Your Emails Are Spying on You, Including My Newsletter
8 min read

Your Emails Are Spying on You, Including My Newsletter

I want you to know that my newsletter is spying on you, and you have the power to stop it.
Gary Oldman as George Smiley in the 2011 film "Tinker Tailor Soldier Spy."
Gary Oldman as the iconic British spymaster George Smiley in Tinker Tailor Soldier Spy (2011). On the one hand, Oldman is not as good as Alec Guinness from the 1979 BBC version, but on the other, I do love looking at that orange wall.

While browsing the web over the past five years or so, you've probably gotten used to seeing notifications that ask you to review and accept a website's cookie policy. Like most of us, I don't often bother to read these. I just reflexively accept, and click through with a bit of mild annoyance at the interruption.

But in my more reflective moments, I consider the alternative. I think I'd be more annoyed if they didn't bother notifying me, and just went ahead with the cookies anyway.

I think it's good practice to let your audience know how and why they're being tracked, and to give them an opportunity to opt out. And I don't mean hiding it in an unreadably long and boring privacy policy. I think that if you're going to participate in the modern web's surveillance economy, you should inform your audience, in plain language, about just what you're up to.

That's why I want to make it clear that my newsletter is spying on you, and you have the power to stop it.

Email is Just Text (Except When it Isn't)

Email is old technology, practically Paleolithic in Internet terms. Our relationship to email has changed a lot over the decades, but the core tech is largely the same as it was in the 1970s. One modern "convenience" notably missing from the email spec is a feature allowing the sender to track what the recipient does with a message: did they open it? how many times? where? when? with what device? etc.

But the one thing you can do with email is send text. And html, the language of the web, is just plain text that uses some some syntax. Your browser or email client knows how to transform that syntax into the structure, formatting, and embedded content you've come to expect from the modern web. And while the text of an html document cannot report back to its sender about whether it's been read, it can refer to content elsewhere on the internet, like an image. And the image can tell on you. Or more precisely, the server where the image lives can tell on you.

When you receive an email message that "includes" an embedded image, that image is usally not attached to the message itself. It exists somewhere else, on a server, waiting for someone to request it. That request is sent when your email client gets a messge with some html, tries to render that html as content, notices that it contains a url for that image, and sends the server a request for the image so it can display it.

And that request is where the tracking happens.

The server holding the image keeps a record of every request it got, and those requests include some information about the requestor: what time the request was sent, what IP address it was sent from, and what kind of device sent it. Which means the server knows about every time you've requested the image--that is to say, every time you've opened the email.

The sneakiest way of doing this doesn't even rely on a visible image at all, but a tiny 1 pixel by 1 pixel image with no content, called a tracking pixel. Because the pixel is inconspicuous to the point of invisibility, a recipient can inspect the message closely without ever realizing that an image has been requested and loaded. And for extra sneakiness, each email recipient can be sent a different (albeit identical) copy of the pixel. That way, the sender knows not only that the email was opened, but which of the many pixels (out of perhaps thousands or tens of thousands) was requested, and therefore which recipient opened the email, allowing them to build a detailed profile of how you engage with their email.

This might not sound like valuable informaiton on its own, but when cross-referenced against the various other data points the sender might have collected on you (either because you've given it to them, or they've bought it from someone else), it can amount to a detailed dossier on your online habits. That's a valuable resource for marketing purposes.

The Spy Who Emailed Me

The current incarnation of my newsletter is run through Ghost (a blogging and newsletter platform that is kind of like WordPress or Substack). Like most content platforms that generate emails, Ghost has tools that monitor when an email is opened. Ghost's interface does not allow me to see every request in the gory level of detail described above, but I imagine that this data is accessible somewhere on the server.

When I started with Ghost, I had an option to enable or disable these tracking features. I enabled them, primarily out of curiosity. I don't open every email I receive, so I'm naturally interested in whether you're opening the ones I send. So far, I've only sent one newsletter, so my data set is limited, but in the interest of full disclosure I wanted to show you what I can see when I use these tools.

The chart from Ghost's Dashboard, showing email open rates
The chart from Ghost's Dashboard, showing email open rates. Not much data here, yet.

As you can see from the dashboard, I currently have 45 "members", none of which are on the paid tier (which makes sense, because I don't offer anything to paid members, and I'm not sure whether I ever will). At the time I sent the first newsletter, I only had 38. The open rate is 79%, meaning 30 of those 38 recipients opened the newsletter.

Ghost's Members list, showing member name, email, date joined, and open rate
Ghost's Members list, showing member name, email, date joined, and open rate. Again, data is sparse, so far, but eventually I'll be able to see whether an individual member is in the habit of opening my emails, or ignoring them.

