What is a tracking pixel and can strangers really spy on me through email?

Share All sharing options for: What is a tracking pixel and can strangers really spy on me through email?

Is it true that an app called Superhuman lets me spy on people using email?

That’s what we heard, too: When you sent an email using this $30-a-month invite-only app, it automatically tracked every time a recipient looks at that email, and even showed you their location. That’s because it uses hidden pixel trackers, according to a viral blog post from Mike Davidson, former VP of design at Twitter.

BTW we love your energy here, already assuming you’re going to be the one spying. That’s an excellent analogy for what Superhuman was doing with email trackers. They were on by default, tracking anyone you send email to, whether that was your intention or not.

Of course it’s a good analogy. You wrote both the question and the answer!

Just like how Superhuman decided that you’d like to spy on people, and that they wouldn’t mind getting spied on. We’re so glad you get it.

What is a tracking pixel and can I use it to destroy my enemies?

You know how every image on the internet is stored on a server, and your computer automatically downloads them as you browse? Years ago, some genius figured out that your computer’s image requests can let those same servers track your activity across the web — and when it comes to email, they can let the sender see when you’ve opened a given message just by sneaking in an image.

It’s remarkably simple: when you open the email, you automatically download that image, and that image request immediately lets the server know that you’ve opened it.

So if your enemies are “people you want to catch in a lie about having read your email,” absolutely.

Did you read my email? Please read my email.

We always read your emails. Promise.

Do tracking pixels have other names? What do they look like? How do I spot one? What are some other names for tracking pixels?

The Wikipedia page says they’re also called web beacons, web bugs, tracking bugs, web tags, page tags, pixel tags, 1 x 1 GIFs, and clear GIFs. With email, sometimes the overall concept’s known as “open tracking.” “Read receipts” are a related idea.

You probably haven’t seen a tracking pixel, at least not with your naked eyes, because they can literally be a single 1 x 1 pixel image buried somewhere in an email or webpage. Did we mention they’re often completely invisible, because they’re transparent? Oh, and they might actually be embedded in that image of the sender’s signature — or even the fancy font they’re using. Really, anything that sends a request to a remote server can be used as a tracking tool.

This meme feels apt:

Because you wouldn’t want to just admit you’re spying on whether someone’s opened your email, right?

What does this mean if I forward the email for someone else to lol at?

We like the cut of your jib.

Theoretically, it should show that the email was opened at the time and place that they opened it, too.

Are there other kinds of pixels tracking me?

Maybe your Google Pixel phone?

Can any pixels be trusted?!?

*maniacal laugh*

You said this was years old. Why is everyone upset about this old-ass technology now?

Partly because a lot of people don’t realize that tracking pixels exist. Nothing wrong with that.

Partly because a former Twitter VP of design wrote a blog post, and it got a lot of buzz on Twitter.

Partly because Superhuman was letting users monitor people’s locations just by sending them an email, and because it did so by default.

Isn’t it good to know if people have read my emails? All my messaging apps have read receipts and they can be handy...

Disclaimer: some Verge staffers believe read receipts are obnoxious

Messenger read receipts are like tracking pixels if they weren’t trying to be so sneaky. Both the sender and the recipient can clearly see whether their own messages are being read or ignored. And if you’re texting a friend or relative, you might be within your rights, socially speaking, to nudge them if they haven’t responded in a while.

But with Superhuman and the like, we’re talking about letting a perfect stranger have the power to send you an email out of the blue, and force you to give up your location every time you read that email, all without you knowing. Seems bad, probably!

How the heck do these companies know my location?

IP addresses, most likely. When you download that tracking pixel from a server, it records your IP address, which is how the internet knows where your computer is both physically and digitally. It’s often possible to figure out your exact street address using nothing but your IP, and we’re talking city-level accuracy at the very least. It’s pretty eerie.

How can creeps abuse this?

The classic example: if someone knows when you’re home and when you’re away, robberies become a bit easier. Spammers and phishers can use the technique to know which email subject lines got you to click. And there are loads of vulnerable people (including women and minorities) who really, really don’t want some random person on the internet tracking their moves just by sending some emails.

And that’s before they start triangulating data, combining the when and where with data about what people click on, what websites they browse — because your browser cookies can theoretically pass along your online advertising profile, too.

I hate this. Is Superhuman the only company doing this?

No, definitely not. Wired wrote a great piece about email tracking in 2017, specifically highlighting an app called Streak that’s been openly offering tracking for nearly six years now, and a quick web search for “email tracking” shows even Streak is just the tip of the iceberg.

