By Tyler W.
March 10, 2021
Stopping Email Tracking Pixels
Don't let the convenience of a visually pleasing email be the reason your inbox habits become public knowledge to those clever enough to embed a tracking pixel in your emails.
This is not a post to hate on email again, but simply a public service announcement about why you need to enable a particular setting. You need to do this because I have used this technique to track emails previously, and it is also a popular OSINT technique. What am I talking about? A simple setting: not enabling the auto-loading of images in your emails. I know we all like a pretty email, but the images that can give an aesthetically positive feeling to email are also how marketers track clicks and engagements, as well as opens. Again, this is a technique we have used for both offensive reasons and genuine marketing reasons. Even as I share this with you now, I know not enough of you will use this setting because of the level of ‘inconvenience’ it will generate, or the ‘I have nothing to hide’ mindset. This is not about convenience or transparency but the right to privacy we all should expect in our inbox.
A tracking what?
It is common practice for marketers (and security professionals) to embed a tracking pixel inside an email, which is defined as:
“An email tracking pixel is a 1px by 1px square image created by a line of code that is inserted into an email message. It’s not obvious to the recipient that email tracking pixels are present because they are often transparent and placed somewhere discreet in the header or footer of the email….Some email tracking pixels have more advanced, strategic functions, such as remarketing pixels, which deliver the user personalized advertising around the Internet.” – source nutshell.com
You will hear marketers and social media campaigners attempt to frame these spy pixels as a positive, claiming that they improve and personalise your overall internet experience. The fact that most of us are uncomfortable when Facebook, Instagram and Amazon seem to know so much about us and follow us around the web suggests, to me, that these arguments are flawed and incorrect.
Before you start deleting your email accounts, it is important to understand that a tracking pixel is not like a cookie, and tracking pixels can only provide information on:
- The type of device you were using to open the email
- When the email was opened
- How many times the email was reopened
- How long you kept the message open for
- If you clicked on any links from within the email message
As a basic tracking / spy pixel does not gain access to your root folder system, tracking pixels do not and cannot collect sensitive information about the user such as IP addresses, passwords or safe and secure data stored on the device. Your bank data is safe in spite of these privacy invasions. In order for a tracking pixel to be genuinely malicious, the code would have to get access to the recipient’s cookies (text files that save to your computer when you visit a particular website and collect information on your online behavior). Tracking pixels do not save to your computer and don’t collect any information outside of your engagement with the email they were embedded in.
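To make the mechanism concrete, here is an added example (not code from the original post) of what an "ask before displaying external images" setting does to a message body: it flags remote images that are 1px by 1px or hidden as likely tracking pixels and removes every remote image source so nothing is fetched on open. The hosts `cdn.example` and `tracker.example` and the sample body are constructed for illustration.

```python
import re
from html.parser import HTMLParser

REMOTE = re.compile(r"\s*(https?:)?//", re.I)   # src that needs a network fetch
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = re.compile(r"\s*[01]\s*(px)?\s*", re.I)  # 0 or 1 pixel

class RemoteImageBlocker(HTMLParser):
    """Re-emits an HTML body with remote <img> tags neutralised."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.findings = [], []        # findings: (url, likely_pixel)

    def _emit_tag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag != "img" or not REMOTE.match(a.get("src", "")):
            self.out.append(self.get_starttag_text())   # local content: keep as is
            return
        tiny = all(TINY.fullmatch(a.get(d, "x")) for d in ("width", "height"))
        likely_pixel = tiny or bool(HIDDEN.search(a.get("style", "")))
        self.findings.append((a["src"].strip(), likely_pixel))
        if not likely_pixel:                    # visible picture: leave a placeholder
            self.out.append('<img alt="[remote image blocked]">')

    handle_starttag = handle_startendtag = _emit_tag

    # Everything that is not a start tag is copied through unchanged.
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def block_remote_images(html_body):
    """Return (safe_html, findings) for one HTML message body."""
    parser = RemoteImageBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample body; cdn.example and tracker.example are placeholder hosts.
SAMPLE = (
    '<html><body><p>Spring sale &amp; more</p>'
    '<img src="https://cdn.example/banner.png" width="600" height="200">'
    '<img src="cid:logo@local" width="120" height="40">'
    '<img src="https://tracker.example/o.gif?m=abc123" width="1" height="1">'
    '<img src="//tracker.example/p.gif" style="display:none"></body></html>'
)
```

The sketch only looks at `<img src>`; CSS `url()` backgrounds and `srcset` attributes also trigger remote fetches, which is why the client-level setting described below remains the control to rely on.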
I am all in on private internet usage, and commonly say “we all have the right to an expectation of privacy when online”. To me no place is more sacred than my inbox; I do not need people snooping on me. I will add the caveat that I am aware I am being somewhat hypocritical, having used pixel embedding in prior engagements, but these have been just, and besides, these methods are easily thwarted by following these steps:
Gmail
- Log in to Gmail
- Click the gear / setting icon in the top right corner
- Select “See all settings”
- In the “General” tab, scroll down to “Images” and select “Ask before displaying external images”
- Save
Outlook 365 (Desktop)
- Select File
- Select Options at the bottom left of the window.
- Select Trust Center
- Click Trust Center Settings
- Ensure all boxes are ticked, thereby prohibiting downloading.
How your Outlook desktop application should look.
In Outlook on the web, there is no global setting to always download images/pictures for every message. You will need to manage this at the message level or add the message sender to your Safe Senders list.
Apple Mail
- Select Mail, then navigate down to Preferences.
- Click on the Viewing tab.
- Uncheck the option to “Load remote content in messages”
The 5th box needs to be unchecked in order to maximise your email privacy when using Apple Mail.
This covers how to protect yourself on the major email applications that most people use. To take your privacy one step further, we encourage you to resist the urge to receive email on your mobile devices; however, we appreciate not all share this sentiment. It is possible for the mail application on your mobile device to prohibit images in the same vein, and all you need to do (generally) is navigate to settings and search for ‘images’; from there you can stop the application from loading remote content.
As more and more email applications now come with these restrictions as default, you may already be secure; however, it is always worth checking, especially when dealing with your inbox privacy. I do implore you to undertake these steps and restore some privacy to your inbox. The ‘inconvenience’ of this will be outweighed by your privacy gains. An even simpler approach is to use an email client that does not use HTML at all, which will effectively cause these tracking pixels to be null and void from the receiver’s end.
We do hope this strategy will prove useful for you, not just to keep the marketers from knowing too much but also to keep ‘bad actors’ at bay. An innocent tool and technique can easily be twisted for bad, and this is why we are constantly looking to introduce tweaks such as those we have discussed here to our clients and stakeholders.