Ghost also lets me see a list of members, with name and email, and shows the average open rate for each member--how often that particular member opens my newsletters. The average open rate is only calculated after the member has received five emails from me, so at this point everyone has an open rate of zero. But in the future, I'll be able to see that John Smith reads every one of my newsletters whereas Jane Doe has never opened a single one.

Is it Okay that I am Doing This?

I think it is, but maybe you disagree.

This kind of email tracking is standard practice across a wide variety of businesses. Every company marketing email you get, every newsletter you subscribe to, and every political email list you sign up for, can and most likely does track the way you interact with their email.

My assumption is that most people know this already, and have either accepted it or taken steps to block tracking pixels.

Wait, "Steps to Block Tracking Pixels"? What Steps?

Good catch. There are three major ways (that I know of) to prevent me, or any other sender, from monitoring your interaction with our email via tracking pixels. Here they are:

  1. Don't open any email from me. If you find this tracking practice morally intolerable, this might be your best option. Just don't interact with people or organizations whose online conduct you find unacceptable. You should probably unsubscribe if this is your preferred method.
  2. Use an app that detects and/or blocks tracking pixels, like Ugly Email or Trocker. I don't use either of these so I cannot personally vouch for them. Hat tip to Wired, whose great 2021 article on tracking pixels brought these to my attention.
  3. Block all images in your email client by default. This is arguably the most drastic and blunt solution, but it's the one that most thoroughly protects you from tracking while still giving you access to your email. It may, however, make your emails look ugly. Depending on what email client you use, there may be settings to block all images in all emails from all senders, or only particular senders, or to whitelist certain senders. Also keep in mind that if you have multiple email clients (say, if you use the web version of Gmail on your desktop, but you have an email app on your phone) then you will need to configure settings in each app separately.

Personally, I block all images in all emails. If I'd like images to load, I can always choose to allow it on a per-email basis.

If you choose to go this route and block images, be assured that you are not missing anything significant from my emails. I don't plan to include a lot of images in any of my newsletters going forward, and if I do, they will always contain descriptive "alt" text that will display when the image is disabled. This alt text is completely internal to the email, meaning it doesn't send any trackable requests anywhere.

You Have a Right to Block Trackers...

You might be wondering why I even bother tracking this data if I'm just going to advise you to thwart me. And maybe I'd feel differently if I had a financial interest in tracking you, as most marketing operations do. In my case, email tracking is motivated by idle curiosity, so it's not much of a blow to me if you decide to avoid it.

The main reason I bring all ths up is because it's what I'd like to hear from the people who are email-tracking me. I think senders have a right to engage in this kind of tracking, but recipients also have a right to know about it, and to block it if they are not interested in being tracked.

I wish more people thought this way, so I'm modeling the behavior I want to see in the world.

... and Ads.

I'm sure I have friends in the world of ad-supported journalism who will find this take objectionable, but in my opinion this applies just as much to blocking ads in a web browser as it does to blocking trackers in an email. This is especially true since there is increasingly no difference between these two things: most modern browser ads are tracking you, and in more invasive and sinister ways than the tracking pixels I've described in this post.

If you happen to use an ad blocker in your web browsing, like I do, then you're probably used to another kind of obnoxious alert: the "please disable your ad blocker" alert, usually accompanied by a guilt trip about how the site's business relies on their ability to serve you ads.

Which is fair enough because in most cases, that's absolutely true. And sites are well within their rights to try to get me to look at their ads however they can. But I maintain that I'm also within my rights to try and avoid invasive "ads" that track me (and, in many cases, degrade my browser's performance simply by loading). If a site's business model requires that it spies on its users, I think it's fair to ask whether that site's business model really ought to exist at all.

On a technical level, when I visit your website, the transaction that's occuring is this: my browser sends you a request for something, and your server responds by sending something. But by sending that request, I am not entering into a sacred contract that obliges me to display whatever you send in just the way it was designed to be displayed. I can instruct my browser to do whatever I want it to do with the content you send me. That includes blocking ads, or in the case of email newsletters, tracking pixels.

You have a right to market to me, but that doesn't mean I have an obligation to receive your marketing. Nor do my subscribers have an obligation to submit to my curiosity about whether they are reading my email. Which is why I'm disclosing the tracking behavior, and encouraging you to act accordingly.

How Wrong Am I?

Maybe you think I've got it all wrong.

Perhaps you think its unethical for me to use these tracking features at all? Or, on the flip side, maybe you think that content blocking is a form of piracy which I am wrong to engage in and encourage?

If that's the case, I'm happy to hear from you and I'm certainly open to persuasion. My email address is tom [at] nowwearealltom [dot] com.

Just don't expect me to display whatever images you might choose to send me.