
12 July 2012

Email Hidden Tracking Deceptions

1. Government Email Hidden Tracking Deceptions

Many US federal agencies distribute emails and notifications via ("Made for government"). The service embeds hidden URLs with a lengthy tracking number which logs clicks and identifications of recipients who retrieve cited documents. Not notifying email recipients of the tracking feature is a significant privacy violation. DHS examples (some alphanumerics changed):

This service is provided to you at no charge by the U.S. Department of Homeland Security.

Privacy Policy

GovDelivery is providing this information on behalf of U.S. Department of Homeland Security, and may not use the information for any other purposes.

Department of Justice admittedly tracking ID today:

Deputy Attorney General James M. Cole Speaks at the Wells Fargo Press Conference

The White House admittedly tracks ID minutely too:

Watch the video and get the facts here.

The hidden codes may be overlooked: They were discovered when our legacy email program could not activate them. Last year Cryptome wrote the government clients of and the service itself to reveal the tracking but never received an answer from any.

A notable exception to hidden tracking is the GAO, which transparently discloses its URLs:

Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight. GAO-12-479, July 9.

Other USG offices display only a linked title but not the underlying URL, a method often used to deceive about the link. State Department and FBI examples, respectively, without hidden tracking code:

Press Releases: Remarks With Afghan President Hamid Karzai

[We see today at the bottom of State Department email it is also sent by and tracks recipients. "Report problems: <>"]

Alleged Associate of al Qaeda in the Arabian Peninsula Charged in New York with Providing Material Support and Receiving Military Training in Yemen

2. Commercial Email Tracking Deceptions

Commercial email delivery services also hide tracking code. For example, sent out an email yesterday for the Stratfor Class Action Settlement which embedded hidden URLs with tracking numbers (original numbers replaced):

Bluehornet violates the privacy of the email recipients by not calling attention to its tracking feature, thus implicating the law firm which sued Stratfor for failing to protect its customer information -- presumably the law firm does not know it may be subject to privacy violation suits.

Other services embed URLs which track access to articles with concealed codes that likely also track email recipients without explanation of the codes' use. New York Times today, egregiously tracking (some alphanumerics changed):

Spend summer vacation at an all-inclusive resort, surrounded by the crystalline waters of the Pacific Ocean

Amazon (some alphanumerics changed):

The SAGE Handbook of Architectural Theory

This for an article listed in a Die Zeit newsletter today (alphanumerics changed):

3. Honest and Dishonest Email

Honest privacy protection advocates will always use transparent URLs. An EFF example:

For the full motion for partial summary judgment:

Compared to, one of many possible examples, the otherwise admirable Bradley Manning Support Network (code changed):

Tracking is often justified as legitimate automatic data gathering on users. However, few, if any, email delivery and tracking services disclose tracking information with each email; they offer no tracking opt-out choice, provide no guarantees of anonymity or against misuse of the user data, and seldom point to either the privacy policies of the service or those of the services' customers (albeit, no privacy policy is believable). This suggests deliberate deception and lack of accountability on the part of both the services and their customers, who in this manner replicate the deceptions of vilified email spammers.

All users of email should use transparent URLs, and those using hidden tracking codes should include with each email an explanation of the hidden URLs, the purpose of the tracking, related privacy policies and a tracking opt-out choice. Those which do not comply should be blocked, filtered, trashed unread or returned marked "Choice Expletive."


Related, website links with non-transparent URLs (such as Cryptome uses, and has no delusional privacy policy) should never be clicked until passing a pointer over them to verify the underlying code. Avoid lengthy alphanumeric codes wherever they are hidden.
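
The pointer-over check described above can be run over a whole HTML email body before any link is clicked. The following is an added example, not code from Cryptome or from any of the services named: it lists each link's visible text beside its underlying URL and flags lengthy alphanumeric codes. The 20-character threshold, the function names and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumption: 20+ consecutive letters/digits containing both is a "lengthy code".
TOKEN = re.compile(r"[A-Za-z0-9]{20,}")

def opaque_tokens(url):
    """Return long mixed letter/digit runs in the URL path and query values."""
    parts = urlsplit(url)
    fields = parts.path.split("/") + [v for _, v in parse_qsl(parts.query)]
    return [tok for field in fields for tok in TOKEN.findall(field)
            if re.search(r"[A-Za-z]", tok) and re.search(r"\d", tok)]

class LinkAudit(HTMLParser):
    """Collect (visible text, href) for every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html):
    """One finding per link: is the target URL shown, and does it carry a code?"""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return [{"text": text, "href": href,
             "url_hidden": href not in text,
             "tokens": opaque_tokens(href)} for text, href in parser.links]

# Constructed sample body; the hosts and the code are made up for illustration.
SAMPLE = (
    '<p><a href="http://links.mailer.example/track?enid='
    'ZWFzPTEmbXNpZD0xMjM0NTY3ODkw">Watch the video</a></p>'
    '<p><a href="http://www.agency.example/products/REPORT-12-479">'
    'http://www.agency.example/products/REPORT-12-479</a></p>'
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A link whose `url_hidden` is true and whose `tokens` list is non-empty matches the pattern this page objects to: a linked title concealing a per-recipient code.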