Jump to content

How emails can be used to track your location and how to stop it


Recommended Posts

A new, free Google Chrome browser extension called Streak lets email senders using Google accounts see when recipients open email.

And, oh my, it also lets senders see who, exactly, opened the email, and where the recipient is located.

The extension, part of a customer relationship management (CRM) system that includes tools for sales, support and hiring, places email recipients on a map, with big red dots indicating their locations. It also gives users real-time location updates.

Streak is a bit creepy. But it's not, of course, "changing the email game", as has been somewhat breathlessly claimed.

Streak may well be in the business of giving marketers the ability to eyeball our whereabouts and our email-opening schedules, but it certainly didn't invent email tracking - not by a long shot.

Email tracking is already used by individuals, email marketers, spammers and phishers to understand where people are, validate email addresses, verify that emails are actually read by recipients, find out if they were forwarded and discover if a given email has made it past spam filters.

The bad news is that if you're thinking that you can just avoid installing Streak if you don't want marketers, creeps, phishers and spammers to see when and where you opened your email, so sorry to tell you, but that's just an irrational thought coming from la-la land.

You know that place, right? It's the place where opt-in is the norm.

In the place where we all actually live, recipients don't have to install anything for email tracking to work and nor will they know if their locations and email openings are being tracked.

It's easy as pie - just sit back, open email as usual, and the email trackers will churn their wheels, no recipient involvement required.

Thankfully it's not all bad news.

Because email is actually quite simple, there are only a very small number of techniques that systems like Streak can use to track you - and they're easy for you to disrupt.

Emails are fundamentally inert (in the vernacular they are not executable) so they can't make your computer run code.

For an email to pull off something like tracking it needs considerable cooperation from your email client and, since you control your email client, that puts you in the driving seat.

Somebody who wants to track you can do two things; they can either send an email with a read receipt, or they can send an email with an embedded image (sometimes referred to as a bug or beacon).

Read receipt requests are included in an email's meta data (its headers). Because the meta data is passive it amounts to no more than a plea to your email software to please ask for a read receipt.

Different email clients don't agree on what a read receipt header should look like so there's no guarantee your read receipt will even be recognised as one.

If it is recognised then, overwhelmingly, email clients will prompt users and ask if they want to let the sender know that they've read the email. It's not a great technique for email marketeers trying to keep your tracking secret.

You are much more likely to be tracked by embedded images.

A tracking email has to be written in HTML. This allows it to reference an image on a remote server owned by the sender (this part isn't underhand, it's just how HTML works).

When the email is opened, the email software loads the image from the remote server by sending it an HTTP request.

A spammer or marketeer sending a mass mailing can choose to give each email an image with a unique URL so they can tell which recipients have opened their emails.

Like all HTTP requests, the one sent by your email software will contain your IP address. Because IP addresses are allocated geographically, that's tantamount to providing location data accurate to what city you're in.

The HTTP request will also contain a user-agent header which provides a brief description of your browser and operating system.

So, from one embedded image systems like Streak can determine:

Who opened their email

What time the email was opened

Where it was opened

What sort of device it was opened on

The answer to protecting yourself from this kind of tracking is straightforward - don't load the images.

You can do this by forcing all your email to render as plain text or by allowing it to render HTML without images.

Most email clients are well disposed to help you with this and will actually do the latter by default, giving you the option to download the images if you decide you want them.

The most notable exception to this is Gmail which loads remote content automatically unless you take back control of your images.

For your part you need only understand that loading images in emails means "tell the sender you've just opened their email and you'd like them to send you the rest of the message".

So, if you don't trust marketers and stalkers with your location and email-reading schedule, it's time to take back remote content loading.

Below are instructions on how to switch off image loading in seven of the most popular email clients:

iOS Mail

Click the Settings icon

Click Mail, Contacts, and Calendars

Toggle Load Remote Images to off.

Outlook (Desktop)

Click the Tools menu

Click Trust Center

Click Automatic Download

Check Don't download pictures automatically in HTML e-mail messages or RSS items.


Click on the Settings icon (cog)

Click More Email settings

Click Filters and Reporting under Junk Email

Select Block attachments, pictures, and links for anyone not in my safe senders list.

Apples Mail

Click Mail

Click Preferences

Click Viewing

Uncheck Display remote images in HTML messages.

Yahoo Mail

Click the Settings icon

Click Settings

Click Security

Locate Show images in email

Select Never by Default.


Click the Settings icon

Stay in the General tab

Scroll down to the Images section

Choose Ask before displaying external images

Click Save Changes.

Android Gmail app

Tap the menu button

Tap Settings

Tap on your email address

Scroll to the bottom of the screen

Tap Images

Select Ask before showing.

Although this article is mostly about how emails you receive can leak information about you, it's worth understanding that emails you send can too.

When you send an email, each server your message passes through will stamp the email with its IP address. The first IP address in that list is normally yours - the one that can be used to locate what city you're in.

The only way we can think of to avoid this is to use a webmail service (and you have to use its web interface).

In our quick and dirty testing I found that Gmail, FastMail and Outlook will all keep your IP address secret but Yahoo, the perennial late comers to the security and privacy party, won't.


Edited by anuseems
Link to comment
Share on other sites

  • Replies 2
  • Views 1.1k
  • Created
  • Last Reply

Top Posters In This Topic



  • anuseems


  • DesiPirate


Popular Days

Top Posters In This Topic

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...