Is there a way to stop my client from tracking my email activity?
April 18, 2020 9:06 AM Subscribe
I received a highly disturbing email from a client of mine indicating that she could see that I was currently viewing an email she had sent me a few days prior. What are the possible mechanisms she could be using to accomplish this and is there any way I can block it?
I received an email from a client about a week ago, which I opened and read shortly after it was sent. I then marked it as unread and filed it away in a folder with the intention to go back to the email when I had more time to dedicate to her question.
A few days after the email was sent, she sent a follow-up email indicating that she could tell I was currently looking at her original email. She included a screenshot of my name, the date, and the time, which she presumably grabbed from her email program. She said "our app keeps tabs on our mail." I actually had not looked at the message since the first time I read it.
I'm familiar with read receipts on email, but I've never heard of someone thinking they could monitor when an email was actually being viewed.
What are the possible mechanisms she could be using to try and do this? Is there any way I can block it or stop it?
Possibly relevant technical details:
-client and I each work from home on completely separate hardware and network infrastructure
-I'm using Microsoft Outlook on an Office 365 subscription with email hosting through Exchange Online
-I have a router running DD-WRT in case this can be utilized in some way
For the time being, I have changed my Outlook settings to process all incoming and outgoing mail in plaint-text format. But, I would prefer not to change my email usage with everyone because of one problem client.
I received an email from a client about a week ago, which I opened and read shortly after it was sent. I then marked it as unread and filed it away in a folder with the intention to go back to the email when I had more time to dedicate to her question.
A few days after the email was sent, she sent a follow-up email indicating that she could tell I was currently looking at her original email. She included a screenshot of my name, the date, and the time, which she presumably grabbed from her email program. She said "our app keeps tabs on our mail." I actually had not looked at the message since the first time I read it.
I'm familiar with read receipts on email, but I've never heard of someone thinking they could monitor when an email was actually being viewed.
What are the possible mechanisms she could be using to try and do this? Is there any way I can block it or stop it?
Possibly relevant technical details:
-client and I each work from home on completely separate hardware and network infrastructure
-I'm using Microsoft Outlook on an Office 365 subscription with email hosting through Exchange Online
-I have a router running DD-WRT in case this can be utilized in some way
For the time being, I have changed my Outlook settings to process all incoming and outgoing mail in plaint-text format. But, I would prefer not to change my email usage with everyone because of one problem client.
Did the screen shot include any information identifying of your computer at all other than the email? i.E. could it have been completely faked?
posted by Tell Me No Lies at 9:12 AM on April 18, 2020
posted by Tell Me No Lies at 9:12 AM on April 18, 2020
Best answer: Web beacons/Tracking pixels.
If this is an HTML email, she just included a link to an image (any image, but the commercial tools usually just have a 1x1 pixel transparent GIF or something) with a unique name or querystring. When your reader opens the email, it loads the image from a server somewhere, which records that that unique image was loaded. They then know when you read the email.
Easiest way to block it is to disable HTML email / rich email. I use Outlook through Office 365 at work, and I know that images in HTML are blocked by default exactly to protect against this sort of behaviour. Unsure how to turn it on, it's something our admin did on the AD side, or a default..
posted by Alterscape at 9:16 AM on April 18, 2020 [35 favorites]
If this is an HTML email, she just included a link to an image (any image, but the commercial tools usually just have a 1x1 pixel transparent GIF or something) with a unique name or querystring. When your reader opens the email, it loads the image from a server somewhere, which records that that unique image was loaded. They then know when you read the email.
Easiest way to block it is to disable HTML email / rich email. I use Outlook through Office 365 at work, and I know that images in HTML are blocked by default exactly to protect against this sort of behaviour. Unsure how to turn it on, it's something our admin did on the AD side, or a default..
posted by Alterscape at 9:16 AM on April 18, 2020 [35 favorites]
Yes this is possible, and is a widely used mechanism by marketers and anyone who wants to understand the effectiveness of marketing-type emails (although it can be used for any email). For example, even the free tier of Mail Chimp that small businesses use allows you to see which addresses have opened the email.
