A new, free Google Chrome browser extension called Streak lets email senders using Google accounts see when recipients open email.
And, oh my, it also lets senders see who, exactly, opened the email, and where the recipient is located.
The extension, part of a customer relationship management (CRM) system that includes tools for sales, support and hiring, places email recipients on a map, with big red dots indicating their locations. It also gives users real-time location updates.
Streak is a bit creepy. But it’s not, of course, “changing the email game”, as has been somewhat breathlessly claimed.
Streak may well be in the business of giving marketers the ability to eyeball our whereabouts and our email-opening schedules, but it certainly didn’t invent email tracking – not by a long shot.
Email tracking is already used by individuals, email marketers, spammers and phishers to understand where people are, validate email addresses, verify that emails are actually read by recipients, find out if they were forwarded and discover if a given email has made it past spam filters.
The bad news is that if you’re thinking that you can just avoid installing Streak if you don’t want marketers, creeps, phishers and spammers to see when and where you opened your email, so sorry to tell you, but that’s just an irrational thought coming from la-la land.
You know that place, right? It’s the place where opt-in is the norm.
In the place where we all actually live, recipients don’t have to install anything for email tracking to work, nor will they know if their locations and email openings are being tracked.
It’s easy as pie – just sit back, open email as usual, and the email trackers will churn their wheels, no recipient involvement required.
Thankfully it’s not all bad news.
Because email is actually quite simple, there are only a very small number of techniques that systems like Streak can use to track you – and they’re easy for you to disrupt.
Emails are fundamentally inert (in the vernacular they are not executable) so they can’t make your computer run code.
For an email to pull off something like tracking it needs considerable cooperation from your email client and, since you control your email client, that puts you in the driving seat.
Somebody who wants to track you can do one of two things: send an email with a read receipt request, or send an email with an embedded image (sometimes referred to as a bug or beacon).
Read receipt requests are included in an email’s metadata (its headers). Because the metadata is passive it amounts to no more than a plea to your email software to please ask for a read receipt.
Different email clients don’t agree on what a read receipt header should look like, so there’s no guarantee your read receipt request will even be recognised as one.
If it is recognised then, overwhelmingly, email clients will prompt users and ask if they want to let the sender know that they’ve read the email. It’s not a great technique for email marketeers trying to keep your tracking secret.
You are much more likely to be tracked by embedded images.
A tracking email has to be written in HTML. This allows it to reference an image on a remote server owned by the sender (this part isn’t underhand, it’s just how HTML works).
When the email is opened, the email software loads the image from the remote server by sending it an HTTP request.
A spammer or marketeer sending a mass mailing can choose to give each email an image with a unique URL so they can tell which recipients have opened their emails.
Like all HTTP requests, the one sent by your email software will contain your IP address. Because IP addresses are allocated geographically, that’s tantamount to providing location data accurate to what city you’re in.
The HTTP request will also contain a user-agent header which provides a brief description of your browser and operating system.
So, from one embedded image systems like Streak can determine:
- Who opened their email
- What time the email was opened
- Where it was opened
- What sort of device it was opened on
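As an added example (not code from the original article), here is a small Python check that does what a mail client’s “block remote content” setting does before anything is rendered: it lists the remote images an HTML mail references and flags the ones that look like tracking beacons. The message, the sender, the hosts and the recipient token in it are all constructed.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit, parse_qs

# Constructed sample (hypothetical sender, hosts and token): an HTML mail with an
# ordinary remote logo plus a hidden 1x1 pixel whose URL carries a per-recipient id.
SAMPLE_EMAIL = """\
From: news@example-marketing.test
To: alice@example.test
Subject: Our spring offers
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello Alice,</p>
<img src="https://cdn.example-marketing.test/logo.png" alt="logo">
<img src="https://track.example-marketing.test/open.gif?rid=a1b2c3d4e5f6&cid=9981"
     width="1" height="1" style="display:none">
</body></html>
"""

IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")


def remote_images(raw_message):
    """Describe every remote image the HTML part references.

    Fetching any of these sends the sender an HTTP request carrying the reader's
    IP address and User-Agent at the moment the mail is opened; a client that
    blocks remote content never sends it. Query parameters are the usual home
    of a per-recipient token, and a 1x1 or hidden image has no other purpose.
    """
    msg = message_from_string(raw_message, policy=default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []  # plain-text mail cannot reference remote content
    found = []
    for tag in IMG_RE.findall(html_part.get_content()):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # cid:/data: images are embedded, they do not phone home
        has_token = bool(parse_qs(parts.query))
        tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
        hidden = "display:none" in attrs.get("style", "").replace(" ", "")
        found.append({
            "url": src,
            "host": parts.hostname,
            "has_token": has_token,
            "likely_beacon": has_token or tiny or hidden,
        })
    return found
```

Calling `remote_images(SAMPLE_EMAIL)` reports the logo as a plain remote image and the second tag as a beacon with a token; either one, if loaded, tells the sender when and from which address the mail was read.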
The answer to protecting yourself from this kind of tracking is straightforward – don’t load the images.
You can do this by forcing all your email to render as plain text or by allowing it to render HTML without images.
Most email clients are well disposed to help you with this and will actually do the latter by default, giving you the option to download the images if you decide you want them.
The most notable exception to this is Gmail which loads remote content automatically unless you take back control of your images.
For your part you need only understand that loading images in emails means “tell the sender you’ve just opened their email and you’d like them to send you the rest of the message”.
So, if you don’t trust marketers and stalkers with your location and email-reading schedule, it’s time to take back remote content loading.
Below are instructions on how to switch off image loading in seven of the most popular email clients:
iOS Mail
- Click the Settings icon
- Click Mail, Contacts, and Calendars
- Toggle Load Remote Images to off.
Outlook (Desktop – 2007)
- Click the Tools menu
- Click Trust Center
- Click Automatic Download
- Check Don’t download pictures automatically in HTML e-mail messages or RSS items.
Outlook (Desktop – 2010)
- Click File | Options
- Click the Trust Center on the left
- Click the Trust Center Settings button on the right
- Click the Automatic Download (default) link on the left
- Uncheck the top checkbox
Outlook.com
- Click on the Settings icon (cog)
- Click More Email settings
- Click Filters and Reporting under Junk Email
- Select Block attachments, pictures, and links for anyone not in my safe senders list.
Apple’s Mail
- Click Mail
- Click Preferences
- Click Viewing
- Uncheck Display remote images in HTML messages.
Yahoo Mail
- Click the Settings icon
- Click Settings
- Click Security
- Locate Show images in email
- Select Never by Default.
Gmail
- Click the Settings icon
- Stay in the General tab
- Scroll down to the Images section
- Choose Ask before displaying external images
- Click Save Changes.
Android Gmail app
- Tap the menu button
- Tap Settings
- Tap on your email address
- Scroll to the bottom of the screen
- Tap Images
- Select Ask before showing.
Although this article is mostly about how emails you receive can leak information about you, it’s worth understanding that emails you send can too.
When you send an email, each server your message passes through will stamp the email with its IP address. The first IP address in that list is normally yours – the one that can be used to locate what city you’re in.
The only way we can think of to avoid this is to use a webmail service (and you have to use its web interface).
In our quick and dirty testing I found that Gmail, FastMail and Outlook will all keep your IP address secret but Yahoo, the perennial late comers to the security and privacy party, won’t.
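An added example (not from the article) that reads the Received headers of a message to find the first-hop address described above. The hosts are hypothetical and the addresses come from the RFC 5737 documentation ranges; the sample also covers the case of a sender behind NAT, where the first hop is a LAN address and the geolocatable one is the gateway after it.

```python
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address, ip_network

# Constructed sample (hypothetical hosts; addresses from the RFC 5737 documentation
# ranges). Each relay prepends its own Received header, so the LAST one in the
# block is the first hop: here a PC on a corporate LAN handing the mail to the
# company server, which then sends it out through a NAT gateway.
DESKTOP_CLIENT_MAIL = """\
Received: from mx.example-receiver.test (mx.example-receiver.test [203.0.113.9])
        by inbox.example-receiver.test with ESMTP; Mon, 24 Feb 2014 10:01:05 +0000
Received: from mail.corp-example.test (gw.corp-example.test [198.51.100.77])
        by mx.example-receiver.test with ESMTPS; Mon, 24 Feb 2014 10:01:03 +0000
Received: from alices-pc.corp-example.lan ([192.168.1.23])
        by mail.corp-example.test with ESMTPA; Mon, 24 Feb 2014 10:01:01 +0000
From: alice@corp-example.test
To: bob@example-receiver.test
Subject: hello

sent from a desktop client, not webmail
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Addresses that only mean something inside someone's LAN (RFC 1918 + loopback).
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                      "192.168.0.0/16", "127.0.0.0/8")]


def received_chain(raw_message):
    """IPs stamped in Received headers, ordered from the first hop to the last."""
    msg = message_from_string(raw_message, policy=default)
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):  # oldest hop sits lowest
        m = IP_RE.search(str(hdr))
        if m:
            chain.append(m.group(1))
    return chain


def originating_ip(raw_message):
    """The earliest public address in the chain, i.e. the one a recipient could
    geolocate to the sender's city. LAN addresses behind NAT are skipped because
    they say nothing about where the sender is. Received headers are written by
    each relay in turn and the sender's own side can forge them, so treat the
    result as a hint, not proof."""
    for ip in received_chain(raw_message):
        addr = ip_address(ip)
        if not any(addr in net for net in LOCAL_NETS):
            return ip
    return None
```

For a message sent through a webmail interface the first public hop would instead be the provider’s own server, which is why the article recommends that route.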
Google claims that its practice of caching images on its own proxy servers defeats the tracking mechanisms you describe. Is this true?
Seems like it would defeat basic mechanisms, but as that page says: “In some cases, senders may be able to know whether an individual has opened a message with unique image links.” So the location tracking would be gone, but they’d still know when you opened it.
Yup you’re right man, I’ve tried this technique.
Take a look at this:
February 28, 2014, 1:52 am
IP: 66.249.80.XXX
Useragent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (via ggpht.com GoogleImageProxy)
Yeah, when the recipient gets that email, this message will appear: Images are not displayed. Display images below – Always display images from blahblah@email.com
So this method can’t be used for Gmail.
I wouldn’t be so certain. If the robots file prevents Google from spidering it, and/or there was a no-cache tag, then whenever display images was clicked wouldn’t it have to pull the image from the remote server?
As stated in Streak’s Faq:
————————————————-
Why don’t I see the viewer’s location?
Google recently made a change to Gmail that makes them a “middle man” for the image requests. What happens is that when the recipient opens the email, the email client loads a Google URL for the image, and Google then requests the image from our server. So we know when an email was opened, but we really have no idea who actually read the email, that’s why it is all anonymous.
————————————————-
So we shall admit it is no more active – having it back would be of great help.
Thank you – that is so useful. Rather worrying the lengths companies will stoop to just for marketing purposes.
Problem is, people got used to rich layouts in e-mail and much of the content itself is images.
Google defaulted to displaying images, but like the Blog post says:
“Instead of serving images directly from their original external host servers, Gmail will now serve all images through Google’s own secure proxy servers.”
My understanding is that marketers will see that the mail was opened and when (in case of uniquely generated image URIs), but they won’t see the where because it will be fetched from a Google proxy.
Yes, any requests sent through a proxy will come with the proxy’s IP address rather than the original address. Note that some proxies will add an X-Forwarded-For header which contains the original IP address.
But, but….if every image has a unique URL tied to the recipient, how would Google cache them?
If their cache operates in the normal way they won’t. Each URL will be treated as a unique object and each one will be cached (making the cache moot).
All of those unique URLs will be fetched on the users’ behalf by the proxy. The server will get the proxy’s IP but it will get an individual request for each URL so it will know who opened their email and when but not where.
Given the technology that powers Google features like image search though, it is feasible that they have a means of identifying that different URLs will all display the same image, so don’t fetch them every time. It’s also feasible that the Google cache could automatically retrieve every image URL in an email as soon as the email arrives at Google, rendering the tracking useless.
(I still wouldn’t trust it though, I always view emails with image retrieval disabled)
Have to say people were doing this years ago. I know people who were using this sort of thing about 8 years ago!
I just tried the Outlook.com tip. While I was there I saw this button (currently unchecked)…
“Don’t report – The Junk button will act just like the Delete button. Nothing will be reported to Microsoft or anyone else.”
Does this mean that if I delete a piece of junk mail, the sender COULD be notified and thus confirming it reached a target?
It’s the “anyone else” that caught my attention.
I think you’re misreading that statement. What I read is that the checkbox in question will change your Junk button to a Delete button. With the checkbox unchecked, when you click Junk, it reports the selected message to Microsoft as spam to help train its Bayesian filters (or someone else’s).
Cliff and Simon are correct. I am not however sure when GMail will pull the image from the sender’s server. Upon receiving the image or when it is opened.
You should also add the following two lines to your hosts file:
127.0.0.1 mailfoogae.appspot.com
127.0.0.1 streak.com
These are where the offending images live.
Even the opener’s IP address may not help the marketeers as they are not all ‘fixed’ and some relate to towns many miles away. My external IP is changed every time I restart my router/modem and it could be given an IP that relates to a town or city up to 200 or so miles away, depending on availability at the time. So it could appear that I am in Birmingham, or London, or Bristol, or Cardiff but I am nowhere near any of those! As I live in a very rural area with poor ADSL, the connection is often renegotiated, resulting in a different IP every time!
Plus those who use an internal network with NAT will be using a different IP to that shown externally by the router/modem.
And all that the act of opening the message does is indicate, perhaps, that it has been opened but not by whom! Think about it, I’m on holiday and my PA opens my emails in my absence in case there is anything needing urgent attention. So I didn’t but the system discussed here thinks I did – wrongly.
Oh, and what about when I use the VPN? I’m not in the office where that appears to be and can be anywhere in the world connecting to my company VPN – or using a VPN service offered by some service companies. So I could appear to be in New York but actually be in Cape Town. (I’ve been offered discount theatre tickets in NY while actually in Melbourne, Australia. One of our VPN servers sits in NY office, we have others too.)
Just curious would the end country that the email was opened in at least give you the country the person is in who opened it, even with Gmail? I am curious because it seems depending on where you are it can go through the US then either to Bristol or Europe depending on the email. So would this mean regardless that the person is definitely in the UK for one and Europe for the other emails? At least pin pointing countries using Gmail is good if this is the true area they are in even if not exact proximity. So if a person was in the US as an example the last opened email would show US as the destination country? Does anyone know the answer to this?
The person who receives an email can see the path it took to arrive (there’s a list of the servers it went through along the way, though you can never be sure how accurate it is). The sender can’t tell how the email was routed after they send it… and all the recipient can see is that it “came from some Google server somewhere”, which doesn’t show where it really originated.
The way most companies track your email is explained in the article – they use some kind of web link that is downloaded directly from your computer after the email has arrived and you have opened it, so the tracking is now happening outside Gmail. Fortunately most modern email programs don’t download email links (not even images such as company logos) by default, which reduces the extent to which you can be tracked that way.
Curious: So what do you (in Apple mail) once you have unchecked the box, but receive an email with content you DO want to see? Does one have to constantly go back to preferences and check the box just to see a desired (html+ images) email from a known source?
A “Load Images” button is shown allowing you to manually load the images in that message. Annoyingly, every *subsequent* time one loads the same message one needs to press the same button. A more sensible option would be to only ask the first time. I believe this is what Outlook 2010 does, for example.
Mozilla’s Thunderbird is another client that by default will not load remote images without your specific consent *unless the source is in your address book*. It’s fairly user-friendly … you get a warning plus a “show image” button which you can ignore. There’s also an “always allow from …” link which essentially sets up a new addy-book entry for that site … I created an “image database” folder for that purpose.
KMail:
1. Setting => Security
2. Deselect “Prefer HTML to plain text”
3. Deselect “Allow messages to load external references from the Internet”
The steps aren’t quite right for “Outlook (Desktop)”. It seems to be a hybrid of Outlook 2007 and 2010 steps. For 2010:
Click File | Options.
Click the Trust Center link on the left.
Click the Trust Center Settings button on the right.
Click the Automatic Download link on the left.
Check the top checkbox.
By default, all of the boxes are checked. Read the descriptions of the other checkboxes to see if you really want to allow those items, in addition to checking the main checkbox.
Thanks Jim, we have updated the article.
I have Streak on my gmail account and know someone else other than the intended is reading a lot of email I send. How do I catch and report this person? I have a good idea who it may be. Do I go to Google, my Internet provider or try to determine who the suspected offender has as an Internet provider?
I discovered yesterday that even when using the GMail web interface with a Google Apps account that my real IP address is sent.
An email I sent was first opened at a location in US and then a few minutes later at a location in Canada.
Does this mean two different individuals opened my email? Could there be another explanation?
So if I send my boyfriend a picture and we both have gmail emails how the hell can he track my location but I can’t see his and how please tell me there is a way to turn it off so I can send pics WITHOUT it giving out my information…. ? And how do I see when he reads my emails ? He’s a computer genius as I am not and don’t send them from a computer I use my iPhone please help me!
Hi, if I reply to the sender (using yahoomail), will they know my location?
I can’t answer that because I haven’t looked at exactly how Yahoo’s web mail service routes and handles email, or what it puts in its headers. In theory, because the email will be sent from somewhere in Yahoo’s cloud, it could have an IP address (network number) from anywhere in the world – and definitely not where you live, unless you live in a data centre :-) But the server your email gets sent from might say *something* about where you are, e.g. if EU email is sent from an EU server.
Of course, if the sender got your email address (e.g. for advertising emails) from a mailing list, legally or illegally acquired, they might know a fair bit about you anyway, based on information you shared with some third party at some earlier time…