neveragain.de teletype

TIL: Newsletter Open Rate, a privacy fail.

I knew for a long time that many e-mails (not just newsletters!) include tracking pixels. What I didn’t know: This Open Rate has become a major success metric for the content slingshots and marketing quacks to brag about.

How is it possible that we’re seeing so much noise about privacy and tracking on the web, but nobody gives a fuck about how their inbox is tracking them? This is much worse than tracking on the web. It’s deceitful!

When visiting a website, any user intuitively understands this website is aware of their visit. When I phone someone, they know I’m calling them. But nobody expects that taking a letter out of the envelope causes the letter to phone home, revealing identity and location.

That’s not even considering the security implications of Mail User Agents loading arbitrary data from the web. Not as bad a problem as it used to be, but still a beloved attack vector. And completely unnecessary.

Loading external data can be disabled in most (all?) MUAs. Unfortunately this is known only to people who are also aware of how loading external data is a problem. Most people are not aware, or don’t care enough.
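To see what a message would fetch the moment it is opened with remote content enabled, the following added example (not part of the original post) parses a constructed HTML e-mail and lists every remote reference, flagging 1x1 images. The sample message, its `.example` hosts and the `remote_refs` helper are assumptions made for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real newsletter); hosts use the reserved .example TLD.
SAMPLE = """\
From: news@newsletter.example
To: reader@mail.example
Subject: Weekly issue
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello!</p>
<img src="https://cdn.newsletter.example/logo.png" width="600" height="120">
<img src="https://track.newsletter.example/o/8f3a1c?rcpt=reader%40mail.example" width="1" height="1" alt="">
<img src="cid:inline-logo">
<link rel="stylesheet" href="https://cdn.newsletter.example/mail.css">
</body></html>
"""

class RemoteRefs(HTMLParser):
    """Collect URLs an HTML renderer may fetch without any click by the reader."""
    AUTOLOAD = {"img": "src", "link": "href"}  # assumption: the common auto-loaded tags

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(self.AUTOLOAD.get(tag, ""))
        if not url or urlsplit(url).scheme not in ("http", "https"):
            return  # cid:/data: references are embedded in the message, nothing is fetched
        # Any remote fetch reveals the open (time, IP, user agent); a 1x1 size is
        # only a hint that the image exists purely for tracking.
        tiny = tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.refs.append({"tag": tag, "url": url, "pixel": tiny})

def remote_refs(raw):
    """Return the remote references found in all text/html parts of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            p = RemoteRefs()
            p.feed(part.get_content())
            found.extend(p.refs)
    return found
```

Calling `remote_refs(SAMPLE)` returns three entries: the logo, the 1x1 image carrying a per-recipient query string, and the stylesheet. The `cid:` image is skipped because it ships inside the message.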

Anecdata: Last Week in AWS, a great newsletter for IT and Cloud professionals, claims >60% of subscribers are engineers – so exactly the kind of people that should know better. Yet LWIA boasts an Open Rate of 40%, which is above and beyond the industry benchmark of 15-25%.

This worries me, because it means that not even professionals give a shit. Why is that? Or many of them do in fact disable tracking, and LWIA’s Open Rate is even higher? Either way, it’s a fascinating data point.

Apparently, the use of tracking is now widespread for non-bulk e-mails as well, sometimes even for personal use. Further reading: Wired: How Email Open Tracking Quietly Took Over the Web

As I understand it currently, e-mail tracking would require explicit consent under GDPR. In theory. I don’t think I’ve seen this implemented anywhere.

So… How is this still default MUA behavior in 2021? Disabling external images breaks literally nothing. Disable it now. Disable it now, before the EU Cookie Monster decides to “fix” e-mail next.


Originally posted to Twitter.