Email Read Receipts: Brilliant or Privacy-Invading?

Part 2: Is this a privacy breach?

Yes, if not consented. And it’s probably not consented.

An email is just the electronic equivalent of letters.

While we have delivery receipts, we generally expect mails to be read-only. It does not dial-back to the sender to inform them about your mail habits! This makes the most sense when we consider non-targeted spam mails/flyers. These are basically one-way, where the marketers can shove flyers down your mailbox but can never guarantee how many reads they have achieved. Did you come back to the flyer a few times to consider ordering that crust-filled pizza, or did you trash it straight away? Marketers cannot gauge your interests until you action on the flyers (enquire, place order, complain about the annoyance, etc).

I believe that is the general expectation the public has with emails. A general computer user clicking on marketing emails may not have anticipated that their information are immediately collected. Are you more likely to open emails of a certain category or product? Let’s send more targeted email ads your way! This sort of behaviour is currently prohibited under the GDPR1, but I doubt it is regulated much.

The Spike app can track the time at which mails are opened, which probably defeats excuses like “sorry your mail didn’t come through,” but is this really healthy? Do not forget that web beacons are not part of the original email protocols and are instead actively added. Not only are you tracking secretly without consent, this also borders on controlling behaviours. Are there any trust issues that compel you to obtain this information to have a leg up? Why else would you want this information secretly?

Actually, an email is more than just an electronic mail.

Unlike physical addresses, email addresses are pseudonyms that do not necessarily indicate your identity or location, apart from information leaked through country code top-level domains (eg. hotmail.co.uk) or region-specific services (eg. yandex.mail). A general computer user expects the anonymity and privacy provided by their username.

However, now that spam mails can be sent internationally, someone in another country and in another jurisdiction can learn about where you live and your computer habits. A research shows that about 70%2 of emails are tracked. These information are often sent to third parties for profiling and ad targeting purposes.

Part 3: Put an end to email tracking

I planned this article two years ago and there wasn’t too much attention on email tracking just yet. The quickest way is to block all external images on default and change your client settings to never send read receipts. In fact, ProtonMail does this by default. You can find instructions online on how to achieve this for your mail client. However, this is not foolproof for the following reasons:

  1. All images in your newsletter will not load. You can choose if you wish to load the contents, but you will give away your information at that point if you do not have a proxy or VPN set up.
  2. You can still be tracked if you click on links. Links in newsletters usually come with unique IDs as well.
ProtonMail blocks remote contents by default

Here are two of the more recent privacy-focused features that have came out recently. Browser plugins that remove trackers have also existed for a while but will not be discussed here.

Apple’s Mail Privacy Protection

Apple’s introduction of this feature in 2021 has helped to raise attention and discussions on mail tracking. In short, the mail client opens all new emails as they are available, and downloads all images and contents immediately by Apple servers into a cache store3. When you finally read that email, you are retrieving from the cache, and so trackers cannot tell who or when the email was actually opened. This feature is exclusive to Apple Mail users.

DuckDuckGo’s Email Protection

DuckDuckGo introduced a very interesting email redirection service. You can sign up for a @duck.com address which receives any mails, removes the trackers from the mail, and then forward it to an email address of your choosing. This means that it is not a separate inbox, and you still receive your mails in your personal mailbox.

DuckDuckGo Email Protection email

Assuming your duck address [email protected] forwards to [email protected], here is how it works:

  1. You sign up at store.com with your duck address [email protected]
  2. The store sends a newsletter with trackers from [email protected] to your duck address.
  3. DuckDuckGo receives the mail, scrubs it clean, and adds the tag at the top of the mail (see image above). These are all done in memory and not written to disk.
  4. DuckDuckGo sends the mail from [email protected] to [email protected] (you won’t receive this) and BCC to [email protected]

I tried forwarding the email from my roommate to my duck address. Notice how in the screenshot below, even though this is my personal mailbox, I can see that the ‘To’ address is the duck address. Also, the tracker was removed!

Forwarded email to my duck address

The tag at the top of the mail links to the following report.

Email protection report from DuckDuckGo

It’s also true that the information shown was not saved by DuckDuckGo, but was instead encoded in the URL:

https://duckduckgo.com/email/privacy-report/eyJzZW5kZXIiOiJzbGFja3luaWNrQHByb3Rvbm1haWwuY29tIiwiYWRkcmVzcyI6IlhYWFhYIiwiYWRkcmVzc190b2tlbiI6bnVsbCwidHJhY2tlcnMiOlt7Im5hbWUiOm51bGwsImhvc3RuYW1lIjoiYm9sdC5pbSIsImVtYWlsX2xlYWsiOmZhbHNlfV19

The text at the back, when base64 decoded, is a JSON object that reads:

{"sender":"[email protected]","address":"XXXXX","address_token":null,"trackers":[{"name":null,"hostname":"bolt.im","email_leak":false}]}

Interestingly, we see an email_leak key here, presumably performing similarly to haveibeenpwned.com, but toggling this key value to true has no effects for now.

This DuckDuckGo service is in beta and you can sign up here.

Closing Remarks

After the whole Snowden incident, I have hope that the general public is beginning to realise that privacy is a right that is slowly going away. Some people I talk to have started to subscribe to the idea that “privacy is dead.” In a way, it does feel like so, with how our actions online are closely monitored by either companies, governments, or malicious actors.

However, there are steps that we can take to protect ourselves, and we should not give up the fight just yet.

Oh, and my roommate stopped using the app after hearing my privacy concerns. He was also the one who introduced the DuckDuckGo Mail Protection service to me. I like him a lot.

References

  1. https://www.gdpreu.org/compliance/email-tracking/
  2. https://freedom-to-tinker.com/2017/09/28/i-never-signed-up-for-this-privacy-implications-of-email-tracking/
  3. https://www.litmus.com/blog/apple-mail-privacy-protection-for-marketers/

Leave a Reply

Your email address will not be published.