A Stranger Can Find Out Where You Are By Getting You To Open An Email

Monday, February 10, 2014 - 03:20 PM

This afternoon, I stumbled across this free Gmail plug-in called Streak. If you send someone an email, Streak will tell you if they opened it, when they opened it, and, most creepily, where they were when they opened it. 

How is this possible? Streak doesn't say on its website, but email tracking services typically all work in a similar way. They embed a tiny image into the email you've sent. Images in emails aren't actually "in" the emails themselves - they have to be hosted on an external server. When you open the email, your computer asks the external server for the image, and that request includes your IP address. Trackers then use that IP address to locate you.

IP addresses aren't specific enough to lock onto your exact address, but they can get pretty close. I sent Alex, my colleague, an email, and Streak was able to get me within about five minutes of our workplace. 

It's not hard to imagine a situation where this could be badly abused. People who've been stalked, threatened, or harassed, for instance, should be able to open an email without unwittingly giving away their location.

So what can you do if you don't want to be tracked? Well, you can start by not allowing images to autoload in your email client. Also, in my (very rudimentary) tests I found that Gmail, for whatever reason, offered better protection than my office's Exchange email client. (With Gmail, I only found out when Alex had opened up my email. It was the Exchange client that gave away his neighborhood.)
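To see what opening a given message would reveal, you can list the remote images its HTML body would fetch. The script below is an added example, not code from Streak or from this post; the sample message, the host names and the tracking id are constructed placeholders, and the "tiny or hidden" heuristic is an assumption about how tracking images are usually marked up.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose src would be fetched from a remote server."""
    def __init__(self):
        super().__init__()
        self.remote = []   # list of (host, url, looks_like_pixel)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        parts = urlsplit((a.get("src") or "").strip())
        # cid: and data: images travel inside the message; only http(s) triggers a request.
        if parts.scheme not in ("http", "https"):
            return
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        self.remote.append((parts.hostname, a["src"], tiny or hidden))

def remote_images(raw_message: str):
    """Return the remote image fetches that opening this message would cause."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []          # plain-text mail cannot load images
    finder = RemoteImageFinder()
    finder.feed(body.get_content())
    return finder.remote

# Constructed sample message; tracker.example and the id are placeholders.
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi!</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60">
<img src="https://tracker.example/open.gif?id=CONSTRUCTED123" width="1" height="1">
<img src="cid:inline-photo@example.com">
</body></html>
"""

if __name__ == "__main__":
    for host, url, pixel in remote_images(SAMPLE):
        print(("PIXEL? " if pixel else "remote ") + f"{host}  {url}")
```

Every entry it returns is a server that would see the reader's IP address on open, whether or not the image is flagged as a likely pixel; a mail client with image autoloading turned off makes none of these requests.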

Comments [11]

DoktorThomas™ from D.C.

With each passing day Google gives Internauts more and more valid reasons to discontinue use of all of their services. Only the foolish would put up with their Big Brother attitude. NEVER CLICK ON ONE OF THEIR ADVERTISEMENT LINKS.
STOP USING gmail. DUMP THEIR WEB SITE TOOLS. Facebook, thinking people don't use Facebook, is not far behind. The world turns just as fast without either ...©2014 All rights reserved.

Feb. 19 2014 08:02 AM
NBE

What upsets me is that I use e-mail the way I used to use a television and still use a car---to do something I wish to do, but don't ask me to fix, repair, build, or even tinker. I do not want to be stalked. But I cannot understand this article or the comments.

Feb. 16 2014 11:29 AM
Robert Eccardt from New York

This is shocking news. Well, it was in 1999 when the Electronic Frontier Foundation wrote about the technique: http://w2.eff.org/Privacy/Marketing/web_bug.html

And CNet's article from 2000: http://news.cnet.com/2100-1017-243077.html

Feb. 15 2014 08:30 AM
marcos from california

I think it would be easy for me to become a stalker again, with these web tools at hand lol

Feb. 12 2014 12:02 AM
anschauung

Almost every single mass email (newsletters, product promotions, etc) you've ever gotten has been doing this routinely for as long as I've been in the email marketing business.

It's actually an invaluable tool for determining who is reading and reacting to which types of emails, and improving the quality of the stuff we send you.

The only difference here is that individuals are using the same technology to creep on each other.

Feb. 11 2014 10:47 AM
Pano DeFano

If you use a dedicated proxy or VPN, you completely prevent them from seeing your real IP address. Simple as that.

Anon-VPN.com

Feb. 11 2014 07:37 AM
Eric Goebelbecker from Check My Ip, NJ

GMail's image caching, as described by Ryan above, actually protects users. However, marketers were not happy, since it screwed up their ability to snoop, er track, their users.

"Loading images from these promotional e-mails reveals a lot about you. Marketers get a rough idea of your location via your IP address. They can see the HTTP referrer, meaning the URL of the page that requested the image. With the referral data, marketers can see not only what client you are using (desktop app, Web, mobile, etc.) but also what folder you were viewing the e-mail in."

http://arstechnica.com/information-technology/2013/12/gmail-blows-up-e-mail-marketing-by-caching-all-images-on-google-servers/

Feb. 10 2014 07:59 PM
Frankie

Isn't that just another trade of convenience for privacy? People can stalk you via data from images you upload using a phone and running apps show people the actual path you ran. I like for images to automatically open for trusted sources, but that doesn't mean my trusted source can't be hacked. I would think, the only way to really address this concern, would be for you to create a VPN and mask your IP address.

Feb. 10 2014 05:10 PM
David Brower from Can't you tell?

Using GMail to shield location will probably only work if you are using the GMail client or the GMail web interface. If you're using the Mail application on either iOS or Android, or any IMAP interface (Thunderbird), you'll be sending your current IP address to get the tracking image.

So, turn off open attachments and images by default, and make yourself explicitly load them.

Feb. 10 2014 04:02 PM
Ryan Olson from Los Angeles, CA

Gmail very recently made a change in their handling of images embedded in emails. Now when you open an email in Gmail the web client requests the image from a server at Google, which then goes on to request the image from the remote server. They still see that the image was requested, but don't know where the request came from. (It looks to them like it came from Google.)

Feb. 10 2014 04:00 PM


TLDR is a short podcast and blog about the internet by PJ Vogt and Alex Goldman. You can subscribe to our podcast here. You can follow our blog here. We’re also on Twitter, and we play Team Fortress 2 more or less constantly, so find us there if you like to communicate via computer games from six years ago.