Its usually done with HTML emails embedding whats known as tracking pixels - when the email app renders the hidden "tracking pixel" image within in the email, the server that hosts the pixels can tell when it's viewed and associate it with the specific email. I'm not totally up on the latest and greatest tech however. Blocking these is similar to ad blocking - it's a cat-and-mouse game. I'm probably a few years behind in my knowledge at this point...
In Chrome with gmail, I use the PixelBlock extension. You can also turn off images entirely, which a lot of email clients support.
posted by cgg at 9:16 AM on April 18, 2020 [7 favorites]
Its usually done with HTML emails embedding whats known as tracking pixels - when the email app renders the hidden "tracking pixel" image within in the email, the server that hosts the pixels can tell when it's viewed and associate it with the specific email. I'm not totally up on the latest and greatest tech however. Blocking these is similar to ad blocking - it's a cat-and-mouse game. I'm probably a few years behind in my knowledge at this point...
In Chrome with gmail, I use the PixelBlock extension. You can also turn off images entirely, which a lot of email clients support.
posted by cgg at 9:16 AM on April 18, 2020 [7 favorites]
Yes. Turn off image loading in your email application & the email tracking stops working.
I always have it turned off anyway, as in my experience it makes it much easier to identify the (few) spam emails that get through the filters. The clever ones that masquerade as bank communications or what-not are usually given away by the entirely rubbish URLs contained within, which you only see if you turn image loading off.
posted by pharm at 9:22 AM on April 18, 2020 [10 favorites]
I always have it turned off anyway, as in my experience it makes it much easier to identify the (few) spam emails that get through the filters. The clever ones that masquerade as bank communications or what-not are usually given away by the entirely rubbish URLs contained within, which you only see if you turn image loading off.
posted by pharm at 9:22 AM on April 18, 2020 [10 favorites]
It is my experience that when one blocks the tracking, often the sender thinks that you did not receive the email or did not open it. That may be a feature, but it can also be a bug so to speak. If you don't reply to an inquiry for 6 days even though you may have read it, the sender could assume that you are not working that hard on their issue.
I will often reply to an email with a vague, "I received the email. I am researching the answer and I will be back to you shortly."
posted by AugustWest at 9:35 AM on April 18, 2020 [2 favorites]
I will often reply to an email with a vague, "I received the email. I am researching the answer and I will be back to you shortly."
posted by AugustWest at 9:35 AM on April 18, 2020 [2 favorites]
O daaang, so that's why I have to click to load images on Mailchimp and suchlike e-mails! I never thought I'd say this, but thank you, Outlook! In this one single way you are not annoying!
This person would not be my client anymore starting the instant I read that outrageous line, "Our app keeps tabs on our mail." Orly okay bye felicia. I would delete everything else from her unread, finish whatever she's contracted for and fire it off to her with no accompanying note and reject every attempt from her to communicate ever again. (I mean, unless there's just absolute buckets of money involved in this or she's merely technologically feeble and clueless and not the unbearable jerk she's coming off as, here.)
I mean, who has time for EXTRA nerve-fraying bullshit right now!? I am completely outraged on your behalf!
posted by Don Pepino at 1:24 PM on April 18, 2020 [17 favorites]
This person would not be my client anymore starting the instant I read that outrageous line, "Our app keeps tabs on our mail." Orly okay bye felicia. I would delete everything else from her unread, finish whatever she's contracted for and fire it off to her with no accompanying note and reject every attempt from her to communicate ever again. (I mean, unless there's just absolute buckets of money involved in this or she's merely technologically feeble and clueless and not the unbearable jerk she's coming off as, here.)
I mean, who has time for EXTRA nerve-fraying bullshit right now!? I am completely outraged on your behalf!
posted by Don Pepino at 1:24 PM on April 18, 2020 [17 favorites]
Wow, how unbelievable creepy and invasive. I’m with Don, I’d instantly fire them. For me, the relationship would be beyond repair.
posted by Jubey at 4:52 PM on April 18, 2020 [5 favorites]
posted by Jubey at 4:52 PM on April 18, 2020 [5 favorites]
Best answer: Yes, turning off auto image loading will help. You can also look at the links in the emails she sends you, and see if they are forwarders/rewritten URLs. Don't click on the links in the email if they're forwarders.
