How emails can be used to track your location and how to stop it
A new, free Google Chrome browser extension called Streak lets email senders using Google accounts see when recipients open email.
And, oh my, it also lets senders see who, exactly, opened the email, and where the recipient is located.
The extension, part of a customer relationship management (CRM) system that includes tools for sales, support and hiring, places email recipients on a map, with big red dots indicating their locations. It also gives users real-time location updates.
Streak is a bit creepy. But it’s not, of course, “changing the email game”, as has been somewhat breathlessly claimed.
Streak may well be in the business of giving marketers the ability to eyeball our whereabouts and our email-opening schedules, but it certainly didn’t invent email tracking – not by a long shot.
Email tracking is already used by individuals, email marketers, spammers and phishers to understand where people are, validate email addresses, verify that emails are actually read by recipients, find out if they were forwarded and discover if a given email has made it past spam filters.
The bad news is that if you’re thinking that you can just avoid installing Streak if you don’t want marketers, creeps, phishers and spammers to see when and where you opened your email, so sorry to tell you, but that’s just an irrational thought coming from la-la land.
You know that place, right? It’s the place where opt-in is the norm.
In the place where we all actually live, recipients don’t have to install anything for email tracking to work, and they won’t know whether their locations and email openings are being tracked.
It’s easy as pie – just sit back, open email as usual, and the email trackers will churn their wheels, no recipient involvement required.
Thankfully it’s not all bad news.
Because email is actually quite simple, there are only a very small number of techniques that systems like Streak can use to track you – and they’re easy for you to disrupt.
Emails are fundamentally inert (in technical terms, they are not executable) so they can’t make your computer run code.
For an email to pull off something like tracking it needs considerable cooperation from your email client and, since you control your email client, that puts you in the driving seat.
Somebody who wants to track you can do two things: they can either send an email with a read receipt request, or they can send an email with an embedded remote image (sometimes referred to as a web bug or beacon).
Read receipt requests are included in an email’s metadata (its headers). Because that metadata is passive, it amounts to no more than a plea to your email software to please ask for a read receipt.
Different email clients don’t agree on what a read receipt header should look like so there’s no guarantee your read receipt will even be recognised as one.
If it is recognised then, overwhelmingly, email clients will prompt users and ask if they want to let the sender know that they’ve read the email. It’s not a great technique for email marketeers trying to keep your tracking secret.
You are much more likely to be tracked by embedded images.
A tracking email has to be written in HTML. This allows it to reference an image on a remote server owned by the sender (this part isn’t underhand, it’s just how HTML works).
When the email is opened, the email software loads the image from the remote server by sending it an HTTP request.
A spammer or marketeer sending a mass mailing can choose to give each email an image with a unique URL so they can tell which recipients have opened their emails.
Like all HTTP requests, the one sent by your email software will contain your IP address. Because IP addresses are allocated geographically, that’s tantamount to providing location data accurate to roughly the city you’re in.
The HTTP request will also contain a user-agent header which provides a brief description of your browser and operating system.
So, from one embedded image systems like Streak can determine:
- Who opened their email
- What time the email was opened
- Where it was opened
- What sort of device it was opened on
The answer to protecting yourself from this kind of tracking is straightforward – don’t load the images.
You can do this by forcing all your email to render as plain text or by allowing it to render HTML without images.
Most email clients are well disposed to help you with this and will actually do the latter by default, giving you the option to download the images if you decide you want them.
The most notable exception to this is Gmail, which loads remote content automatically unless you take back control of your images.
For your part you need only understand that loading images in emails means “tell the sender you’ve just opened their email and you’d like them to send you the rest of the message”.
So, if you don’t trust marketers and stalkers with your location and email-reading schedule, it’s time to take back remote content loading.
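As an added example (not code from the original article or from Streak), here is a small Python script that performs the checks described above on an incoming message: it looks for read-receipt request headers, lists every remote image the HTML part would fetch, flags the ones shaped like beacons, and rebuilds the HTML with the remote images removed. The header names, the beacon heuristic and the sample message are constructed for this example.

```python
from email import message_from_string
from html.parser import HTMLParser

# Header names that request a read receipt (constructed list; no client is
# obliged to honour any of them).
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To", "X-Confirm-Reading-To")
class ImgScanner(HTMLParser):
    # Records remote <img> references and rebuilds the HTML without them.
    def __init__(self):
        super().__init__()
        self.remote = []   # (url, looks_like_beacon)
        self.out = []      # pieces of the sanitised HTML
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "img" and src.lower().startswith(("http://", "https://")):
            # A 1x1 size or a per-recipient token in the URL is the classic beacon shape
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            self.remote.append((src, tiny or "?" in src))
            self.out.append("<!-- remote image blocked -->")
            return
        self.out.append(self.get_starttag_text())
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)

def analyse(raw):
    # Returns read-receipt requests, the remote images found, and an image-free HTML body.
    msg = message_from_string(raw)
    receipts = [h for h in RECEIPT_HEADERS if msg[h]]
    html = next((p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8")
                 for p in msg.walk() if p.get_content_type() == "text/html"), "")
    scanner = ImgScanner()
    scanner.feed(html)
    scanner.close()
    return {"receipt_requests": receipts, "remote_images": scanner.remote,
            "sanitised_html": "".join(scanner.out)}
# Constructed sample message: one beacon with a per-recipient token, one ordinary logo.
SAMPLE = """\
From: promo@example.com
Disposition-Notification-To: promo@example.com
Content-Type: text/html; charset=utf-8

<html><body><p>Hi there</p>
<img src="https://tracker.example.com/open.gif?id=abc123" width="1" height="1">
<img src="https://cdn.example.com/logo.png" alt="logo">
</body></html>
"""
```

Running `analyse(SAMPLE)` reports the receipt request, both remote images with only the 1x1 one flagged, and HTML that no longer references either server.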
Below are instructions on how to switch off image loading in seven of the most popular email clients:
- Click the Settings icon
- Click Mail, Contacts, and Calendars
- Toggle Load Remote Images to off.
- Click the Tools menu
- Click Trust Center
- Click Automatic Download
- Check Don’t download pictures automatically in HTML e-mail messages or RSS items.
- Click on the Settings icon (cog)
- Click More Email settings
- Click Filters and Reporting under Junk Email
- Select Block attachments, pictures, and links for anyone not in my safe senders list.
- Click Mail
- Click Preferences
- Click Viewing
- Uncheck Display remote images in HTML messages.
- Click the Settings icon
- Click Settings
- Click Security
- Locate Show images in email
- Select Never by Default.
- Click the Settings icon
- Stay in the General tab
- Scroll down to the Images section
- Choose Ask before displaying external images
- Click Save Changes.
Android Gmail app
- Tap the menu button
- Tap Settings
- Tap on your email address
- Scroll to the bottom of the screen
- Tap Images
- Select Ask before showing.
Although this article is mostly about how emails you receive can leak information about you, it’s worth understanding that emails you send can too.
When you send an email, each server your message passes through adds a Received header recording the IP address it accepted the message from. The first of those hops is normally your own machine – the IP address that can be used to locate what city you’re in.
The only way we can think of to avoid this is to use a webmail service (and you have to use its web interface), because then the first hop recorded is the provider’s server rather than your own computer.
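As an added example (not from the original article), the following Python snippet reads the Received headers of a delivered message and lists the recorded IP address of each hop in the order the message actually travelled, which is how you would check what your own outgoing mail exposes. The sample message, its hostnames and its addresses are constructed.

```python
import re
from email import message_from_string

# Matches the bracketed IPv4 address a receiving server records for the host it
# accepted the message from, e.g. "from host (host [203.0.113.25])".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(raw):
    # Each relay prepends its own Received header, so the bottom-most header is the
    # earliest hop; reversing the list gives the hops in the order the message travelled.
    msg = message_from_string(raw)
    ips = []
    for hdr in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(hdr)
        ips.append(m.group(1) if m else None)
    return ips

def originating_ip(raw):
    # The first hop is normally the sender's own machine; for mail composed in a
    # webmail interface it is the provider's server instead.
    ips = hop_ips(raw)
    return ips[0] if ips else None

# Constructed sample of a delivered message that crossed three relays (documentation IP ranges).
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
    by inbox.example.net with ESMTP; Tue, 4 Mar 2014 10:02:11 +0000
Received: from smtp.example.org (smtp.example.org [203.0.113.25])
    by mx2.example.net with ESMTP; Tue, 4 Mar 2014 10:02:09 +0000
Received: from my-laptop (unknown [192.0.2.44])
    by smtp.example.org with ESMTPSA; Tue, 4 Mar 2014 10:02:05 +0000
From: me@example.org
To: you@example.net
Subject: Hi

Hello.
"""
```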