Monday, 14 July 2014

How to stop embedded images tracking your location on Gmail

You may think that the only way people can tell if you opened an email is the good old 'read receipt', but there is another, more subtle method: using embedded images to track individuals. This method is currently used by phishers, marketers and spammers to track where people open emails and to gather other useful information.

The most common method used for email tracking is embedded images. The process is relatively simple:

- Email is created in HTML

- Included is a reference to an image on a remote server that the sender owns or has access to

- Each email can be given a unique URL to track which individual opens it

- Contained within the HTTP request from your email client to obtain the referenced image will be your IP address (which can be used to locate you to at least your city, unless you are on a VPN), your browser and your operating system.

All of this is very useful information that can be used to draw a number of conclusions about the reader:

- Where was the email opened

- What time was the email opened

- How long after the email was sent was it opened

- What type of device was the email opened on

- Prove that it made it past any spam filters in place

- Show that the email is valid and in active use

Gmail Solution

With Gmail, as with most privacy features from Google, you must opt out, which can be done as follows:

Browser Client

- Select Gear icon then Settings

- Under the General tab look for Images (Fourth down currently in the list)

- Select 'Ask before displaying external images'

- Scroll to bottom of screen

- Select Save Changes

Gmail App on Android

- Select menu on left and scroll down to the bottom (may take a while if you have lots of labels) until you see Settings   

- Select each email address in turn (if you have multiple) and scroll to bottom and select Images

- Change to Ask before showing

1 comment:

  1. This is irrelevant now. Gmail shows all images cached from Google's proxy servers. Your IP is never revealed.