Tracking pixels: Concerns raised over ‘grotesque invasion of privacy’ - and how to know if you’re being watched when you open emails

Companies can track when an email was opened, where it was opened from, and what device was used

Adam Smith
Wednesday 17 February 2021 15:56 EST
Comments
(Unsplash)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Two thirds of emails sent to personal accounts include a tracking pixel that reveals how the user responded to the message.

Email client Hey analysed its traffic in collaboration with the BBC, and found that many companies could trace if and when an email was opened, how many times it was opened, what device it was opened from, and a general idea of the user’s location from their IP address.

Many of the world’s biggest companies use tracking pixels in their emails, analysis has shown.

Hey processes one million emails a day, according to co-founder David Heinemeier Hansson, out of a total 306.4 billion sent every day in 2020. According to the company, of those million emails received by the top 10 per cent of users, more than 50 contain tracking pixels.

The average user, meanwhile, gets 24 emails with tracking pixels - equating to 600,000 tracking attempts per day.

Tracking emails in this way is a “grotesque invasion of privacy”, Mr Hansson says. “It’s not like there’s a flag saying ‘this email includes a spy pixel’ in most email software”.

In order to stop this happening, users can purchase a subscription to Hey, which offers the feature for premium users.

There are also free extensions for Google Chrome (and other Chromium browsers such as Brave) and Microsoft Edge available - but it is always worth checking exactly how these extensions might use consumer data by reading the privacy policy before installing.

Tracking pixels are not a new phenomenon. In 2017, Wired reported that nearly one fifth of all email communication is tracked. The “ice breaker”, email intelligence company OMC co-founder Florian Seroussi said at the time, was Gmail.

When sponsored links appeared in users’ emails, targeted using advertising data, it seemed invasive; but soon it became “common knowledge and everyone’s fine with it.”

The way these pixels work is the same way that finding images on the internet works. A user’s computer requests an image from a server, and when the server returns the image it is tracked by software. When a user downloads an email, the server can tell what has happened to it through similar means.

Tracking pixels also go by many names - web beacons, web bugs, tracking bugs, web tags, page tags, pixel tags, 1 x 1 GIFs, and clear GIFs - but users are unlikely to actually see them.

This is because the tracking pixel can literally be as small as one pixel, which can also be made transparent and embedded in email signatures or even a font.

Use of tracking pixels in the UK is governed by the 2003 Privacy and Electronic Communications Regulations (Pecr) and as well as General Data Protection Regulation (GDPR).

This states that organisations should inform recipients of the pixels and obtain content - similar to how users have to actively turn on read receipts in messaging apps.

However, the enforcement of this regulation is lacklustre and even if companies do attempt to inform users in legal documents, few users actually read such oblique terms and conditions.

“Solely placing something in a privacy notice is not consent, and it is hardly transparent,” Pat Walshe from Privacy Matters told the BBC, who also pointed out that the ICO uses a tracking pixel within its own emailed newsletter.

“We’re working with our provider to remove the pixel functionality and this should be completed soon,” an ICO spokesperson told the BBC.

Email services are not the only ones to use tracking pixels. Facebook had to introduce a tool that let users choose whether their “off-Facebook activity” is gathered by the tech giant and used to target them with ads, because the social media giant has its own tracking pixel for everyone on the internet.

“We can also use the fact that they visited a site or app to show them an ad from that business – or a similar one – back on Facebook,”  the site’s product management director, David Baser, wrote in 2018.

Mr Baser’s blog post also made it clear that Facebook was tracking people even if they were not logged into Facebook or did not use it at all.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in