Commentary

Unholy Tech? The Privacy Impact Of Email Tracking

Solution vendors often boast of their skill at email and cross-device tracking.

Perhaps they should cool it until they grasp the full import of these capabilities. A new study from Princeton University states that email tracking can lead to privacy violations, and that they “belie the claim of anonymous web tracking.”

Consumers apparently don’t know about it, and most email marketers probably don’t either. But this study may be the beginning of a larger discussion.  

First, let’s look at the methodology.

The authors — Steven Englehardt, Jeffrey Han, and Arvind Narayanan — developed a tool to automatically find and fill in mailing list subscription forms on web sites, built on the OpenWPM web crawler.

This team was able to study 12,618 HTML emails from 902 sites. They received an average of 14 emails per site, or a median of five.

Why did they bother? Because, “while there is a vast literature on web tracking, email tracking has seen little research,” they write.

Their conclusions? First, that “email tracking is pervasive,” they continue. And it is tied to web tracking.

“We find that 85% of emails in our corpus contain embedded third-party content, and 70% contain resources categorized as trackers by popular tracking-protections.”  

Drilling down further, they note that 29% of emails “leak the user’s email address to at least one third party, and that 19% of the senders sent at least one email that had such a leak.”

Of these leaks, 62% were intentional: they occur when remote content is embedded directly by the sender.

What’s the harm? Simply that the linking of web browsing with an email address can lead to the leaking of personally identifiable information (PII).

Whether through email or other means, “leaks of PII of logged-in users from first-party websites to third parties are rampant,” the writers allege. What’s more, email provides “a unique, persistent, real-world identifier, namely the email address.”

Here’s more on how it works.

Let’s say the person clicks through in the email. “Even if the link doesn’t contain any identifier, the web browser that opens the link will send the user’s cookie with the request,” the authors state.

Next, the browser links the cookie to the user’s email address, an identifier that may have been provided via a web form.

“Finally, the sender can pass on the email address — and other personally identifiable information (PII), if available — to embedded third parties using methods such as redirects and referrer headers,” they continue.  

EU regulators are probably poring over the report even as we speak.

One caveat should be added here. There are defenses. In general, they are identical to those used to block web tracking. But they are not 100% effective.

The researchers argue that “tracking protection should be at the center of a defensive strategy against email tracking. It can be employed either via HTML filtering on the server or via request blocking on the client.”

Email tracking is facilitated by “modern graphical email clients” that “allow rendering a subset of HTML,” the authors note.

They add that “JavaScript is invariably stripped, but embedded images and stylesheets are allowed.”

Those images are downloaded “and rendered by the email client when the user views the email” unless they are proxied by the user’s email server, the authors continue. But of the providers studied, “only Gmail and Yandex do so,” they state.

Proxying is described as follows: "when the recipient views the email, the mail user agent does not make any requests to third parties."
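
To make the server-side HTML filtering idea concrete, here is an added example (not code from the study or from this article) that audits an HTML email body for the images and stylesheets a client would fetch on render, and flags any third-party URL carrying the recipient's address. The function names, the sample hosts and the set of hashed forms it searches for are assumptions made for illustration, and the hashed forms go beyond what the article itself describes.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

def address_forms(address):
    """Encodings to search for (assumed set: plain text and common hex digests)."""
    addr = address.strip().lower()
    forms = {"plain": addr}
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, addr.encode()).hexdigest()
    return forms

class RemoteResourceFinder(HTMLParser):
    """Collects URLs a mail client fetches on render: images and stylesheets."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "img" and attr.get("src"):
            self.urls.append(attr["src"])
        elif tag == "link" and "stylesheet" in (attr.get("rel") or "").lower():
            if attr.get("href"):
                self.urls.append(attr["href"])

def audit_email_html(html, recipient, sender_domain):
    """Return one finding per remote resource: host, third-party flag, leaked forms."""
    finder = RemoteResourceFinder()
    finder.feed(html)
    forms = address_forms(recipient)
    findings = []
    for url in finder.urls:
        host = (urlsplit(url).hostname or "").lower()
        if not host:  # cid:, data: and relative references trigger no remote request
            continue
        first_party = host == sender_domain or host.endswith("." + sender_domain)
        decoded = unquote(url).lower()  # undo %40 and similar before matching
        leaks = sorted(name for name, value in forms.items() if value in decoded)
        findings.append({"host": host, "third_party": not first_party, "leaks": leaks})
    return findings

# Constructed sample message body; every host and the address are made up.
RECIPIENT = "alice@example.org"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://static.shop.example/mail.css"></head><body>
<img src="https://img.shop.example/banner.png">
<img src="https://pixel.tracker.example/o.gif?e=alice%40example.org">
<img src="https://cdn.adnet.example/p.gif?h={digest}">
<img src="cid:logo"></body></html>""".format(
    digest=hashlib.sha256(RECIPIENT.encode()).hexdigest())
```

A filter built on this could strip or rewrite the flagged elements before delivery; treating a host as first-party when it matches the sender's domain is a simplification.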

From the incoming emails, the authors also saw that many emailers use A/B testing.

What should an honest email marketer do? First, ensure that your privacy statement is upfront about these technologies. And make sure you understand them yourself.

In addition, know your vendors, and get a sense of the field in general. The authors charge that a “small number of third parties” are responsible for the leaks.

Finally, read the full study yourself. It discusses both the technology and the impact. 
