening out there.
He believes Apple should do the same, and I absolutely agree.
Apple should do something similar: identify and block spy trackers in email by default, and route all other images through an anonymizing proxy service.1 And, like Hey, they should flag all emails containing known trackers with a shame badge. It’s a disgraceful practice that has grown to be accepted industry-wide as standard procedure, because the vast majority of users have no idea it’s even going on […]
Apple should offer defenses against email tracking just as robust as Safari’s defenses against web tracking.
It would be easy for Apple to do this for email that uses its own servers, namely @icloud.com, @me.com and @mac.com email addresses.
Indeed, it’s hard to understand why Apple hasn’t already done this. The company takes a strong stance on user privacy, and goes to great lengths to block tracking in Safari and apps, even at the cost of annoying large players that depend on the practice for their ad revenues. (Mail does allow you to block all remote content, but that would be a pain given how many legitimate emails include images.)
Doing it for external email domains is much trickier, since Apple would need to effectively scan email it doesn’t host in order to block the pixel trackers. That would raise a whole other set of privacy questions, not to mention the additional bandwidth requirements.
But Apple scanning email it already hosts for pixel trackers, and blocking them? That seems to me a no-brainer.
What’s your view? Should Apple do this for its own domains? Extend it to external email domains? Or not do it at all? Please take our poll, and share your thoughts in the comments.
Photo by Austin Distel on Unsplash
FTC: We use income earning auto affiliate links. More.