If you use email, you have likely gotten a message with pictures in it. Not because I sent you cat pictures or anything, rest assured.
So there you are with your fancy email with pictures. Well, not quite. The pictures are blocked. You can choose to show them, but they don’t show by default. Why is that?
Email providers hate cats, obviously.
Oh, that isn’t it? I could have sworn… oh well.
Wait, I remember now. It has to do with privacy from tracking.
Emails with pictures are actually HTML, kind of like a mini web page. The images themselves are stored on a web server and will only be retrieved when you view them, not when you receive the email.
How do we retrieve the pictures? It goes something like this:
Email Client: Hey there, bro. I am looking for mahwebsite.com/flowers.jpg. Can you, like, get that for me?
Web Server: Oh hey Larry. How is the family? Taken the boat out recently? Just yesterday, I saw… oh right, the picture. Yes, I got it, here you go.
The email client can now display the picture. However, by contacting the web server for the picture we also gave it some information.
More specifically, we gave the web server this information:
- IP address
- Location (based on the IP address)
- Access time (when we read the email, and that we read the email in the first place)
- Access to cookies that originated from the web server
This information must be sent as part of the request. For example, without our IP address the server couldn’t send us the picture. The server also knows when we access the email because it knows what time it was when we asked for the picture.
A visible picture isn’t even required. Most trackers of this sort are transparent 1×1 pictures. You don’t see them, but
they see you they track you nevertheless. Furthermore, they have unique filenames. For example, maybe the picture is flowers35530.jpg. The email sent to us had that picture. Other emails had another number, say 25039. The picture data is the same, but the unique filename allows associating the information gathered with the email it came from.
The email sender can then do as they wish with this information. For example, advertisers can collect a geographic mapping of customers, and spammers can detect if the email is actively used if the picture is accessed.
As it turns out, people don’t like being tracked. On a completely unrelated note, don’t trim those bushes in front of your windows. I, um, like them the way they are. Moving on.
Email clients block images by default so you cannot be tracked. That being said, gmail (and perhaps other providers) has an option that lets you get the pictures without being tracked.
Gmail does this by acting as a middleman. When you choose to show pictures in an email message, Gmail performs the HTTP request for you. The web server then gets Gmail’s IP address, not yours. In other words, nothing about you is tracked and you still get your pictures.
While this article has focused on blocking trackers, there are other reasons you may not want pictures to display by default. For example, it prevents potentially explicit or offensive imagery from reaching you. Not showing pictures is also useful for low-bandwidth users.