Earlier this week, DuckDuckGo branched out from its private browser and search engine with a new service called Email Protection.
The service, which is currently invite-only, gives users a unique duck.com email address that forwards messages to their real inbox. Along the way, DuckDuckGo strips out invasive trackers from the email, preventing senders from knowing whether you opened their messages. It also shows a note at the top of the email, letting you know it identified trackers and removed them.
DuckDuckGo is one of several companies that’s turning to email as a new privacy frontier. With the upcoming iOS 15 and MacOS Monterey, Apple’s Mail app will offer tracking protection, while the email service Hey uses aggressive labeling to call out the “spy trackers” it blocks from your inbox.
But all of these tools share one major flaw: They can’t stop senders from tracking the links you click on. Even with DuckDuckGo’s Email Protection enabled, senders can see exactly which links you’ve clicked, how many times you’ve clicked them, and your location while clicking. The same is true with anti-tracking tools from Apple, Hey, and most others.
DuckDuckGo says it plans to improve link-tracking protection in the future. But without disclosing the limits of their current tools, these companies may be instilling a false sense of security by promising a more private inbox.
How email tracking works
To see whether readers have opened an email, senders typically embed a small, invisible image—sometimes called a tracking pixel or spy pixel—hosted on a remote server. Opening the email loads the image, which in turn signals to the email provider that the message has been seen. Some email services also log the IP address that downloaded the image, revealing the reader’s approximate location as well.
Anti-tracking tools can use several methods to block these pixels. DuckDuckGo looks for images of known tracking patterns, then removes them from the body of the email before passing it along to your inbox. Hey removes tracking pixels in similar fashion as part of its own email service. Apple’s Mail app preloads the images on its own servers whether you open the email or not, essentially leaving senders with junk data by marking every email as read. Browser extensions like Trocker prevent images from loading on your computer if they come from known spy pixel sources.
Still, none of those methods help with emails that track which links users click on. In this type of tracking, the email contains a set of links that are unique for every recipient, and those links redirect to the actual websites readers are intending to visit. That redirection process lets the sender see exactly who clicked on what. (You can usually see if this is happening by long-pressing or hovering over a link to preview the address, then looking for a URL that includes a seemingly random string of characters.)
On some level, this type of tracking is even creepier than spy pixels, providing details not just on whether you’ve opened an email, but on how you interacted with it. Marketers can use this information to send you additional messages. And as companies like Facebook and Twitter get into the newsletter business, they may use this data to target you with ads. (The data policy for Facebook’s Bulletin newsletter service notes that it will use “cookies, pixels, and similar technologies” to collect information about you for ad targeting.)
Look before you click
So why don’t most email privacy tools protect against click tracking? The main reason is that it’s technically challenging to do so.
Mikael Berner, the founder and CEO of email provider OnMail, notes that some redirect links in emails serve a useful purpose beyond tracking, making it difficult to tell which ones are there for tracking of a sort you might want to foil. Recipients, for instance, might need a unique link to reset their password, track a package, view their travel itinerary, or unsubscribe from a mailing list.
“If those link trackers were to be stripped out, the links would then become defunct and the user [would] likely receive a 404 message on the other end,” Berner says via email.
Unlike your web browser, your inbox doesn’t have an incognito mode.
But even this approach has limitations. It doesn’t work for every kind of link, and because it relies on a browser extension, it won’t help when you’re reading email on your phone.
Philosophically, some providers of anti-tracking tools may also feel that link tracking is less of a privacy risk than read receipts.
“I think link trackers are far less egregious as the user is choosing to click on the link,” says Michael Leggett, creator of the Simplify Gmail extension, whose features include a tracking pixel blocker. “Analytics on websites are a generally assumed part of the internet and this is an extension of that.”
Even so, clicking an email link inherently gives up more personal data than clicking a web link, because everything you engage with becomes tied to your email address. Unlike your web browser, your inbox doesn’t have an incognito mode. (While Leggett says he’s still interested in blocking link clicks, he doesn’t want to give users a false sense of security from an incomplete solution.)
That’s why Apple, DuckDuckGo, and other companies offering anti-tracking tools for email ought to be clearer about their limitations. Just because DuckDuckGo tells you that it’s removed a tracker from your email doesn’t mean nobody’s watching.