12 July 2012
Email Hidden Tracking Deceptions
1. Government Email Hidden Tracking Deceptions
Many US federal agencies distribute emails and notifications via govdelivery.com (“Made for government”). The service embeds hidden URLs carrying a lengthy tracking number, which logs clicks and identifies the recipients who retrieve the cited documents. Not notifying email recipients of the tracking feature is a significant privacy violation. DHS examples (some alphanumerics changed):
This service is provided to you at no charge by the U.S. Department of Homeland Security.
GovDelivery is providing this information on behalf of U.S. Department of Homeland Security, and may not use the information for any other purposes.
Department of Justice admittedly tracking ID today:
Deputy Attorney General James M. Cole Speaks at the Wells Fargo Press Conference
The White House admittedly tracks ID minutely too:
Watch the video and get the facts here.
The hidden codes may be overlooked: They were discovered when our legacy email program could not activate them. Last year Cryptome wrote the government clients of govdelivery.com and the service itself to reveal the tracking but never received an answer from any.
A notable exception to hidden tracking is the GAO, which transparently discloses its URLs:
Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight. GAO-12-479, July 9.
Other USG offices display only a linked title but not the underlying URL, a method often used to deceive about the link. State Department and FBI examples, respectively, without hidden tracking code:
Press Releases: Remarks With Afghan President Hamid Karzai
[We see today at the bottom of State Department email it is also sent by govdelivery.com and tracks recipients. “Report problems:”]
Alleged Associate of al Qaeda in the Arabian Peninsula Charged in New York with Providing Material Support and Receiving Military Training in Yemen
2. Commercial Email Tracking Deceptions
Commercial email delivery services also hide tracking code. For example, Bluehornet.com sent out an email yesterday for the Stratfor Class Action Settlement which embedded hidden URLs with tracking numbers (original numbers replaced):
Bluehornet violates the privacy of the email recipients by not calling attention to its tracking feature, thus implicating the law firm which sued Stratfor for failing to protect its customer information — presumably the law firm does not know it may be subject to privacy violation suits.
Other services embed URLs which track access to articles with concealed codes that likely also track email recipients, without explanation of the codes’ use. New York Times today, egregiously tracking (some alphanumerics changed):
Spend summer vacation at an all-inclusive resort, surrounded by the crystalline waters of the Pacific Ocean
Amazon (some alphanumerics changed):
The SAGE Handbook of Architectural Theory
This for an article listed in a Die Zeit newsletter today (alphanumerics changed):
3. Honest and Dishonest Email
Honest privacy protection advocates will always use transparent URLs. An EFF example:
For the full motion for partial summary judgment:
Compared to, one of many possible examples, the otherwise admirable Bradley Manning Support Network (code changed):
All users of email should use transparent URLs, and those using hidden tracking codes should include with each email an explanation of the hidden URLs, the purpose of the tracking, related privacy policies and a tracking opt-out choice. Those which do not comply should be blocked, filtered, trashed unread or returned marked “Choice Expletive
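A recipient-side filter of the kind recommended above can start by listing every link in an HTML message whose visible text hides the underlying URL and whose URL carries a long opaque token. This is an added example, not part of the original article; the sample message, the hostnames, the token and the 20-character threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: 20+ consecutive letters/digits in the path or query is an opaque tracking token.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}")

class LinkAudit(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html_body):
    """Return one finding per link: is the URL hidden, and does it carry a long token?"""
    parser = LinkAudit()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        parts = urlsplit(href)
        findings.append({
            "text": text,
            "host": parts.hostname or "",
            "hidden": href not in text,  # reader sees a title, not the URL
            "tokens": TOKEN_RE.findall(parts.path + "?" + parts.query),
        })
    return findings

# Constructed sample message: placeholder hostnames and token, not real tracking URLs.
SAMPLE = """
<p><a href="https://links.example.net/track?enid=A1B2C3D4E5F6G7H8I9J0K1L2M3N4">Press Release</a></p>
<p><a href="https://www.example.gov/products/report-12-479">https://www.example.gov/products/report-12-479</a></p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE):
        flag = "TRACKING?" if f["hidden"] and f["tokens"] else "ok"
        print(f'{flag:10} {f["host"]:20} {f["text"][:40]}')
```

A link is flagged only when both conditions hold, so a transparently displayed URL passes even if it is long.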