Tracking pixels: Concerns raised over ‘grotesque invasion of privacy’ - and how to know if you’re being watched when you open emails

Companies can track when an email was opened, where it was opened from, and what device was used

Adam Smith (@adamndsmith)
Wednesday 17 February 2021 20:56

Two thirds of emails sent to personal accounts include a tracking pixel that reveals how the user responded to the message.

Email client Hey analysed its traffic in collaboration with the BBC, and found that many companies could trace if and when an email was opened, how many times it was opened, what device it was opened from, and a general idea of the user’s location from their IP address.

Many of the world’s biggest companies use tracking pixels in their emails, analysis has shown.

Hey processes one million emails a day, according to co-founder David Heinemeier Hansson, out of a total 306.4 billion sent every day in 2020. According to the company, of those million emails received by the top 10 per cent of users, more than 50 contain tracking pixels.

The average user, meanwhile, gets 24 emails with tracking pixels - equating to 600,000 tracking attempts per day.

Tracking emails in this way is a “grotesque invasion of privacy”, Mr Hansson says. “It’s not like there’s a flag saying ‘this email includes a spy pixel’ in most email software”.

In order to stop this happening, users can purchase a subscription to Hey, which offers the feature for premium users.

There are also free extensions for Google Chrome (and other Chromium browsers such as Brave) and Microsoft Edge available - but it is always worth checking exactly how these extensions might use consumer data by reading the privacy policy before installing.

Tracking pixels are not a new phenomenon. In 2017, Wired reported that nearly one fifth of all email communication is tracked. The “ice breaker”, email intelligence company OMC co-founder Florian Seroussi said at the time, was Gmail.

When sponsored links appeared in users’ emails, targeted using advertising data, it seemed invasive; but soon it became “common knowledge and everyone’s fine with it.”

These pixels work the same way as loading any image on the internet. A user’s computer requests an image from a server, and when the server returns the image the request is tracked by software. When a user downloads an email, the server can tell what has happened to it through similar means.

Tracking pixels also go by many names - web beacons, web bugs, tracking bugs, web tags, page tags, pixel tags, 1 x 1 GIFs, and clear GIFs - but users are unlikely to actually see them.

This is because the tracking pixel can literally be as small as one pixel, which can also be made transparent and embedded in email signatures or even a font.

Use of tracking pixels in the UK is governed by the 2003 Privacy and Electronic Communications Regulations (Pecr) as well as the General Data Protection Regulation (GDPR).

These state that organisations should inform recipients of the pixels and obtain consent - similar to how users have to actively turn on read receipts in messaging apps.

However, the enforcement of this regulation is lacklustre and even if companies do attempt to inform users in legal documents, few users actually read such oblique terms and conditions.

“Solely placing something in a privacy notice is not consent, and it is hardly transparent,” Pat Walshe from Privacy Matters told the BBC. Mr Walshe also pointed out that the ICO uses a tracking pixel within its own emailed newsletter.

“We’re working with our provider to remove the pixel functionality and this should be completed soon,” an ICO spokesperson told the BBC.

Email services are not the only ones to use tracking pixels. Facebook had to introduce a tool that let users choose whether their “off-Facebook activity” is gathered by the tech giant and used to target them with ads, because the social media giant has its own tracking pixel for everyone on the internet.

“We can also use the fact that they visited a site or app to show them an ad from that business – or a similar one – back on Facebook,” the site’s product management director, David Baser, wrote in 2018.

Mr Baser’s blog post also made it clear that Facebook was tracking people even if they were not logged into Facebook or did not use it at all.
