Date: 2021-02-27

This tracking allows obtaining data such as the number of times the message has been opened, the browser used, the device, its IP address and an approximate location of the receiver. Carol Yepes / Getty Images

In the era of instant messaging and the blue double tick, knowing that our messages arrive and being able to check that they have been read seems a universal right. The tools that add this feature to email are not new. In fact, monitoring these messages is essential for evaluating the results of marketing campaigns carried out through this medium, and it is enabled by default on platforms such as Mailchimp, which are designed to manage the mass sending of promotional messages or newsletters. Inserting what is known as a spy pixel or web beacon is enough to access various personal data of the recipient and, if the necessary requirements are not met, to cross the line of legality. “The fact that it is generalized in practice does not imply in any case that it is possible or that it is admitted from the legal point of view,” warns Andrés Ruiz, a lawyer specializing in technology at Ramón y Cajal Abogados.

These pixels are actually an image inserted into the email as a tiny, invisible white square or as one of its visible elements: the header, the signature or any decoration. When the message is opened, the loading process sends a request to the sender’s server to download that file. “This automatic communication says many things,” says José Rossell, founding partner of the cybersecurity company S2 Grupo. The exchange, he explains, makes it possible to obtain data such as the number of times the message has been opened, the times at which it was opened, the browser used, the device, its IP address (an identifier) and, from the latter, an approximate location of the recipient. According to a study carried out by the Hey email client for the BBC, two thirds of the messages sent on the platform contain a spy pixel, not even counting those that are diverted to the spam folder.

According to Ruiz, it is possible to use trackers without breaking the law when whoever inserts them in their communications has a legal basis to do so, but, given the myriad contexts in which these technologies can be used, it is difficult to define the requirements without studying each case in depth. “The first thing is to analyze from a technical point of view what the tool does,” he says. Recording only the opens is not the same as extracting all the available information from each opened email, and collecting all that information as aggregated data is not comparable to structuring it in a database with complex profiles of each user.

The measures needed to guarantee that the monitoring is carried out legally depend on the amount of information collected and on how it is processed. From Ruiz’s point of view, the recipient should always be informed that the messages he receives are being tracked. “If there is treatment of your data, if information is not provided to the user, the company may be sanctioned,” he says. Regarding the need for consent, he explains that it depends on the context: if the user is correctly informed and the entity that does the monitoring can justify its legitimate interest in resorting to it, it may be dispensable. “If I simply identify that a user from my subscriber base has opened an email, it could even be understood that the company has a legitimate interest insofar as it does so as part of its services, but care must be taken to extend these purposes,” he says. The red line is excess. “If what I do is very tight profiles of the users and based on that I create specific marketing campaigns, it would almost certainly exceed the legitimate interest and it should have a consent, or another legal basis that justifies it.”

The warning becomes even more necessary given the invisibility of these trackers, which makes it practically impossible to notice their presence in received emails unless their code carries suspicious labels or external tools are used to identify them, such as the Ugly Email and Pixel Block extensions, designed for Gmail. “To reduce the effectiveness of pixels, we have to set browser and email settings that are much more restrictive,” explains Hervé Lambert, head of global consumer operations at Panda Security. In this context, the best way to circumvent this surveillance is to disable the automatic download of images, which stops that revealing call to the server, or to use mail clients that block these attempts by default.
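
An added example, not part of the original article: a sketch of how a mail filter could list the images in an HTML message that would trigger the call to the sender's server described above, marking tiny or hidden ones as likely beacons. The sample message, the example.com URLs and the function and class names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample message body (not from the article); URLs are placeholders.
SAMPLE_HTML = """<html><body>
<img src="https://news.example.com/header.png" width="600" height="120">
<p>Our spring offers are here.</p>
<img src="https://track.example.com/o.gif?uid=12345" width="1" height="1">
<img src="https://track.example.com/p.gif?uid=12345" style="display: none">
<img src="cid:logo@example.com" width="80" height="80">
</body></html>"""


class RemoteImageAudit(HTMLParser):
    """Collects every <img> that would make the client contact a remote server."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        # cid: and data: images travel inside the message, so no request is made.
        if not src.lower().startswith(("http://", "https://", "//")):
            return
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        # A visible remote image (header, signature) causes the same request,
        # so it is reported too, just without the beacon flag.
        self.findings.append({"src": src, "likely_beacon": tiny or hidden})


def audit(html_body):
    """Return one finding per remote image in the HTML body."""
    parser = RemoteImageAudit()
    parser.feed(html_body)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HTML):
        label = "likely beacon" if f["likely_beacon"] else "remote image"
        print(f"{label:14} {f['src']}")
```

Because a tracker can also be a normal-sized visible image, the size and visibility checks only prioritise findings; blocking every remote image is what actually prevents the request.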

Pixel-free territory

“We have never supported pixel tracking and we never will. It’s out of the question,” said Hanna Bozakov, a spokesperson for the encrypted email platform Tutanota. This company of German origin considers that allowing these beacons to circulate freely would be “a violation of the privacy” of those who use its services, who in many cases are also unaware that they are being tracked. “We get newsletters, commercial emails and we click on them without thinking about what’s going on behind the scenes. The cost of this is that the users themselves filter information that they probably do not want to provide,” Bozakov reasons.

ProtonMail, another platform that prides itself on guaranteeing the privacy of those who use its mail service, takes the same position on the use of pixels. “We consider that its use is very unethical,” they point out. They also warn that even when consent is given, as is the case with cookies whose surveillance we accept when browsing the internet, users are not fully aware of the way in which they are being tracked. “At ProtonMail we block the use of trackers and third-party content by default, to ensure that our users are not unknowingly monitored.”

Beyond marketing

These technologies are, however, still supported on massively used platforms, such as Google’s Gmail or Microsoft’s Outlook, although certain obstacles have appeared, such as the default blocking of downloads in emails that reach the spam folder. Is it necessary to live in constant paranoia about being spied on? It depends. The risk that our footwear brand knows us well is far from the dangers posed by cybercriminals who use these pixels. For those who fine-tune their attacks based on what they know about their victims, data such as the type of device or the browsers used can make the difference between success and failure. “It comes in handy, it helps them improve their cyberattacks and make them even more targeted. They know which are the most common browsers and that is super interesting because if I want to inject some bad process in some browser extension, I will do it in A rather than in C,” explains Lambert.

In addition, complete profiles of users’ behavior, together with their email addresses, make desirable loot for sale to third parties. “Not zero that the value of this data is very high, but if you multiply it by millions, in the end it is money,” reasons the expert. To avoid headaches, it is best to fall back on the golden rules of cybersecurity: do not open emails from unknown or unexpected senders, and keep devices up to date to prevent attackers from exploiting potential vulnerabilities.

