Premium Email Service Sparks Privacy Outrage

John Lister

A premium email service has been slammed for letting users track other people's locations simply by sending a message. The issue isn't new, but it has raised legal and ethical questions.

The email service is called Superhuman and costs $30 a month. That covers a host of features, such as being able to "unsend" a message before it's read, plus an "artificial intelligence" tool to decide and highlight which incoming messages are most important.

While reviewers are split on whether it's a fantastic service for power users or just a jumped-up Gmail, one designer has laid into Superhuman for a feature that tells users when a message has been read. (Source: theregister.co.uk)

Such a 'tracking' feature is common with many messaging apps, but users willingly sign up to the app knowing that's the case. The controversy here is partly that the tracking can work without the email recipient's knowledge or consent, and partly that the way Superhuman is set up can gather the recipient's location.

Tracking Pixel Old But Effective

Superhuman doesn't use any new or particularly sophisticated technique to do this. Instead, it's done by a method that dates back at least 20 years, known as a tracking pixel. This simply involves the email containing an image that's made up of a single pixel, so it's virtually impossible to see with the naked eye. In some cases, these pixels are set to be completely transparent.

When the recipient opens the email, their computer will load the image stored at Superhuman's servers. This essentially confirms the message is open and can also collect their location through their IP address. Spammers use the same technique to verify email addresses are valid, which is why you should never open a spam email.

What's sparking the controversy here is that the feature is turned on by default with Superhuman, as well as collecting and reporting the location by default. In this case the recipient is tracked just by opening the email, which may well be from somebody they know and contain a message they want to read.

Workarounds Have Limitations

There's also some question over whether this violates privacy laws. In particular it would appear to breach the European GDPR rules that require express consent before collecting personal data, which can include location.

There are several ways to avoid such tracking, but they come with some drawbacks. Users can set their email software to disable images altogether, though that can be overkill. Some ad-blocker tools in browsers will block tracking images, though this may have to be on a case-by-case basis.

Perhaps the easiest option is using email services like Gmail that route email image requests through a proxy server. This still lets the sender know the message has been opened, but doesn't reveal the user's location or other details. (Source: theverge.com)
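A heuristic check for the tracking-pixel pattern described above, added here as an example (it is not code from Superhuman or from the article): it parses a raw message and lists remote images that are 0 or 1 pixel in size or hidden by CSS. The function names, the sample message and its hosts are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides an image or shrinks it to 0 or 1 pixel.
TINY_CSS = re.compile(r"(?i)(?:width|height)\s*:\s*[01](?:px)?(?![\w.%])"
                      r"|display\s*:\s*none|visibility\s*:\s*hidden")

class PixelFinder(HTMLParser):  # collects remote <img> URLs that look like tracking pixels
    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            return  # cid:/data: images are embedded, so loading them contacts no server
        tiny = any(a.get(d, "").strip().lower().rstrip("px") in ("0", "1")
                   for d in ("width", "height"))
        if tiny or TINY_CSS.search(a.get("style", "")):
            self.suspects.append(src)

def find_tracking_pixels(html_body):
    finder = PixelFinder()
    finder.feed(html_body)
    finder.close()
    return finder.suspects

def scan_message(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    return find_tracking_pixels(body.get_content()) if body else []

# Constructed sample message (addresses, hosts and query values are made up).
SAMPLE = """\
From: sender@example.com
Subject: Quarterly numbers
Content-Type: text/html; charset="utf-8"

<p>Hi</p><img src="https://static.example.com/logo.png" width="600" height="80">
<img src="cid:chart1" width="1" height="1">
<img src="https://t.example.com/open?id=abc123" width="1" height="1">
<img src="https://t.example.com/o.gif?m=42" style="display:none">
"""
```

Any remote image, whatever its size, produces the same request when it loads, so this only flags the classic pixel; blocking remote images or loading them through a proxy covers the rest.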

What's Your Opinion?

Is this a big deal or a fuss over nothing? Should tracking pixels collect and report recipient location? Should more email services follow Gmail's lead to bypass the location collection?


Comments

Dennis Faas

Tracking pixels have been around forever, so this story is way overblown. The only thing new here is the GDPR compliance, and in that case, tracking pixels are now considered "illegal".

Now let's talk about the actual tracking mechanism.

Once the request to download the message is made by the recipient, the tracking pixel is sucked down along with it. The request is then recorded at the email server end, and with it, the recipient's IP address. The recipient's IP is then looked up via a 'whois database' which then reveals an approximate location (because leased IPs are associated with locations). However, the location is only accurate up to the town or city the recipient is located in (usually), and that is only accurate according to the Internet Service Provider which may very well have associated the IP to a 400 KM radius (for example).

So, in other words: this type of "tracking" isn't anything at all like GPS, and nowhere near as accurate. Also, if the recipient is using a VPN then the tracking pixel isn't going to be accurate at all because the VPN is going to be in an entirely different country or state.

So, to me this isn't really news unless you are screaming GDPR bloody murder.

Also, if you're paying $30 a month for an email service ($360 a year), then I think there is something more wrong about that than this whole tracking fiasco.

pctyson

Just as you stated, I checked my IP address location and it is off by 60 miles. Why would anybody pay for this? This is a service for those who do not do their homework on what they are paying for. This "premium email" provider likely will not even be around anymore in the next 12 months once people find out that this is a complete farce.