50% Of Your Emails Are Tracked And Trackbuster Wants To Stop It

Discussion in 'privacy technology' started by Dermot7, Jul 28, 2015.

  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://www.forbes.com/sites/katevinton/2015/07/28/50-of-your-emails-are-tracked-and-trackbuster-want-to-stop-it/

    https://trackbuster.com/about-us
     
    Last edited: Jul 28, 2015
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    This is good news. But any content in messages that's pulled from remote sources can serve as a tracker. To be sure, use a local mail client, and disable HTML rendering. Just read text. If that's HTML code, so be it ;)
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    Which content besides pictures (one-pixel and similar) can be used to track users? Downloading pictures from external sources can be disabled in Gmail settings... The same can be set in most email clients also.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Sounds good to me, I always wondered why no one bothered to offer such a service.
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Basically, anything that would involve communications with hosts, URLs, email addresses, etc that can be specified by the email sender or an intermediary. HTML element attributes and CSS properties that take a URL, for example. Thus the recommendations to treat email messages as plain text. Note, however, that most email clients/interfaces make an exception for hyperlinks and allow those to be clicked on. Since such a click can (and frequently WILL) expose you to tracking, you will have to independently assess links and what will happen if you click on them.

    Return receipts, email confirmations, whatever your email client/interface may call them: make sure these are not supported or at least disabled.

    Then there is the general case of emails and their contents being exposed to third parties. Commercial firms, such as email providers, CRM firms, and various other types of cloud and as-a-service firms. Plus government agencies too, obviously. There are many pieces of info within emails that can be used for tracking/profiling, so minimizing exposure of emails to third parties is paramount. Many of these exposures would occur during the origination/transmission phase and before the email even hits your email server let alone email client. In which case, I think protection would largely boil down to making the sender change their behavior or ceasing all relationships with the sender.
     
    Last edited: Jul 28, 2015
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    Thanks, I was more interested in which HTML elements are automatically downloaded from external sources when opening HTML without user input - click on links and similar.

    From article:
    I don't think that this is entirely correct. I believe that email has to be delivered to inbox before it can be "cleaned" by their service and not the other way around. I don't know how they could intercept email between a sender and your inbox.
    In this case Google, when indexing email, can index those links and by this download or check external content. This would trigger tracking, but the tracker would get false data about the user.
     
  7. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    This is ridiculous.

    So what?

    The "cure" for this "concern"? Hand all of your e-mail contents (and access to your e-mail account) over to some company:
     
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    I understand. If I had compiled such a list, or knew of where you could find one, I would have included it. FWIW, a few searches turned up these:

    https://github.com/cure53/HTTPLeaks
    https://stackoverflow.com/questions...of-html-tag-attributes-which-have-a-url-value
    http://www.pageresource.com/dhtml/cssprops.htm

    Of course, after identifying all of the ways it might happen in a BROWSER context, you'd want to determine which of those ways would work for whichever EMAIL client/interface you are interested in.
     
    Last edited: Jul 29, 2015
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    Thank you for these links. I will check them out.
     
  10. PallMall

    PallMall Guest

    I agree. Moreover, a service such as Trackbuster has access to all incoming emails and this means confidence or not in the company. Neither skeptical nor confident: I just don't know and, therefore, why would I choose to be confident. Reading email (first) in text format with a local email client remains the best choice, IMO.
     
  11. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,003
    Location:
    USA
    Just curious. . . is Trackbuster compatible with all email providers, or just gmail?
     
  12. PallMall

    PallMall Guest

    Trackbuster's FAQ
     
  13. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    Why would you use this service and then also GMail? lol
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    I didn't think about this, but the idea itself is interesting. Perhaps it should be offered by mail providers themselves, that would make more sense.
     
  15. PallMall

    PallMall Guest

    Especially when the email provider already reads your email; while it's at it for commercial purposes, adding an anti-tracking feature for the user's sake would be just fine.
    GMail: "we do have a look at your email but it's also for your security" would sound nice :)
     
  16. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Your email provider would already have access to the email, so theoretically they could do it without creating any additional party exposures. However, commercial companies are notorious for their use of third party processors/providers. It has become riskier to assume that an email provider isn't sharing email [metadata] with some external firm offering an anti-spam, anti-malware, cloud backup, and/or other type of service. By extension, it would be risky to assume that this type of service would be operated in house. You'd want to investigate such things.

    The URLs that are used for tracking/bugging email views, link clicking, etc usually contain a unique identifier that is linkable to other information. Such as an account you have with a commercial company that sent the email. Sometimes, there is other sensitive information embedded within the URLs. These are arguably some of the worst URLs to expose to other parties (including email providers, especially if they are known for datamining).

    FWIW, it is possible to identify tracking bugs, use of third-party relays and/or links, etc on the client device. Possibly even in webmail contexts as well, where a browser addon and/or API could be leveraged. Some would settle for the ability to post-process locally archived email, which is even easier. If it sounds interesting to someone, they should search around and see if they can find something that already exists. Many many scripts and tools have been created to analyze email for evidence of spam. That, too, involves identifying servers/parties involved in the email delivery and identifying URLs within the message. So if you can't find an existing solution that does everything you want, and you have programming experience, you might be able to extend something that is available.

    While reviewing an email client I was reminded that some clients support mapping the location of email senders based on attached vCard, mapping people in your address book based on location fields, stuff like that. I'm not sure if there are any scenarios where an incoming email could automatically trigger a remote lookup, but I thought I'd mention this.
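
An added example, not part of the original thread: a sketch of the local post-processing described in posts 5 and 16, which parses a saved message and separates URLs fetched on render (element attributes, CSS `url()`, 1x1 images) from URLs requested only on click. The names `LeakFinder` and `scan_message`, the attribute subset and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

AUTO_ATTRS = {"src", "background", "poster", "data"}  # fetched on render (subset only)
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
REMOTE = re.compile(r"(https?:)?//", re.I)  # cid:, data:, mailto: are not fetches

class LeakFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_style = [], False  # findings: (kind, tag, url)
    def add(self, kind, tag, urls):
        self.findings += [(kind, tag, u.strip()) for u in urls if REMOTE.match(u.strip())]
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self.in_style = tag == "style"
        for name, value in a.items():
            if name == "style":  # inline CSS url(...)
                self.add("auto-css", tag, CSS_URL.findall(value))
            elif name in AUTO_ATTRS or (tag == "link" and name == "href"):
                tiny = tag == "img" and {a.get("width"), a.get("height")} <= {"0", "1"}
                self.add("auto-pixel" if tiny else "auto", tag, [value])
            elif name == "href":  # requested only if the reader clicks
                self.add("click", tag, [value])
    def handle_endtag(self, tag):
        self.in_style = False  # <style> content contains no nested tags
    def handle_data(self, data):
        if self.in_style:  # contents of a <style> block
            self.add("auto-css", "style", CSS_URL.findall(data))

def scan_message(raw):
    finder = LeakFinder()
    for part in message_from_string(raw, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings

# Constructed sample message; all hosts and tokens are made up.
SAMPLE = """\
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<style>body{background:url("https://t.example/bg.png?u=abc123")}</style>
<body background="//cdn.example/b.gif"><p style="color:red;background:url(https://t.example/li?u=abc123)">Hi</p>
<img src="https://t.example/open.gif?u=abc123" width="1" height="1"><img src="cid:logo">
<a href="https://click.t.example/r?u=abc123">Shop</a></body>
"""
```

Which of the "auto" findings actually fire depends on the mail client, as post 8 notes; the list is a starting point for testing a specific client, not a statement of what it loads.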
     
  17. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Part of why I like Fastmail so much. By default, opening an email won't lead to any tracking.

    Fastmail blocks third party scripts, and by default requires you to click "View as HTML" and then "Load Images" before loading content from emails. Since I prefer webmail over a dedicated email program, my emails are subject to uBlock and MBAE as well. Personally don't find it a hassle.

    With the email aliases, where you can set up alternative addresses, the risk of phishing is drastically reduced because, for example, all my finances go to a particular address.
     
  18. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Ah, now that you mention it... something like uBlock would seem to be helpful in a webmail context. Assuming the user is blocking third-party requests while viewing the email on the webmail host's domain, and the webmail host isn't prefetching for some reason.

    I wanted to look at known IP addresses and host/domain names associated with an email marketing/CRM firm, and chose to search for ExactTarget at https://www.senderbase.org/. Here are some domains (hostname suffixes) that caught my eye:

    accountonline.com
    americanexpress.com
    anthem.com
    bankofamerica.com
    capitaloneemail.com
    discover.com
    e-vanguard.com
    email-alliancehealth.com
    farmers.com
    fidelity.com
    geico.com
    intuit.com
    lendingclub.com
    medscape.com
    merrilledge.com
    progressive.com
    searscard.com
    unitedhealthcare-hmhb.com
    webmd.com
    webmdhealth.com
    webmdprofessional.com
    zillow.com

    If people saw a mailserver and/or URL hostname under one of those domains, most would probably allow it based on the assumption that it is owned/operated by the well-known company they are doing business with. In general, that is even more likely if the situation involves a financial, insurance, health, or other type of company that would be expected to protect communications as best as possible. Rather than make assumptions, one should investigate the hostname and try to determine who really does own/operate the machine(s) behind it. That way, they'll make more informed decisions about allowing or blocking things.

    FWIW, I think ExactTarget is one of the outfits that doesn't use encryption when sending email (STARTTLS). It would be good if people investigate the encryption status of their email as well. Edit: I attempted to clarify language, and wanted to mention the following. In addition to inspecting server logs or Received lines for encryption info, another source of information would be https://www.google.com/transparencyreport/saferemail/data/. I wish it included fraction encrypted for individual email servers, but it is something.
     
    Last edited: Aug 2, 2015
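
An added example, not part of the original thread: one way to do the Received-line inspection mentioned in post 18, classifying each delivery hop as TLS, plaintext or unknown from the RFC 3848 protocol keyword and from the free-text TLS comments some servers add. The function names and the sample headers are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# RFC 3848 protocol keywords: an "S" after "MTP" (ESMTPS, ESMTPSA, LMTPS) marks a TLS hop.
WITH = re.compile(r"\bwith\s+((?:UTF8)?(?:E?S|L)MTP(S?)A?)\b", re.I)
# Free-text TLS comments some servers add, e.g. "(using TLSv1.2 ..." or "(version=TLS1_2 ...".
TLS_NOTE = re.compile(r"\((?:using\s+|version=)(TLS[\w.]+)", re.I)
BY = re.compile(r"\bby\s+(\S+)", re.I)

def classify_hop(received):
    """Return (receiving_host, protocol, verdict) for one Received header value."""
    by, proto, note = BY.search(received), WITH.search(received), TLS_NOTE.search(received)
    if note or (proto and proto.group(2)):
        verdict = "tls"
    elif proto:
        verdict = "plain"      # SMTP/ESMTP/LMTP with no TLS marker
    else:
        verdict = "unknown"    # local hand-off, HTTP submission, or unrecognized format
    return (by.group(1) if by else None, proto.group(1).upper() if proto else None, verdict)

def hop_report(raw):
    """Classify every hop, oldest first (Received headers are prepended in transit)."""
    msg = message_from_string(raw, policy=default)
    return [classify_hop(str(h)) for h in reversed(msg.get_all("Received", []))]

# Constructed sample headers; hosts, ids and addresses are made up.
SAMPLE = """\
Received: from mx.mail.example (mx.mail.example [198.51.100.7])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby store.mail.example (Postfix) with ESMTPS id 4F2A1
\tfor <user@mail.example>; Sun, 2 Aug 2015 10:00:03 +0000
Received: from out.esp.example (out.esp.example [192.0.2.10])
\tby mx.mail.example with ESMTP id 9C1B0
\tfor <user@mail.example>; Sun, 2 Aug 2015 10:00:02 +0000
Received: by out.esp.example id h7k2; Sun, 2 Aug 2015 10:00:01 +0000
From: news@shop.example
Subject: constructed sample

body
"""
```

Only the Received lines added by servers you trust are reliable; earlier ones are supplied by upstream hosts and can be fabricated.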