How emails can be used to track your location and how to stop it

Filed Under: Featured, Google, Google Chrome, Phishing, Privacy, Spam, Web Browsers

A new, free Google Chrome browser extension called Streak lets email senders using Google accounts see when recipients open email.

And, oh my, it also lets senders see who, exactly, opened the email, and where the recipient is located.

The extension, part of a customer relationship management (CRM) system that includes tools for sales, support and hiring, places email recipients on a map, with big red dots indicating their locations. It also gives users real-time location updates.


Streak is a bit creepy. But it's not, of course, "changing the email game", as has been somewhat breathlessly claimed.

Streak may well be in the business of giving marketers the ability to eyeball our whereabouts and our email-opening schedules, but it certainly didn't invent email tracking - not by a long shot.

Email tracking is already used by individuals, email marketers, spammers and phishers to understand where people are, validate email addresses, verify that emails are actually read by recipients, find out if they were forwarded and discover if a given email has made it past spam filters.

The bad news is that if you're thinking you can simply avoid installing Streak if you don't want marketers, creeps, phishers and spammers to see when and where you opened your email, so sorry to tell you, but that's an irrational thought coming from la-la land.

You know that place, right? It's the place where opt-in is the norm.

In the place where we all actually live, recipients don't have to install anything for email tracking to work, nor will they know if their locations and email openings are being tracked.

It's easy as pie - just sit back, open email as usual, and the email trackers will churn their wheels, no recipient involvement required.

Thankfully it's not all bad news.

Because email is actually quite simple, there are only a very small number of techniques that systems like Streak can use to track you - and they're easy for you to disrupt.

Emails are fundamentally inert (in the vernacular, they are not executable), so they can't make your computer run code.

For an email to pull off something like tracking it needs considerable cooperation from your email client and, since you control your email client, that puts you in the driving seat.

Somebody who wants to track you can do one of two things: they can either send an email with a read receipt request, or they can send an email with an embedded image (sometimes referred to as a bug or beacon).

Read receipt requests are included in an email's metadata (its headers). Because the metadata is passive, it amounts to no more than a plea to your email software to please ask for a read receipt.

Different email clients don't agree on what a read receipt header should look like so there's no guarantee your read receipt will even be recognised as one.

If it is recognised then, overwhelmingly, email clients will prompt users and ask if they want to let the sender know that they've read the email. It's not a great technique for email marketeers trying to keep your tracking secret.

You are much more likely to be tracked by embedded images.

A tracking email has to be written in HTML. This allows it to reference an image on a remote server owned by the sender (this part isn't underhand, it's just how HTML works).

When the email is opened, the email software loads the image from the remote server by sending it an HTTP request.

A spammer or marketeer sending a mass mailing can choose to give each email an image with a unique URL so they can tell which recipients have opened their emails.

Like all HTTP requests, the one sent by your email software will reveal your IP address to the server. Because IP addresses are allocated geographically, that's tantamount to providing location data roughly accurate to the city you're in.

The HTTP request will also contain a user-agent header which provides a brief description of your browser and operating system.

So, from one embedded image, systems like Streak can determine:

  • Who opened their email
  • What time the email was opened
  • Where it was opened
  • What sort of device it was opened on
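The two tracking mechanisms described above (a read receipt request in the headers, and a remote image with a per-recipient URL) are easy to spot before any image is loaded. The following inspector is an added example, not code from the article or from Streak; it uses Python's standard `email` and `html.parser` modules, and the message, host names and token in `SAMPLE` are constructed for illustration. It flags an `<img>` as beacon-like when it is 1x1 (or 0x0) or carries a long opaque token in its URL, which is the heuristic used here, not a definition from the page.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit
# A long opaque token in the path or query is the per-recipient identifier that turns an image into a beacon.
_TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}")

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lower-cases tag and attribute names
            self.images.append(dict(attrs))

def parse_mail(raw):
    return message_from_string(raw, policy=default)  # RFC 5322 text -> EmailMessage

def wants_read_receipt(msg):
    """True if the sender asked the client for a read receipt (MDN request headers)."""
    return "Disposition-Notification-To" in msg or "Return-Receipt-To" in msg

def classify_images(msg):
    """List every remote image a client would fetch, flagging beacon-like traits."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            src = (img.get("src") or "").strip()
            if not src.lower().startswith(("http://", "https://")):
                continue  # cid: and data: images never leave the message, so they leak nothing
            url = urlsplit(src)
            findings.append({
                "url": src,
                # a 1x1 (or 0x0) image exists only to trigger the HTTP request
                "tiny": img.get("width") in ("0", "1") or img.get("height") in ("0", "1"),
                # a unique token lets the sender tell *which* recipient opened the mail
                "unique_token": bool(_TOKEN.search(url.path + "?" + url.query)),
            })
    return findings

# Constructed sample (not a real mailing): one tracking beacon and one ordinary banner.
SAMPLE = """\
From: newsletter@example.com
Disposition-Notification-To: newsletter@example.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="https://tracker.example.com/open/9f8c2a1b4d7e6f30ab12" width="1" height="1">
<img src="https://cdn.example.com/banner.png" width="600" height="120">
</body></html>
"""
```

Running `classify_images(parse_mail(SAMPLE))` reports the first image as tiny with a unique token and the banner as neither, and `wants_read_receipt` is true because of the Disposition-Notification-To header.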

The answer to protecting yourself from this kind of tracking is straightforward - don't load the images.

You can do this by forcing all your email to render as plain text or by allowing it to render HTML without images.

Most email clients are well disposed to help you with this and will actually do the latter by default, giving you the option to download the images if you decide you want them.

The most notable exception to this is Gmail which loads remote content automatically unless you take back control of your images.

For your part you need only understand that loading images in emails means "tell the sender you've just opened their email and you'd like them to send you the rest of the message".

So, if you don't trust marketers and stalkers with your location and email-reading schedule, it's time to take back remote content loading.

Below are instructions on how to switch off image loading in seven of the most popular email clients:

iOS Mail

  1. Click the Settings icon
  2. Click Mail, Contacts, and Calendars
  3. Toggle Load Remote Images to off.

Outlook (Desktop - 2007)

  1. Click the Tools menu
  2. Click Trust Center
  3. Click Automatic Download
  4. Check Don't download pictures automatically in HTML e-mail messages or RSS items.

Outlook (Desktop - 2010)

  1. Click File | Options
  2. Click the Trust Center on the left
  3. Click the Trust Center Settings button on the right
  4. Click the Automatic Download (default) link on the left
  5. Uncheck the top checkbox

Outlook.com

  1. Click on the Settings icon (cog)
  2. Click More Email settings
  3. Click Filters and Reporting under Junk Email
  4. Select Block attachments, pictures, and links for anyone not in my safe senders list.

Apple’s Mail

  1. Click Mail
  2. Click Preferences
  3. Click Viewing
  4. Uncheck Display remote images in HTML messages.

Yahoo Mail

  1. Click the Settings icon
  2. Click Settings
  3. Click Security
  4. Locate Show images in email
  5. Select Never by Default.

Gmail

  1. Click the Settings icon
  2. Stay in the General tab
  3. Scroll down to the Images section
  4. Choose Ask before displaying external images
  5. Click Save Changes.

Android Gmail app

  1. Tap the menu button
  2. Tap Settings
  3. Tap on your email address
  4. Scroll to the bottom of the screen
  5. Tap Images
  6. Select Ask before showing.

Although this article is mostly about how emails you receive can leak information about you, it's worth understanding that emails you send can too.

When you send an email, each server your message passes through will stamp the email with its IP address. The first IP address in that list is normally yours - the one that can be used to locate what city you're in.

The only way we can think of to avoid this is to use a webmail service (and you have to use its web interface).

In our quick and dirty testing I found that Gmail, FastMail and Outlook will all keep your IP address secret but Yahoo, the perennial latecomers to the security and privacy party, won't.
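To see what the Received header chain gives away, here is an added example (not from the article) that walks the chain from the first hop outwards and reports the first routable address, which is the one a recipient could geolocate. Both messages are constructed using documentation address ranges; the `DIRECT` sample models a desktop client submitting through its provider's server, and the `WEBMAIL` sample models a webmail session where the provider's own server is the first public hop.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# The bracketed address after "from" is what the receiving server actually saw connecting.
_FROM_IP = re.compile(r"\bfrom\b.*?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", re.S)
# LAN/NAT and loopback ranges say nothing about where the sender is on the Internet.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]

def hop_ips(raw):
    """Connecting-host IPs in delivery order: the sender's first hop comes first."""
    msg = message_from_string(raw, policy=default)
    ips = []
    # Each relay prepends its own Received header, so the bottom one is the first hop.
    for header in reversed(msg.get_all("Received", [])):
        match = _FROM_IP.search(header)
        if match:
            ips.append(match.group(1))
    return ips

def originating_ip(raw):
    """First routable address in the chain: the one a recipient could geolocate."""
    for ip in hop_ips(raw):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not any(addr in net for net in _INTERNAL):
            return ip
    return None

# Constructed samples (documentation address ranges, not real hosts).
# Desktop client submitting directly: the ISP-assigned address is stamped in.
DIRECT = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
    by inbound.example.org with ESMTPS; Fri, 28 Feb 2014 01:52:00 +0000
Received: from alice-laptop (cpe.isp.example [203.0.113.45])
    by mx.example.net with ESMTPSA; Fri, 28 Feb 2014 01:51:58 +0000
From: alice@example.net

hello
"""
# Webmail: the browser's NAT address is internal, so the first public hop is the provider.
WEBMAIL = """\
Received: from webmail.example.net (webmail.example.net [192.0.2.10])
    by inbound.example.org with ESMTPS; Fri, 28 Feb 2014 01:52:00 +0000
Received: from [10.4.1.22] by webmail.example.net with HTTP; Fri, 28 Feb 2014 01:51:58 +0000
From: alice@example.net

hello
"""
```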


26 Responses to How emails can be used to track your location and how to stop it

  1. Cliff · 235 days ago

    Google claims that its practice of caching images on its own proxy servers defeats the tracking mechanisms you describe. (https://support.google.com/mail/answer/145919?p=display_images&rd=1). Is this true?

    • Andrew Ludgate · 235 days ago

      Seems like it would defeat basic mechanisms, but as that page says: "In some cases, senders may be able to know whether an individual has opened a message with unique image links." So the location tracking would be gone, but they'd still know when you opened it.

    • Dwi X-Cisadane · 234 days ago

      Yup, you're right man, I've tried this technique.
      Take a look at this:

      February 28, 2014, 1:52 am
      IP: 66.249.80.XXX
      Useragent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (via ggpht.com GoogleImageProxy)

      Yeah, when the recipient got that email, this message appeared: Images are not displayed. Display images below - Always display images from blahblah@email.com
      So this method can't be used for Gmail.

      • Anonymous · 234 days ago

        I wouldn't be so certain. If the robots file prevents Google from spidering it, and/or there was a no-cache tag, then whenever display images was clicked wouldn't it have to pull the image from the remote server?

        • William R. · 3 days ago

          As stated in Streak's Faq:

          -------------------------------------------------
          Why don't I see the viewer's location?

          Google recently made a change to Gmail that makes them a "middle man" for the image requests. What happens is that when the recipient opens the email, the email client loads a Google URL for the image, and Google then requests the image from our server. So we know when an email was opened, but we really have no idea who actually read the email, that's why it is all anonymous.

          -------------------------------------------------
          So we shall admit it is no more active - having it back would be of great help.

  2. Thank you - that is so useful. Rather worrying the lengths companies will stoop to just for marketing purposes.

  3. Simon · 235 days ago

    There's a summary of some email providers who will hide your IP address when sending mail here: http://www.raymond.cc/blog/hide-sender-ip-address-in-email-headers/

  4. Simon · 235 days ago

    Problem is, people got used to rich layouts in e-mail and much of the content itself is images.

    Google defaulted to displaying images, but like the Blog post says:
    " Instead of serving images directly from their original external host servers, Gmail will now serve all images through Google’s own secure proxy servers."

    My understanding is that marketers will see that the mail was opened and when (in case of uniquely generated image URIs), but they won't see the where because it will be fetched from a Google proxy.

    • Yes, any requests sent through a proxy will come with the proxy's IP address rather than the original address. Note that some proxies will add an X-Forwarded-For header which contains the original IP address.

      • Laurence Marks · 234 days ago

        But, but....if every image has a unique URL tied to the recipient, how would Google cache them?

        • If their cache operates in the normal way they won't. Each URL will be treated as a unique object and each one will be cached (making the cache moot).

          All of those unique URLs will be fetched on the users' behalf by the proxy. The server will get the proxy's IP but it will get an individual request for each URL so it will know who opened their email and when but not where.

          • paintdry · 232 days ago

            Given the technology that powers Google features like image search though, it is feasible that they have a means of identifying that different URLs will all display the same image, so don't fetch them every time. It's also feasible that the Google cache could automatically retrieve every image URL in an email as soon as the email arrives at Google, rendering the tracking useless.

            • paintdry · 232 days ago

              (I still wouldn't trust it though, I always view emails with image retrieval disabled)

  5. Have to say people were doing this years ago. I know people who were using this sort of thing about 8 years ago!

  6. David · 235 days ago

    I just tried the Outlook.com tip. While I was there I saw this button (currently unchecked)...
    "Don't report - The Junk button will act just like the Delete button. Nothing will be reported to Microsoft or anyone else."
    Does this mean that if I delete a piece of junk mail, the sender COULD be notified and thus confirming it reached a target?
    It's the "anyone else" that caught my attention.

    • Anonymous · 235 days ago

      I think you're misreading that statement. What I read is that the checkbox in question will change your Junk button to a Delete button. With the checkbox unchecked, when you click junk, it reports the selected message to Microsoft as spam to help train its Bayesian filters (or someone else's).

  7. Cliff and Simon are correct. I am not however sure when GMail will pull the image from the sender's server. Upon receiving the image or when it is opened.

  8. Joe · 235 days ago

    You should also add the following two lines to your hosts file:

    127.0.0.1 mailfoogae.appspot.com
    127.0.0.1 streak.com

    These are where the offending images live.

  9. MikeP_UK · 234 days ago

    Even the opener's IP address may not help the marketeers as they are not all 'fixed' and some relate to towns many miles away. My external IP is changed every time I restart my router/modem and it could be given an IP that relates to a town or city up to 200 or so miles away, depending on availability at the time. So it could appear that I am in Birmingham, or London, or Bristol, or Cardiff but I am nowhere near any of those! As I live in a very rural area with poor ADSL, the connection is often renegotiated, resulting in a different IP every time!
    Plus those who use an internal network with NAT will be using a different IP to that shown externally by the router/modem.
    And all that the act of opening the message does is indicate, perhaps, that it has been opened but not by whom! Think about it, I'm on holiday and my PA opens my emails in my absence in case there is anything needing urgent attention. So I didn't but the system discussed here thinks I did - wrongly.

    • MikeP_UK · 234 days ago

      Oh, and what about when I use the VPN? I'm not in the office where that appears to be and can be anywhere in the world connecting to my company VPN - or using a VPN service offered by some service companies. So I could appear to be in New York but actually be in Cape Town. (I've been offered discount theatre tickets in NY while actually in Melbourne, Australia. One of our VPN servers sits in NY office, we have others too.)

  10. RF · 234 days ago

    Curious: So what do you (in Apple mail) once you have unchecked the box, but receive an email with content you DO want to see? Does one have to constantly go back to preferences and check the box just to see a desired (html+ images) email from a known source?

    • Anonymous · 233 days ago

      A "Load Images" button is shown allowing you to manually load the images in that message. Annoyingly, every *subsequent* time one loads the same message one needs to press the same button. A more sensible option would be to only ask the first time. I believe this is what Outlook 2010 does, for example.

  11. Mike B · 234 days ago

    Mozilla's Thunderbird is another client that by default will not load remote images without your specific consent *unless the source is in your address book*. It's fairly user-friendly ... you get a warning plus an "show image" button which you can ignore. There's also an "always allow from ..." link which essentially sets up a new addy-book entry for that site ... I created an "image database" folder for that purpose.

  12. KMail:

    1. Setting => Security
    2. Deselect "Prefer HTML to plain text"
    3. Deselect "Allow messages to load external references from the Internet"

  13. Jim · 229 days ago

    The steps aren't quite right for "Outlook (Desktop". It seems to be a hybrid of Outlook 2007 and 2010 steps. For 2010:

    Click File | Options.
    Click the Trust Center link on the left.
    Click the Trust Center Settings button on the right.
    Click the Automatic Download link on the left.
    Check the top checkbox.

    By default, all of the boxes are checked. Read the descriptions of the other checkboxes to see if you really want to allow those items, in addition to checking the main checkbox.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.

About the author

Mark Stockley is the founder of independent web consultancy Compound Eye and he's interested in literally anything that makes websites better. Follow him on Twitter at @MarkStockley