Thursday, December 12, 2013

Gmail Changes Enable Tracking of User Email Activity

Changes to Gmail Image Handling Enable Tracking of User Activity with Emails

Google has just modified Gmail so images automatically load within emails.

An important privacy element was omitted from the discussion of this change. The change to image handling in Gmail creates a reliable method for companies and advertisers to track whether a user opens any email sent by the company/advertiser.

This works because the image within the email can carry a unique URL parameter that acts as a tracking beacon. If a user opens the email, the image is loaded automatically and the beacon is sent back to a web server controlled by the sender. This provides an alert that the specific user opened the email.

Previously, Gmail blocked images by default and required users to take a specific action to display them. So while this beacon-based email tracking has always been possible, the default handling in Gmail previously made it an unreliable tracking method that wasn't worth the effort.


How Does The Tracking Work?
In this example, the company sending the email would own site.com.
  1. Company crafts an email and includes an image with a tracking beacon number within a URL parameter
    http://site.com/picture.jpg?beacon=0001234
  2. User opens the email within Gmail and the browser automatically requests the image included in the email
  3. Google has modified the email so the image now resolves through the new proxy service. This means the URL from step #1 now looks like this in the source
    https://ci4.googleusercontent.com/proxy/wLmL7aeWQ5zwvPCbo5nG=s0-d-e1-ft#http://site.com/picture.jpg?beacon=0001234
  4. The browser automatically requests the image
  5. The Google proxy service at ci4.googleusercontent.com receives this request and makes an outbound request to http://site.com/picture.jpg?beacon=0001234
  6. The sender of the email returns picture.jpg and records that user 0001234 has opened the email

Here's a screenshot of my web server showing the request, which includes the URL parameter and also a mention of Google's domain ggpht.com:


[12/Dec/2013:23:48:10 +0000] "GET /Turkish_Van_Cat.jpg?id=01234 HTTP/1.1" 200 1718186 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (via ggpht.com)"



In practice, companies wishing to track email activity will simply add a hidden 1 pixel by 1 pixel image that performs this tracking unbeknownst to the end user.
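One way a mail client or filter could flag such beacons before any image is fetched, as an added example that is not part of the original post: it unwraps the proxy URL form shown in step 3 and reports images that are 1x1 or carry query parameters. The function names, the sample HTML and the two heuristics are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the proxied beacon URL from step 3 plus an ordinary image.
SAMPLE_HTML = """
<p>Hello!</p>
<img src="https://ci4.googleusercontent.com/proxy/wLmL7aeWQ5zwvPCbo5nG=s0-d-e1-ft#http://site.com/picture.jpg?beacon=0001234" width="1" height="1">
<img src="http://site.com/logo.png" width="200" height="80">
"""

def unwrap_proxy(url):
    """Return the sender's original URL when url has the proxy form from step 3."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if (host.endswith(".googleusercontent.com")
            and parts.path.startswith("/proxy/")
            and parts.fragment.startswith(("http://", "https://"))):
        return parts.fragment  # the original URL rides in the fragment
    return url

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in a message body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def find_beacons(html):
    """Flag images that are 1x1 or whose URL carries query parameters.
    Assumed heuristics: a per-recipient value needs a parameter to travel in,
    and a hidden beacon is typically declared as a 0- or 1-pixel image."""
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        origin = unwrap_proxy(img.get("src") or "")
        parts = urlsplit(origin)
        params = dict(parse_qsl(parts.query))
        tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
        if tiny or params:
            findings.append({"host": parts.hostname, "url": origin,
                             "params": params, "tiny": tiny})
    return findings

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_HTML):
        print(finding)
```
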

Opt-Out Argument
The argument that you can opt out of this new setting is a red herring. If only those who read this post take action to opt out, then the vast majority of people can still be tracked using this technique.

Security Win and Privacy Loss?
Perhaps there are security merits to this change. However, the collateral damage should not be ignored or overlooked in a change that impacts all Gmail users.



-Michael Coates - @_mwc