For instance, if she included a link to a post on MetaFilter, the base of the URL should begin with one of the official MeFi domains, such as
then that's a forwarder that tracks when and possibly how many times you click on that link. You can instead copy the URL and then remove the forwarder part.
Sometimes, the link forwarders don't even give you the original at the end, so it's impossible to know the original URL (like tinyurls).
She included a screenshot of my name, the date, and the time, [...] She said "our app keeps tabs on our mail."
IANAL nor a privacy law expert, but as part of my tech-related job, I've spent quite a lot of time in meetings about privacy policies and recent legislation re: GDPR and the CCPA.
I'm not sure what "our app" means here and if she's using third-party software or her company develops and manages the software. Regardless, if your client is located in, or works with people/businesses in the EU or California, her company should have a privacy policy that complies with GDPR and CCPA (if applicable).
Since her company is using software (third party or not) that collects personally identifiable information that can link your name, email address and online activity, the company should really have a privacy policy anyway that describes their practices on collecting and sharing data.
If it's third-party software, I'd be surprised if there isn't something in the third party's terms of service and privacy policy on disclosure of how data is collected and processed, and how their customers (such as your client) must use their software to comply with their own TOS.
All that said, if her company has a website, check to see if there is a privacy policy. If there isn't one (or even if there is), I would directly email her and say it was a surprise to find out this kind of email activity tracking was being employed by her company, and could she send a copy of their privacy policy / data processing policy. If this were me, I'd even ask what the name of the email tracking app/service is.
Honestly, because she blatantly gave you a screenshot of the trackable activity and didn't say anything about her company's privacy policy or how to opt out, it's possible that they don't have a privacy policy at all, and don't have any opt-out measures.
But even if they fall in the category of not being required to -- in this day and age, it is more than fair to know how your information is being used, and to find out what opt-out measures there are. Personally if they use this kind of email tracking, I'd want to know what other data they collect, and who collects that data (if not directly by your client) and where it's located.
Note: It works the other way around, too: if your company collects data (e.g. from clients), and/or stores, shares it or passes it to third-parties for processing, having a privacy policy that explains this is necessary to comply with privacy laws that may apply.
posted by rangefinder 1.4 at 6:41 PM on April 18, 2020 [5 favorites]
For instance, if she included a link to a post on MetaFilter, the base of the URL should begin with one of the official MeFi domains, such as
https://www.metafilter.com or https://mefi.us -- if you see something like https://different.example.com/www.metafilter.com/post/1234 then that's a forwarder that tracks when and possibly how many times you click on that link. You can instead copy the URL and then remove the forwarder part.
Sometimes, the link forwarders don't even give you the original at the end, so it's impossible to know the original URL (like tinyurls).
She included a screenshot of my name, the date, and the time, [...] She said "our app keeps tabs on our mail."
IANAL nor a privacy law expert, but as part of my tech-related job, I've spent quite a lot of time in meetings about privacy policies and recent legislation re: GDPR and the CCPA.
I'm not sure what "our app" means here and if she's using third-party software or her company develops and manages the software. Regardless, if your client is located in, or works with people/businesses in the EU or California, her company should have a privacy policy that complies with GDPR and CCPA (if applicable).
Since her company is using software (third party or not) that collects personally identifiable information that can link your name, email address and online activity, the company should really have a privacy policy anyway that describes their practices on collecting and sharing data.
If it's third-party software, I'd be surprised if there isn't something in the third party's terms of service and privacy policy on disclosure of how data is collected and processed, and how their customers (such as your client) must use their software to comply with their own TOS.
All that said, if her company has a website, check to see if there is a privacy policy. If there isn't one (or even if there is), I would directly email her and say it was a surprise to find out this kind of email activity tracking was being employed by her company, and could she send a copy of their privacy policy / data processing policy. If this were me, I'd even ask what the name of the email tracking app/service is.
Honestly, because she blatantly gave you a screenshot of the trackable activity and didn't say anything about her company's privacy policy or how to opt out, it's possible that they don't have a privacy policy at all, and don't have any opt-out measures.
But even if they fall in the category of not being required to -- in this day and age, it is more than fair to know how your information is being used, and to find out what opt-out measures there are. Personally if they use this kind of email tracking, I'd want to know what other data they collect, and who collects that data (if not directly by your client) and where it's located.
