How many times a day do you check email? We know that web trackers snoop and stalk us when we surf, but the same could be said of email tracking. In fact, it’s much more intense than you likely realized according to “I never signed up for this! Privacy implications of email tracking” (pdf); the paper was written by Princeton University researchers Steven Englehardt, Jeffrey Han and Arvind Narayanan for the PETS 2018 (Proceedings on Privacy Enhancing Technologies).
The researchers called email tracking “pervasive” as 85% contained embedded third-party content; of those, 70% are the same ones that are involved in web tracking.
As Englehardt explained, by simply opening an email, “This allows those third parties to track you across the web and connect your online activities to your email address, rather than just to a pseudonymous cookie.”
The trackers “can connect email addresses to browsing histories and profiles, which leads to further privacy breaches such as cross-device tracking and linking of online and offline activities.”
Their OpenWPM web crawler visited 15,700 sites which offered commercial mailing list subscription forms and managed to sign up for 12,618 mailing lists from 902 senders. They found “a network of hundreds of third parties that track email recipients via methods such as embedded pixels. About 30% of emails leak the recipient’s email address to one or more of these third parties when they are viewed. In the majority of cases, these leaks are intentional on the part of email senders, and further leaks occur if the recipient clicks links in emails.”
How much of it is intentional? The paper said, “62% of the 100,963 leaks to third parties are intentional.” The privacy risk is even worse “if the leaked email address is associated with a tracking cookie, as it would be in many webmail clients.” The tracking cookie picked up by viewing an email can link email addresses to tracking profiles even after users clear their…