I never signed up for this! Privacy implications of email tracking

Steven Englehardt 1, Jeffrey Han 2, and Arvind Narayanan 3
  • 1 Princeton University
  • 2 Princeton University
  • 3 Princeton University

Abstract

We show that the simple act of viewing emails contains privacy pitfalls for the unwary. We assembled a corpus of commercial mailing-list emails, and find a network of hundreds of third parties that track email recipients via methods such as embedded pixels. About 30% of emails leak the recipient’s email address to one or more of these third parties when they are viewed. In the majority of cases, these leaks are intentional on the part of email senders, and further leaks occur if the recipient clicks links in emails. Mail servers and clients may employ a variety of defenses, but we analyze 16 servers and clients and find that they are far from comprehensive. We propose, prototype, and evaluate a new defense, namely stripping tracking tags from emails based on enhanced versions of existing web tracking protection lists.
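
A sketch of the list-based tag-stripping defense described in the abstract, added here as an illustration; it is not the authors' prototype. The blocked domains, the recipient address and the sample message are constructed, and checking for MD5/SHA-1/SHA-256 hashes of the address is an assumption about how a leak may be encoded.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed stand-in for domain rules from a tracking-protection list.
BLOCKED_DOMAINS = {"tracker.example", "pixel.example"}
# Void elements whose URL is fetched when the message is rendered.
REMOTE_ATTRS = {"img": "src", "link": "href"}

def is_blocked(url):
    """True if the URL's host is a listed domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def leaks_address(url, address):
    """True if the URL carries the address in plaintext or as a common hash."""
    addr = address.strip().lower().encode()
    needles = {addr.decode()} | {
        hashlib.new(h, addr).hexdigest() for h in ("md5", "sha1", "sha256")}
    return any(n in unquote(url).lower() for n in needles)

class TagStripper(HTMLParser):
    def __init__(self, address):
        super().__init__(convert_charrefs=False)
        self.address, self.out, self.removed = address, [], []
    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(REMOTE_ATTRS.get(tag, ""))
        if url and (is_blocked(url) or leaks_address(url, self.address)):
            self.removed.append(url)  # tag is not copied to the output
        else:
            self.out.append(self.get_starttag_text())
    handle_startendtag = handle_starttag  # keep "<img ... />" as written
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def strip_trackers(html, address):
    """Return (cleaned_html, removed_urls); comments and doctype are dropped."""
    parser = TagStripper(address)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed recipient and message: a logo, a listed pixel, an unlisted leak.
ADDRESS = "alice@example.com"
SAMPLE = ('<p>Hello &amp; welcome</p><img src="https://cdn.shop.example/logo.png">'
          '<img src="https://pixel.example/o.gif?id=42" width="1" height="1">'
          '<img src="https://stats.shop.example/v?u='
          + hashlib.md5(ADDRESS.encode()).hexdigest() + '">')
```

Anchor links are left untouched, so the click-time leaks the abstract mentions are outside what this sketch covers.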



OPEN ACCESS