Note: It works the other way around, too: if your company collects data (e.g. from clients), and/or stores, shares it or passes it to third-parties for processing, having a privacy policy that explains this is necessary to comply with privacy laws that may apply.
posted by rangefinder 1.4 at 6:41 PM on April 18, 2020 [5 favorites]
A few days after the email was sent, she sent a follow-up email indicating that she could tell I was currently looking at her original email. She included a screenshot of my name, the date, and the time, which she presumably grabbed from her email program. She said "our app keeps tabs on our mail." I actually had not looked at the message since the first time I read it.
So, this is an important detail. It's true that there are email programs that use pixel tracking to determine when emails are opened. You can block this using all of the suggestions above (esp not loading images). But your client appears to believe that her email software lets here know in real time if you're looking at her email at any given moment. She's wrong though, as you can see by the fact that she incorrectly believed that you were looking at the email three days after you had last looked at it. There is no email tracking software that tells people when you're currently looking at an email - the most they can do is track the initial open. So you don't need to worry about being tracked in real-time like that (which would be pretty alarming).
posted by Ragged Richard at 7:43 PM on April 18, 2020 [3 favorites]
So, this is an important detail. It's true that there are email programs that use pixel tracking to determine when emails are opened. You can block this using all of the suggestions above (esp not loading images). But your client appears to believe that her email software lets here know in real time if you're looking at her email at any given moment. She's wrong though, as you can see by the fact that she incorrectly believed that you were looking at the email three days after you had last looked at it. There is no email tracking software that tells people when you're currently looking at an email - the most they can do is track the initial open. So you don't need to worry about being tracked in real-time like that (which would be pretty alarming).
posted by Ragged Richard at 7:43 PM on April 18, 2020 [3 favorites]
If you can find the url of the tracking pixel, I would think about blocking just that domain. However, it sounds like she has a false positive in that you were not reading it when she took the screenshot. If so, I would tell her so at the same time I asked her to stop trying to track my emails.
posted by soelo at 7:45 PM on April 18, 2020
posted by soelo at 7:45 PM on April 18, 2020
Another approach, if you don't want to block all images: just configure your mail server to download and cache all images as soon as it receives the email. This is what Gmail is doing as far as I know. Since your mail server usually receives the email a few seconds after it's sent, a tracking pixel provides no useful information beyond the basic "it has been delivered".
I'm not sure how easy this is to configure for Exchange Online, or if it's supported at all.
posted by milan-g at 11:43 PM on April 18, 2020
I'm not sure how easy this is to configure for Exchange Online, or if it's supported at all.
posted by milan-g at 11:43 PM on April 18, 2020
I came in here to say what Ragged Richard said. If we are reading this client's message correctly, she seems to believe she can IN REAL TIME see when people are reading a particular email. As a marketer who uses a marketing automation platform to send out emails with tracking pixels, all we can see is when it was first opened and there is no way we could tell someone is "currently looking" at a particular message, at least partly because it does not track *closing* an email.
I would find this very creepy and weird. There is no reason to bring this kind of tracking into a one-on-one email conversation; we use these stats in the aggregate to track the effectiveness of promotional and other mass emails, and only look at the individual level data to troubleshoot if a user contacts us to ask why they did/did not receive a specific email.
posted by misskaz at 7:53 AM on April 19, 2020 [2 favorites]
I would find this very creepy and weird. There is no reason to bring this kind of tracking into a one-on-one email conversation; we use these stats in the aggregate to track the effectiveness of promotional and other mass emails, and only look at the individual level data to troubleshoot if a user contacts us to ask why they did/did not receive a specific email.
posted by misskaz at 7:53 AM on April 19, 2020 [2 favorites]
Is it possible that your client was using read receipts/delivery receipts in Outlook? That wouldn't rely on images in the email. Usually, sending read/delivery receipts is enabled in Outlook by default, and you wouldn't know that your system sent anything.
posted by acridrabbit at 2:53 PM on April 20, 2020
posted by acridrabbit at 2:53 PM on April 20, 2020
This thread is closed to new comments.
It's extremely tacky of her to be so brazen about it though.
posted by phunniemee at 9:11 AM on April 18, 2020 [13 favorites]