Spy Pixels.

Boustrophedon
After Pie
Posts: 1969
Joined: Mon Nov 11, 2019 3:58 pm
Location: Lincolnshire Wolds

Post by Boustrophedon » Wed Feb 17, 2021 11:19 am

Spy pixels in emails have become endemic

WTAF is a spy pixel? The idea that a single pixel can do anything is beyond my imagination. So can someone explain what this is all about?
Remember it's only a coup if it's from the coup d'état region of France, otherwise it just sparkling white terrorism.

shpalman
Light of Blast
Posts: 4227
Joined: Mon Nov 11, 2019 12:53 pm
Location: One step beyond

Re: Spy Pixels.

Post by shpalman » Wed Feb 17, 2021 11:36 am

Tracking pixels are typically a .GIF or .PNG file that is as small as 1x1 pixels, which is inserted into the header, footer or body of an email.

If there's a link to an image in the body of an email which I send to you, then when the image is downloaded from my server, I know you've opened and looked at the email.
molto tricky

Re: Spy Pixels.

Post by Boustrophedon » Wed Feb 17, 2021 11:59 am

shpalman wrote:
Wed Feb 17, 2021 11:36 am
Tracking pixels are typically a .GIF or .PNG file that is as small as 1x1 pixels, which is inserted into the header, footer or body of an email.

If there's a link to an image in the body of an email which I send to you, then when the image is downloaded from my server, I know you've opened and looked at the email.
So it's not the pixel at all, it's the embedded command requesting the pixel?
Remember it's only a coup if it's from the coup d'état region of France, otherwise it just sparkling white terrorism.

jaap
Fuzzable
Posts: 324
Joined: Mon Nov 11, 2019 2:05 pm
Location: Netherlands

Re: Spy Pixels.

Post by jaap » Wed Feb 17, 2021 1:10 pm

Boustrophedon wrote:
Wed Feb 17, 2021 11:59 am
shpalman wrote:
Wed Feb 17, 2021 11:36 am
Tracking pixels are typically a .GIF or .PNG file that is as small as 1x1 pixels, which is inserted into the header, footer or body of an email.

If there's a link to an image in the body of an email which I send to you, then when the image is downloaded from my server, I know you've opened and looked at the email.
So it's not the pixel at all, it's the embedded command requesting the pixel?
It is not an "embedded command" as such, just an embedded image given by a url, similar to the {img} tag on this forum. Most email programs will try to display the image, and to do that they will have to download the image from the url. If you look at a mail in your spam folder, it will probably show a message like "the images in this email have been disabled for your safety", which is partly for this reason. You can probably change your email program setting to not automatically download embedded images.

The URLs for these images generally look like

http://someserver.com/image.gif?StringOfCharactersThatUniquelyIdentifiesTheRecipient
The owner of someserver.com can see in their logs the exact url that was requested, including the identifier string.

I could do the same thing by putting an {img} tag in a forum post so I could see how often it was seen. That does not uniquely identify people though because it's a public forum, but you can do that with personal email by putting in a unique identifier string that depends on the email address you send it to.
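
An added example, not part of jaap's post: a Python sketch of the check a mail client or filter can run to list the images a message would make it fetch from a remote server, and to flag those that look like tracking pixels. The function names, the sample message and the "tiny or carries a query string" heuristic are assumptions for illustration; the URL is the one from the post above.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; the tracking URL is the one quoted in the post.
SAMPLE = """\
From: news@shop.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="cid:logo" width="120" height="40">
<img src="http://someserver.com/image.gif?StringOfCharactersThatUniquelyIdentifiesTheRecipient" width="1" height="1">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def is_tiny(attrs):
    # Heuristic (assumption): 0/1-pixel dimensions or a hidden style.
    style = (attrs.get("style") or "").replace(" ", "").lower()
    dims = (attrs.get("width"), attrs.get("height"))
    return any(d in ("0", "1") for d in dims) or "display:none" in style

def find_remote_images(raw_email):
    """List images the client would fetch over the network on display."""
    msg = message_from_string(raw_email, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = ImgCollector()
    parser.feed(body.get_content())
    findings = []
    for attrs in parser.images:
        url = urlsplit(attrs.get("src") or "")
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images travel inside the message itself
        tiny = is_tiny(attrs)
        findings.append({"host": url.hostname, "query": url.query,
                         "tiny": tiny, "likely_tracker": tiny or bool(url.query)})
    return findings
```

With automatic image loading switched off, none of the URLs this lists is requested until the reader chooses to load images.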

Little waster
Dorkwood
Posts: 1439
Joined: Tue Nov 12, 2019 12:35 am
Location: About 1 inch behind my eyes

Re: Spy Pixels.

Post by Little waster » Wed Feb 17, 2021 3:15 pm

I suppose even without the identifier, a smart spammer would bombard their mailing list with different variations of "hot bab3z", "loanly s1ngles!" "ch3ap v14gra", "check out these flavours of crisps - you won't believe no.7!" etc. with the spy pixel and then tally which ones get the most "opens" to better tailor their future spam.
It's meta, so it is allowed.

Re: Spy Pixels.

Post by shpalman » Wed Feb 17, 2021 3:31 pm

Little waster wrote:
Wed Feb 17, 2021 3:15 pm
I suppose even without the identifier, a smart spammer would bombard their mailing list with different variations of "hot bab3z", "loanly s1ngles!" "ch3ap v14gra", "check out these flavours of crisps - you won't believe no.7!" etc. with the spy pixel and then tally which ones get the most "opens" to better tailor their future spam.
the article in the OP which nobody seems to have read wrote:
British Airways, TalkTalk, Vodafone, Sainsbury's, Tesco, HSBC, Marks & Spencer, Asos and Unilever are among UK brands Hey detected to be using them.
molto tricky

Re: Spy Pixels.

Post by Little waster » Wed Feb 17, 2021 4:56 pm

shpalman wrote:
Wed Feb 17, 2021 3:31 pm
Little waster wrote:
Wed Feb 17, 2021 3:15 pm
I suppose even without the identifier, a smart spammer would bombard their mailing list with different variations of "hot bab3z", "loanly s1ngles!" "ch3ap v14gra", "check out these flavours of crisps - you won't believe no.7!" etc. with the spy pixel and then tally which ones get the most "opens" to better tailor their future spam.
the article in the OP which nobody seems to have read wrote:
British Airways, TalkTalk, Vodafone, Sainsbury's, Tesco, HSBC, Marks & Spencer, Asos and Unilever are among UK brands Hey detected to be using them.
There will be an overlap between the needs of legit and spam emailers which are met by the use of spy pixels.

However legit companies and spammers will want different things out of their mailshots, as legit companies have less concern about being simply deleted unread and less need to dodge ever-more sophisticated spam filters and increasingly suspicious readers. Also legit companies tend to have logos etc. in their mails as standard so the cloak-and-dagger of a spy pixel isn't required whereas your typical "Nigerian prince" email will tend to appear text-only to look marginally more plausible.

As such a spy pixel is of more use to a spammer than Tescos.
It's meta, so it is allowed.

Re: Spy Pixels.

Post by Boustrophedon » Wed Feb 17, 2021 5:13 pm

OK thanks, understand now. I can set Gmail to "not display pictures", but I can't really be bothered.
Remember it's only a coup if it's from the coup d'état region of France, otherwise it just sparkling white terrorism.

JQH
Dorkwood
Posts: 1385
Joined: Mon Nov 11, 2019 3:30 pm
Location: Sar Flandan

Re: Spy Pixels.

Post by JQH » Wed Feb 17, 2021 9:37 pm

Talk Talk say they do not share the data collected externally. That fills me with confidence. Not.
And remember that if you botch the exit, the carnival of reaction may be coming to a town near you.

Fintan O'Toole

bolo
Catbabel
Posts: 725
Joined: Mon Nov 11, 2019 1:17 pm
Location: Washington DC

Re: Spy Pixels.

Post by bolo » Wed Feb 17, 2021 11:12 pm

Boustrophedon wrote:
Wed Feb 17, 2021 5:13 pm
OK thanks, understand now. I can set Gmail to "not display pictures", but I can't really be bothered.
IIRC, Gmail hosts copies of pictures on their own servers to defeat the spies. Or maybe that's an option. Or possibly I am remembering this wrong.

Millennie Al
Catbabel
Posts: 675
Joined: Mon Mar 16, 2020 4:02 am

Re: Spy Pixels.

Post by Millennie Al » Thu Feb 18, 2021 4:17 am

Little waster wrote:
Wed Feb 17, 2021 4:56 pm
There will be an overlap between the needs of legit and spam emailers which are met by the use of spy pixels.
They're usually called "web bugs" or suchlike: https://en.wikipedia.org/wiki/Web_beacon

And there is no legitimate use of them. Furthermore, they only work because of broken software which, when asked to display a message, is willing to go and fetch something mentioned in the message.
Covid-19 - Don't catch it: don't spread it.

Sciolus
Snowbonk
Posts: 589
Joined: Mon Nov 11, 2019 6:42 pm

Re: Spy Pixels.

Post by Sciolus » Thu Feb 18, 2021 8:58 am

JQH wrote:
Wed Feb 17, 2021 9:37 pm
Talk Talk say they do not share the data collected externally. That fills me with confidence. Not.
Maybe they don't share it intentionally, but...

Re: Spy Pixels.

Post by JQH » Thu Feb 18, 2021 12:05 pm

Sciolus wrote:
Thu Feb 18, 2021 8:58 am
JQH wrote:
Wed Feb 17, 2021 9:37 pm
Talk Talk say they do not share the data collected externally. That fills me with confidence. Not.
Maybe they don't share it intentionally, but...
That's what I was thinking.
And remember that if you botch the exit, the carnival of reaction may be coming to a town near you.

Fintan O'Toole

jdc
Hilda Ogden
Posts: 919
Joined: Wed Sep 25, 2019 4:31 pm
Location: Your Mum

Re: Spy Pixels.

Post by jdc » Thu Feb 18, 2021 6:41 pm

JQH wrote:
Thu Feb 18, 2021 12:05 pm
Sciolus wrote:
Thu Feb 18, 2021 8:58 am
JQH wrote:
Wed Feb 17, 2021 9:37 pm
Talk Talk say they do not share the data collected externally. That fills me with confidence. Not.
Maybe they don't share it intentionally, but...
That's what I was thinking.
tbf, their f.cking useless CEO has left since that happened. Wonder what she went on to do next.

jimbob
After Pie
Posts: 2490
Joined: Mon Nov 11, 2019 4:04 pm
Location: High Peak/Manchester

Re: Spy Pixels.

Post by jimbob » Fri Feb 19, 2021 1:07 pm

jdc wrote:
Thu Feb 18, 2021 6:41 pm
JQH wrote:
Thu Feb 18, 2021 12:05 pm
That's what I was thinking.
tbf, their f.cking useless CEO has left since that happened. Wonder what she went on to do next.
I always thought it ironic how she's failed by sharing data incorrectly and then by failing to share data when it needed to be.

I also thought that spy pixels were a thing about 15 years ago. The use of non-pictorial elements in the wiki article is something that I hadn't been aware of.
Have you considered stupidity as an explanation

Rich Scopie
Fuzzable
Posts: 266
Joined: Mon Nov 11, 2019 1:21 pm

Re: Spy Pixels.

Post by Rich Scopie » Fri Feb 19, 2021 5:56 pm

jimbob wrote:
Fri Feb 19, 2021 1:07 pm

I also thought that spy pixels were a thing about 15 years ago.
And the rest. Mid 1990s from what I remember.
It first was a rumour dismissed as a lie, but then came the evidence none could deny:
a double page spread in the Sunday Express — the Russians are running the DHSS!

nekomatic
Snowbonk
Posts: 507
Joined: Mon Nov 11, 2019 3:04 pm

Re: Spy Pixels.

Post by nekomatic » Tue Feb 23, 2021 10:36 am

Millennie Al wrote:
Thu Feb 18, 2021 4:17 am
And there is no legitimate use of them.
You may not agree that someone should be able to tell whether you’ve read their email, but it seems debatable whether that makes their desire to ‘illegitimate’. Anyway, you can choose not to let them know, by not automatically loading images, in all modern email software I’m aware of.

Anyway, email itself is irretrievably broken for lots of other reasons. If they couldn’t use web bugs they’d only come up with some other way of making it terrible.

bagpuss
Catbabel
Posts: 824
Joined: Tue Nov 12, 2019 12:10 pm

Re: Spy Pixels.

Post by bagpuss » Thu Feb 25, 2021 1:49 pm

nekomatic wrote:
Tue Feb 23, 2021 10:36 am
Millennie Al wrote:
Thu Feb 18, 2021 4:17 am
And there is no legitimate use of them.
You may not agree that someone should be able to tell whether you’ve read their email, but it seems debatable whether that makes their desire to ‘illegitimate’. Anyway, you can choose not to let them know, by not automatically loading images, in all modern email software I’m aware of.

Anyway, email itself is irretrievably broken for lots of other reasons. If they couldn’t use web bugs they’d only come up with some other way of making it terrible.

It's very commonly used in email marketing as a way to know whether the recipient has read the email. In every case I'm aware of*, it is merely used as one measure among many to determine the success or otherwise of an email campaign. That is not to say that their use isn't problematic and I'm pretty sure that very many companies are failing to meet the requirements to inform people of their use. However, to say there is no legitimate use of them is a very sweeping and misleading statement, when many companies are using them for entirely legitimate reasons, albeit some of them failing to meet the legal information requirements.


*since I only know legitimate companies doing it for perfectly acceptable reasons, this is of course not in any way a representative sample of those who use it.

Re: Spy Pixels.

Post by bolo » Thu Feb 25, 2021 3:11 pm

There is a (rarely used) protocol for emails to include a request for a read receipt. The recipient can choose whether to send the receipt. Spy pixels duplicate that capability while doing an end run around the recipient's ability to choose. I don't see that as legitimate, even if the companies doing it are legitimate companies and are doing it for business reasons that make sense to them as businesses.
