The Washington Post

Companies know what you do inside your email inbox. Here’s how to block them.

Tiny invisible images inside emails are collecting information on you

Correction

A previous version of this article incorrectly stated that Microsoft's Outlook blocks images by default in its corporate email accounts. It does not. The article has been corrected.

Privacy-protective email service ProtonMail just rolled out a feature that blocks companies from tracking you inside your inbox — which many of us didn’t know was happening in the first place.

Your inbox may feel like a cloistered environment, but it’s actually just another webpage, says Bill Fitzgerald, a privacy researcher who ran the education and privacy organization FunnyMonkey. Companies can put little chunks of code inside emails that report back on whether you looked at it, as well as your location and the time of day. And unless your email provider is end-to-end encrypted, there’s nothing stopping that provider from accessing your mail, as well.

“Emails in your inbox should be treated like calls where you don’t know the number,” Fitzgerald said. “Don’t answer, delete, block the number.”

As interest in data privacy grows and we learn about the many ways our apps and browsers keep tabs on us, it’s easy to assume that what we send and receive in our email accounts stays private. But email is fertile ground for tracking, and big providers do little to stop it, experts say.

Google, for one, downloads images in emails on its own servers, its spokeswoman Jenny Thomson said. That’s typically where tracking technology hides, but Thomson wouldn’t say whether Google’s method stops trackers from gathering data on you. Outlook doesn’t block tracking technology for personal or business accounts, though it does take steps to do so in its app for Windows, according to Lynn Ayres, Microsoft’s corporate vice president of Outlook.

Gmail retired its practice of reading your emails to better target you with ads in 2017. And Outlook has never done so, Ayres said. But features like auto-filled calendar events, as well as spam and scam protection, still depend on scanning incoming mail, according to Ayres. Because Google, Microsoft and Yahoo don’t encrypt your mail end-to-end, it’s tough to know for sure how much of it they access, privacy experts say.

Information on how you respond to different emails helps brands know what types of content and offers you like and show you more of the same. But it’s tough to know where that data goes after it flies out of your inbox, Fitzgerald said. A slew of digital ad companies keep profiles on you and are always adding to them, he said. Information about your email habits can become one more data point in an ever-growing collection.


How does email tracking work?

For online advertisers, piecing together who interacted with a given ad can be a puzzle. But in email, it’s easy: Your email address is strongly associated with you across the whole Internet. Companies use big email service providers such as Mailchimp or Twilio — which send and analyze email campaigns on their customers’ behalf — to shoot ads to your inbox and measure how you react.

Often, email tracking technology relies on pixels, which are the tiny colored squares that make up the images you see on screen. Tracking pixels are usually translucent, and each has a special file name that’s unique to you or to a particular marketing campaign. As soon as you load the images inside a newsletter or marketing email, that pixel loads too, and the sender often knows exactly who did it.

These tracking pixels can hand over your IP address, which tells companies your location, sometimes precisely, Proton chief technology officer Bart Butler said. They can reveal what type of device you’re using, which browser and what time of day you were checking email. This information goes not only to the company’s email provider, but to anyone the company and its provider choose to share it with going forward.

“All of that information — just by loading images — will go to one of these providers, and all that's valuable, right? Usually, this then gets sold to people making advertising profiles for you,” Butler said.
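How a mail client can spot the tracking images described above, as an added example that is not part of the original article: it lists every image a message would fetch from a remote server and flags the tiny or hidden ones. The sample message, host names and file name are constructed, and the size/hidden test is a heuristic assumption; any remote image reports the open, which is why blocking all external images is the dependable setting.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: sender, hosts and the per-recipient file name are made up.
SAMPLE = """\
From: news@shop.example
To: reader@mail.example
Subject: Weekend deals
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="https://track.shop.example/o/u83hf92k.gif" width="1" height="1">
<img src="cid:logo123" width="120" height="40">
</body></html>
"""

class RemoteImageAudit(HTMLParser):
    """Records every <img> that would be fetched from a remote server on open."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images travel inside the message itself
        dims = (a.get("width", ""), a.get("height", ""))
        tiny = any(d.strip().lower().removesuffix("px") in ("0", "1") for d in dims)
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        self.found.append({"host": url.hostname, "path": url.path,
                           "likely_pixel": tiny or hidden})

def audit_message(raw):
    """Return the remote images in the HTML body of a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # no HTML part, so nothing to load
    parser = RemoteImageAudit()
    parser.feed(body.get_content())
    return parser.found
```

Calling `audit_message(SAMPLE)` returns two entries: the banner as an ordinary remote image and the 1x1 GIF flagged as a likely pixel; the embedded `cid:` logo is not listed because it needs no network request.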

Twilio and Mailchimp said they don’t monetize people’s data, but Twilio’s privacy policy says it shares your data with outside companies with permission from its clients, or the brands sending you emails. Mailchimp’s policy said it shares your data with its “affiliates and subsidiaries” — language that appears often in privacy policies to cloak the extent of a company’s data-sharing, Fitzgerald said.

Mailchimp might not sell your data, but it sells tools and services that rely on your data, said vice president of corporate communications Christina Scavone. Twilio spokesman Cris Paden would not say whether it does the same.

Email tracking pales in comparison to the tracking that happens on your favorite social media sites, said Alex Bauer, head of product marketing at advertising-technology company Branch. Any reputable company should write data-privacy protections into its contracts with those middlemen email service providers to prevent customer information from leaking into the broader data marketplace, he noted. But given the number of companies in our inboxes every day and the lack of transparency around data practices, figuring out if they are protecting your data is virtually impossible without some serious research.


What can you do about email tracking?

If you don’t want companies peeking into your email, you can stop some in their tracks simply by blocking images.

In Gmail on a desktop, go to Settings -> See all settings -> General -> Images. Hit “ask before displaying external images,” then scroll to the bottom and save your changes.

If you’re using the Windows app for Outlook, images are blocked by default. If you’re using a personal or business account on the Web, you can block some tracking pixels by going to Settings -> View all Outlook settings -> Mail -> Junk mail -> Filters. Choose to only accept attachments, images and links from people and domains in your safe senders list.

Another approach is to use a privacy-protective email service. Apple’s Mail app stops tracking pixels from gathering data on your location or the time you opened a message, the company says.

ProtonMail, an email service from Switzerland-based privacy company Proton, is end-to-end encrypted, which means your mail isn’t visible even to Proton itself. (And if the company gets hacked — an increasingly frequent problem in the digital world — the hackers couldn’t see your data, either.) Its new tracker-blocking feature will protect your IP address and other identifiers from data-hungry companies and their many technology partners.


Germany-based Tutanota is another privacy-oriented email service. It’s end-to-end encrypted and blocks all tracking pixels by default, says CEO and co-founder Matthias Pfau.

Last, you can adjust your email habits to hand over less information to companies. Fitzgerald recommends we start treating marketing emails like spam calls: Don’t open them if you can avoid it, and block or unsubscribe at every opportunity. (But keep in mind that if you love tailored coupons and content from brands, you’ll see less relevant stuff, Bauer noted.)

Good privacy habits can only take us so far in a world where companies can legally surveil us, profile us and use that information to influence our behavior, Fitzgerald said. But the more we focus on small habits, the more we start questioning the system as a whole.

“This is something that requires systemic change instead of individuals choosing differently,” he said.