We particularly liked this sales pitch for ContactMonkey.com, which explains how much better it is to be an email stalker! “There’s no way for them to opt out before opening your message,” the company proudly boasts.

Is this legal?

Unclear, but GDPR privacy laws now require consent before you can collect personal data from an EU citizen, and early GDPR working groups (we’re talking 2006) figured that secret tracking pixels would automatically be thrown out on their ass as a result. Theoretically, you’re giving some form of consent when you subscribe to a newsletter, but it may depend on what you click.

Am I creepy for wanting to use these anyhow?

The urge seems… understandable? The company’s called Superhuman, and tracking when, where, and whether people have opened your email definitely seems like a superpower.

Kind of like X-ray vision. Which is an amazingly creepy idea in 2019, even if it may have seemed harmless when Superman took a peek at Lois Lane’s underwear in 1978. Think about it.

Doesn’t my email app have a way to block these pixels?

There’s good news for Gmail users: Google reroutes every image request through its own proxy servers. Tracking pixels will still know when you’ve read an email, but they generally can’t sniff out your location or get your advertising profile because they can’t see your IP or cookies. (They see Google’s IP instead.)

You can also turn off automatic image loading in many email clients, but then, well, your email won’t automatically load images. Here’s our guide on how to set that up. There are also browser extensions like Ugly Email and PixelBlock that try to sniff out pixel trackers before you open an email, and remove them entirely.

Those are some pretty hefty, unlikely to be broadly adopted workarounds, though.

How about ad blockers?

Sure, but you’ll need to set them up for each tracker you want to block. Here’s a guide to disabling some of the more popular ones.

Also: please whitelist The Verge if you use an ad blocker? We kinda rely on ads to pay the bills around here, and we try to keep them relevant.

Why do the big browser companies tolerate tracking pixels? They’ve been doing a pretty decent job cracking down on annoying autoplay videos and insecure Flash…

Probably because big web companies have used these trackers in their own businesses for years, and nobody’s made a huge enough stink. There’s a Facebook Pixel, a Google Tag Manager, and an Amazon pixel just for starts, though most of those are used on the web, not email. On the email side of things, it’s estimated that the lion’s share of newsletter services (example: MailChimp) have basic tracking by default. Tracking pixels are generally considered part of how the sausage is made, just like tracking cookies that keep a record of which websites you’ve visited.

But who knows: in a post-Cambridge Analytica world where tech companies are working hard to regain your trust, we’re seeing browsers begin to push back against cookies. Maybe they’ll crack down on tracking pixels as well. Researchers have suggested that it wouldn’t be hard for email clients to automatically strip them out.

When might read receipts and tracking pixels be totally useful and understandable and not just creepy?

Anyone who works in sales or public relations has a critical interest in who has opened their emails. Journalists could probably make a case for them as a reporting tool. (When the high-ranking government official reads your request for information and ignores it, that’s worth knowing.) And publishers depend on tracking pixels to determine the open rate of their newsletters, which are becoming an increasingly important distribution mechanism for journalism.

That said, recipients deserve easier ways to opt out of being tracked. And while it’s one thing to know that an email has been opened, other tracking features — including the number of times an email was opened, and the locations in which it was opened — are much less defensible.

Why does anyone need to know WHERE I opened an email?

That is a fantastic question. Superhuman didn’t respond to our DMs and email, but they’ve since decided the answer to that question is effectively “we fucked up”.

Right, what does Superhuman have to say about all this?

Initially, there was barely a peep out of the company — except this reply from founder Rahul Vohra about how Superhuman users can turn off tracking if they want.

But half an hour after we published this FAQ, the company came out with a full apology and promise to immediately stop tracking locations and turn read receipts off by default.

Can I use tracking pixels against the people tracking me?

Sure. But do you want this to be an arms race?

What’s the best way to annoy someone into turning email tracking off?

If you’re a secret email tracker, it’d be pretty frustrating to know you’d been completely foiled and found out, no? Maybe use an extension like Ugly Email to see when you’re being tracked, and don’t open those emails — instead, set an email filter to automatically reply to each and every one, letting them know you’re onto them.

Is finding the pixel tracker like grabbing the seeker in Quidditch?

The Golden Snitch seems more apt: always present but hard to find, worth a lot to the right person, but something you may want to avoid if that person isn’t you.

Plus, it’s called a “snitch.” Right there in the name.

Update, 7:05 PM ET: Superhuman has issued a full apology, says it will no longer track location, and will turn read receipts off by default, effective immediately.