It may be an understatement to say “the simple act of viewing emails contains privacy pitfalls.” But that’s the main theme of “I never signed up for this! Privacy implications of email tracking,” a research paper delivered at the Federal Trade Commission’s PrivacyCon 2018 this week.
The authors — Steven Englehardt and Arvind Narayanan — put tracking, a widely used email marketing tool, under a harsh light. And they tie it to the spread of personally identifiable information (PII).
For this research, the writers identified “a network of hundreds of third parties that track email recipients via methods such as embedded pixels.”
The problem is that “about 30% of emails leak the recipient's email address to one or more of these third parties when they are viewed.”
These leaks are intentional in most cases, and “further leaks occur if the recipient clicks links in emails,” the authors continue.
“This is of concern not only because can learn the recipient’s IP address, when emails were opened, and so on, but also because these third parties are by and large the same ones that are involved in web tracking,” they warn.
And they add: “This means that trackers can connect email addresses to browsing histories and profiles, which leads to further privacy breaches such as cross-device tracking and linking of online and offline activities.”
To continue: “these are downloaded an rendered by the email client when the user views the email (unless they are proxied by the user’s email server; of the providers we studied, only Gmail and Yandex do so).
We agree with some of what this trio say: it’s a clear violation to track — or do much of anything — if these are not permission-based subscriber lists. But do they mean to say that cross-device tracking — a measurement and attribution tool — is a privacy violation?
It probably is under General Data Protection Regulation — that is, when it occurs without notification and transparency. And the FTC may see it the same way.
The authors note that “email began as a non-interactive protocol for sending simple textual messages.” But they add that “modern email clients support much of the functionality of the web, and the explosion of third-party web tracking has also extended to emails, especially mailing lists.”
Yet “nearly 91% of URLs containing leaks of emails are sent in plaintext.”
The purpose of this report is not to help companies, but to warn the public of this purported violation. And it includes the government as a possible violator.
“The NSA is known to piggyback on advertising cookies for surveillance, and our work suggests one way in which a surveillance agency might attach identities to web activity records,” it states.
But doesn’t hashing work to protect passwords and email addresses? No.
“Hashing of PII, including emails, is not a meaningful privacy protection,” the research team states. “This is folk knowledge in the security community, but bears repeating.”
What’s the flaw in hashing? When user records in a database are keyed by hashed email address, looking up the record for a given email address is trivial: simply hash it first and look it up (indeed, this is the whole point of storing hashed email addresses at all).”
In addition, “data associated with a hash of an unknown email address is also likely to be recoverable.”
In the future, the authors want to zero in on mailing list managers.
“It would be helpful to better understand the relationship between email senders and mailing list managers (such as Constant Contact). To what extent is email tracking driven by senders versus mailing list managers? When a sender sets up a marketing campaign with a mailing list manager, is the tracking disclosed to the sender?”
Their solution to the whole dilemma?
“We propose…a new defense, namely stripping tracking tags from email based on enhanced versions of existing web tracking protection lists.”
Here’s the link if you want to delve into the extended technical discussion.