Spy pixels in emails have become endemic

The use of «invi­si­ble» trac­king tech in emails is now «ende­mic», accor­ding to a messa­ging service that analy­sed its traf­fic at the BBC’s request.

Hey’s review indi­ca­ted that two-thirds of emails sent to its users’ perso­nal accounts contai­ned a «spy pixel», even after exclu­ding for spam.

Its makers said that many of the largest brands used email pixels, with the excep­tion of the «big tech» firms.

Defen­ders of the trac­kers say they are a common­place marke­ting tactic.

And seve­ral of the compa­nies invol­ved noted their use of such tech was menti­o­ned within their wider privacy poli­cies.

Emails pixels can be used to log:

This infor­ma­tion can then be used to deter­mine the impact of a speci­fic email campaign, as well as to feed into more detai­led custo­mer profi­les.

Hey’s co-foun­der David Heine­me­ier Hans­son says they amount to a «grotes­que inva­sion of privacy».

And other experts have also ques­ti­o­ned whet­her compa­nies are being as trans­pa­rent as requi­red under law about their use.

Trac­king pixels are typi­cally a .GIF or .PNG file that is as small as 1×1 pixels, which is inser­ted into the header, footer or body of an email.

Since they often show the colour of the content below, they can be impos­si­ble to spot with the naked eye even if you know where to look.

Reci­pi­ents do not need to click on a link or do anyt­hing to acti­vate them beyond open an email they are embed­ded in.

British Airways, Talk­Talk, Voda­fone, Sains­bury’s, Tesco, HSBC, Marks & Spen­cer, Asos and Unile­ver are among UK brands Hey detec­ted to be using them.

But their use was much more wides­pread despite many members of the public being unaware of it, said Mr Hans­son.

«It’s not like there’s a flag saying 'this email inclu­des a spy pixel’ in most email soft­ware, » he added.

Hey does offer such a faci­lity, but users must pay an annual subs­crip­tion.

Alter­na­ti­vely, users can install free plug-ins into other email programs to strip out many pixel trac­kers. Other opti­ons are to simply set their soft­ware to block all images by default, or to view emails as plain text.

«On average, every Hey custo­mer recei­ves 24 emails per day that attempt to spy on them, » Mr Hans­son said.

"The top 10% of users receive more than 50.

«We’re proces­sing over one million emails a day and we’re just a tiny service compa­red to the likes of Gmail, but that’s north of 600,000 spying attempts bloc­ked every day.»

The BBC also uses email pixels in some of its commu­ni­ca­ti­ons, although this was not picked up by Hey.

Trac­king pixels are a stan­dard feature of auto­ma­ted email servi­ces used by large and small busi­nes­ses, and in many cases the faci­lity is diffi­cult to turn off.

Two years ago Super­hu­man, a consu­mer-focu­sed email client, tried to extend their use to the public as a default feature of its own, but rever­sed course after a public outcry.

That had little impact on the marke­ting industry’s conti­nued reli­ance on the tech.

Clients can use them to track how many emails in a speci­fic campaign are opened in aggre­gate, as well as to auto­ma­ti­cally stop sending messa­ges to custo­mers who ignore them.

But a study by Prin­ce­ton Univer­sity also indi­ca­ted the data gathe­red was some­ti­mes linked to a users’ cookies. This allows an indi­vi­du­al’s email address to be tied to their wider brow­sing habits, even as they move from one device to anot­her.

«The resul­ting links between iden­ti­ties and web history profi­les belie the claim of 'anony­mous’ web trac­king, » the paper warned.

In addi­tion, trac­kers can also lead to perso­na­li­sed follow-ups.

«Parti­cu­larly with sales­pe­o­ple or consul­tants, they can go: 'I saw you open my email yester­day, but you haven’t replied yet. Can I call?'» said Mr Hans­son.

«And in some cases they get outright belli­ge­rent when they see you’ve opened it three times but have still not replied.»

Use of trac­king pixels is gover­ned in the UK and other parts of Europe by 2003's Privacy and Elec­tro­nic Commu­ni­ca­ti­ons Regu­la­ti­ons (Pecr) and 2016's Gene­ral Data Protec­tion Regu­la­tion (GDPR).

They require orga­ni­sa­ti­ons to inform reci­pi­ents of the pixels, and in most cases to obtain consent.

One privacy consul­tant said the Court of Justice of the Euro­pean Union (CJEU) had previ­ously ruled that such consent must be «unam­bi­guous» and «a clear affir­ma­tive act».

«Solely placing somet­hing in a privacy notice is not consent, and it is hardly trans­pa­rent, » said Pat Walshe from Privacy Matters.

"The fact that trac­king will take place and what that invol­ves should be put in the user’s face and involve them opting in.

«The law is clear enough, what we need is regu­la­tory enfor­ce­ment. Just because this prac­tice is wides­pread doesn’t mean it’s correct and accep­ta­ble.»

Mr Walshe noted that the ICO had used a pixel within its own e-news­let­ter.

The watch­dog told the BBC it was used to track email openings, but not users’ loca­ti­ons, adding: «We’re working with our provi­der to remove the pixel func­ti­o­na­lity and this should be comple­ted soon.»

The BBC asked some of the compa­nies iden­ti­fied by Hey for their own response.

British Airways said: «We take custo­mer data extre­mely seri­ously, and use a cross-industry stan­dard appro­ach that allows us to unders­tand how effec­tive our custo­mer commu­ni­ca­ti­ons are.»

Talk­Talk said: «As is common across our industry and others, we track the perfor­mance of diffe­rent types of commu­ni­ca­ti­ons to unders­tand what our custo­mers prefer. We do not share this data exter­nally.»