New research details the privacy implications of email tracking

How many times a day do you check email? We know that web trackers snoop and stalk us when we surf, but the same could be said of email tracking. In fact, it’s much more intense than you likely realized, according the research paper “I never signed up for this! Privacy implications of email tracking” (pdf) by Princeton University researchers Steven Englehardt, Jeffrey Han and Arvind Narayanan for the PETS 2018 (Proceedings on Privacy Enhancing Technologies).

The researchers called email tracking “pervasive,” as 85 percent contained embedded third-party content. Of those, 70 percent are the same ones that are involved in web tracking.

As Englehardt explained, simply opening an email, “allows those third parties to track you across the web and connect your online activities to your email address, rather than just to a pseudonymous cookie.”

The trackers “can connect email addresses to browsing histories and profiles, which leads to further privacy breaches, such as cross-device tracking and linking of online and offline activities.”

Their OpenWPM web crawler visited 15,700 sites that offered commercial mailing list subscription forms and managed to sign up for 12,618 mailing lists from 902 senders. They found “a network of hundreds of third parties that track email recipients via methods such as embedded pixels. About 30 percent of emails leak the recipient’s email address to one or more of these third parties when they are viewed. In the majority of cases, these leaks are intentional on the part of email senders, and further leaks occur if the recipient clicks links in emails.”

How much of it is intentional? The paper said, “62 percent of the 100,963 leaks to third parties are intentional.” The privacy risk is even worse “if the leaked email address is associated with a tracking cookie, as it would be in many webmail clients.” The tracking cookie picked up by viewing an email can link email addresses to tracking profiles even after users clear their cookies.

Example of email tracking

Using an example email from the deal website LivingSocial, the researchers discovered the following:

When the email is opened, client will make requests to 24 third parties across 29 third-party domains. A total of 10 third parties receive an MD5 hash of the user’s email address, including major data brokers Datalogix and Acxiom. Nearly all of the third parties (22 of the 24) set or receive cookies with their requests. In a webmail client, the cookies are the same browser cookies used to track users on the web, and indeed many major web trackers (including domains belonging to Google, comScore, Adobe, and AOL) are loaded when the email is opened. While this example email has a large number of trackers relative to the average email in our corpus, the majority of emails (70 percent) embed at least one tracker.

Top recipients of leaked email addresses

The top 5 organizations that received leaked email addresses are LiveIntent, Acxiom, Litmus Software, Conversant Media and Neustar.

If a user were to actually click on a link in the email, then the user’s email address can be leaked to third parties. The researchers found that the top 10 leak recipient organizations are Google, Facebook, Twitter, Adobe, Microsoft, Pinterest, LiveIntent, Akamai, Acxiom and AppNexus.

Privacy-impacting features of email clients

The researchers built an email privacy tester to determine privacy-impacting features of 16 email clients.

According to the researchers, Gmail accessed via the web, Android and iOS app, blocks proxies content, only blocks images on the web if the message is considered spam, blocks referrers and cookies in all three, but only the web version offers extended support.

The Outlook web app, outlook.com and Outlook 2016 desktop version do not block proxies content. Outlook.com blocks images only if the message is flagged as spam even though the web app and Outlook 2016 do block images. Unlike the Outlook web app and outlook.com, Outlook 2016 does block referrers. None of the three blocks cookies, and only Outlook 2016 does not offer extended support.

The only yes under Windows mail on desktop is that it blocks referrers.

Apple mail via iOS and desktop do not block proxies content or images – unless they are considered spam – but both do block referrers and cookies. Neither offers extended support.

Thunderbird on desktop does not block proxies content, does block images and referrers, can block cookies if the default is changed from “no” to “yes,” and does offer extended support.

Defenses against email tracking

The researchers came up with five possible defenses against email tracking: “content proxying, HTML filtering, cookie blocking, referrer blocking, and request blocking.”

Using an email client that blocks images can cut down on the privacy risks, but it can also potentially cause mail meant to display images to be unreadable.

Besides using an email client that blocks images by default, browser extensions such as uBlock Origin, Privacy Badger or Ghostery help to block the tracking requests. They reduce the tracking to about half but don’t prevent all tracking.

Englehardt wrote:

We found that the tracking protection lists EasyList and EasyPrivacy reduce the number of email leaks that occur when an email is viewed by 87 percent. Perhaps the best option for privacy-conscious users today is to use webmail and install tracking protection tools, such as uBlock Origin or Ghostery. Users who want to use a standalone client must find one that supports privacy extensions. Of the clients we studied, the only one that supports such extensions is Thunderbird. Having tracking protection tools installed in the browser will also provide protection when email links are clicked.

The researchers made the code and data from this study available on GitHub.