Tracker pixels in emails are now an ‘endemic’ privacy concern

Critics suggest the practice is marketing gone too far.
Written by Charlie Osborne, Contributing Writer

Invisible pixels used to track email activity are now an "endemic" issue that breaches our privacy, analysts suggest. 

This week, the Hey messaging service analyzed its traffic following a request from the BBC and discovered that roughly two-thirds of emails sent to its users' private email accounts contained what is known as a "spy pixel."

Spy pixels, also known as tracking pixels or web beacons, are invisible, tiny image files -- including .PNGs and .GIFs -- that are inserted in the content body of an email. 

They may appear as clear, white, or another color to merge with the content and remain unseen by a recipient and are often as small as 1x1 pixels.

The recipient of an email does not need to directly engage with the pixel in any way for it to track certain activities. Instead, when an email is opened, the tracking pixel is automatically downloaded -- and this lets a server, owned by a marketer, know that the email has been read. Servers may also record the number of times an email is opened, the IP address linked to a user's location, and device usage. 

Similar pixels are also widely used on web domains to track visitors. 

Tracking pixels have been around for some time but are not well-known. For marketers, pixels can be an invaluable method to measure engagement levels, estimate the success of marketing campaigns, and potentially to send follow-ups and more personalized notes when a message has been read, but not responded to. 

However, according to Hey co-founder David Heinemeier Hansson, they also represent a "grotesque invasion of privacy."

Hansson told the publication that on average, the company processes one million emails and over 600,000 pixel tracker attempts are blocked every day. If you bring these levels up to the millions and millions of emails processed by services such as Gmail or Outlook, the suggestion that pixel tracker usage is "endemic" may be realistic. 

In Europe, GDPR demands that organizations tell recipients of the use of such pixels. However, the water has been muddied surrounding the transparency necessary to implement pixel tracking, as consent is not always required -- and when it is, this could be 'obtained' automatically when a user signs up to an email service and is asked to read a privacy notice published on a website.

The UK's own Information Commissioner's Office (ICO), which acts as a data protection watchdog, uses pixels to track email openings in its newsletter, as noted by the publication. Users are clearly told of the trackers at sign-up; however, the ICO intends to remove this functionality soon. 

It is possible to prevent tracking pixels from triggering by disallowing automatic image uploads in your web browser, or by downloading email and browser add-ons to block trackers.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards