ProtonMail introduces Tracking Protection feature
Secure email provider ProtonMail launched a new protective feature called Tracking Protection recently. The feature aims to protect users of the service better against tracking attempts.
ProtonMail users who use the web interface of the service will notice that Tracking Protection is enabled by default for their accounts. Tracking Protection blocks tracking pixels and hides a user's IP address in the default configuration.
Companies and individuals may add tracking components to emails. Tracking pixels are a common form. A small pixel image is added to the email, and it is loaded when the email is opened. The server the image is loaded from gets information such as the location and IP address of the user and date/time information from the request.
ProtonMail removes tracking pixels from emails automatically. Users are informed about this in the interface. Check the right side of the email header; ProtonMail displays a number there that indicates the number of trackers that it blocked in that email.
A click on the icon in the email header on ProtonMail displays information about the trackers that the service blocked. Each tracker is listed with its full address and grouped by domain name.
Tracking Protection changes how remote images are downloaded in emails. The default behavior uses a proxy with a generic IP address to download remote images; this is done to protect the IP address of the user.
Google's Gmail service has a similar feature. Remote images are downloaded by Google servers and not by the user when emails are opened. The feature protects the user's email address, but it has a downside for some users. Gmail displays the remote content automatically in the email, which means that unwanted content may be displayed automatically.
ProtonMail blocks remote content from being loaded automatically by default, but there is an option to switch the behavior to automatic.
ProtonMail users may configure the two protective features in the following way:
- Go to Settings > Go to Settings > ProtonMail > Email Privacy
- Toggle "Ask before loading remote content" and "block email tracking".
The first option blocks remote content from being loaded automatically by the company's proxy. Users who want content to be displayed automatically need to toggle "Ask before loading remote content" to off to do so. Note that the setting applies to the web interface and the mobile apps. If you turn it off, remote content is loaded automatically in the web version and in the mobile apps.
You can read more about the new privacy features here.
Now You: how do you handle remote content in emails?
That’s very interesting. Those tracking pixels are what I suppose LiveIntent puts in emails I subscribe to from a newspaper. I really have been bothered when LiveIntent ads mention the city where I am; it is creepy and violating. Recently I signed up for an anti-spam forwarding service and changed my email address with the newspaper newsletter to it. I have not since seen ads mentioning my location, so I am glad but do not know exactly why that happened. Big benefit.
Since feature. If you’re Protonmail, Gmail or other webmail app just using uBO or Brave (or any extension using Easyprivacy) will protect you against email trackers.
That incident was because senior members of French government personally targeted that activist because the activist attacked the members of their parliament, their families and their homes. So basically they received terrorist level labeling. They went to highest levels of French Interpol and they fired it to EUROPOL in Switzerland and got it done through subpoena straight through the High Court so when ProtonMail had received it, they had absolutely no way to challenge it. It was basically labelled as ‘terrorism’ straight from High Court and bypassed everything. They handed over all the data they had on the account which was useless encrypted data because ProtonMail does not store keys, but the activist in question was stupid enough to use his unfiltered IP from his home address as his last login so they just traced his IP and knocked on his door.
“Tracking pixels is [grammar correction–tracking is the subject] a common form.” Learning more each day; didn’t know about the pixel tracking. Crazy–The mass of tech corporations earn a living in some desperate ways.
In US. Other versions of English don’t seem to recognized collective nouns.
“My herd of cattle were inside the fence before it came down.” Yuk.
So people are throwing shade at ProtonMail (not undeservedly), but I’m not seeing anyone suggesting better options. Are there any legit email services today that are really private?
Tutanota maybe.
https://www.techdirt.com/articles/20201209/03061645849/german-court-orders-encrypted-email-service-tutanota-to-backdoor-one-account.shtml
Looks like basically the same kind of issue.
@Anonymous: thanks for that link because I actually ditched ProtonMail for Tutamail. But, as the article says:
“And even then, it will only deliver any unencrypted emails that are present, because Tutanota is not able to decrypt users’ emails that apply end-to-end encryption, which is entirely under the user’s control, not Tutanota’s.”
I am aware that only email messages between 2 Tutamail accounts are encrypted, so all mails between my Tutamail account and non-Tutamail accounts are freely accessible even without a court order.
Still, this is so far the only article about Tutamail’s privacy I have seen, whereas Protonmail is involved in more privacy issues, incl. egregious ones.
Laughing in my coffee this morning reading a bunch of gmail users scream about protonmail complying with ONE court order.
I leave remote content enabled. Disabled, most messages, especially those with graphics, are unreadable, so I end up turning on remote content often. Videos in email are stupid; it’s easy to turn email into a proxy browser, hence a mess.
Not all remote content is for tracking or ad serving. I use TBird with advanced config privacy switches and FairEmail for clients in Windows and Android, along with AdGuard and aggressive spam filters.
I’ve found it easier to make email non-functional with too many privacy switches than browsers. I get some spam but not much.
Loading remote content is the default for Gmail, but you can turn it off in the settings.
Call to the population :
“Tracking pixels are a common form. A small pixel image is added to the email, and it is loaded when the email is opened.”
I’m wondering if choosing the option provided by most email services which is to block email images by default includes pixel images.
Thanks for sharing your answer :=)
That’s what FairMail does, best I can tell. I didn’t mean to imply that only the pixel is removed or blocked. The entire image is blocked if it contains a tracker.
Try this for more info:
https://email.faircode.eu/
@ULBoom, OK. But Fairmail is for smartphones only. I’m experiencing on a PC desktop.
The FairEmail client does that. It has an effect on what is displayed but not the “almost all messages are butchered” effect disabling remote content does.
I’d be interested in knowing if other email services or clients beside Proton look for tracking pixels. I don’t know of any, haven’t looked extensively though.
@ULBoom, I’m not referring to an email service’s feature which would specifically concern tracking pixels, but to the one which proposes to block images, and if the so-called pixel images are included in that blocking.
Actually in Fairemail client there are different options namely images, reformatting message, tracking pixels etc for privacy.
As for main question – does tracking pixel come under images category? I would say no. Well I signed up to an undisclosed youtuber and when his mail came on a daily basis, they always included his signature(literally) at the end. Image loading was disabled through email provider, and so it was all good until I saw those mails in Fairemail, that signature part didn’t load and was identified as tracking pixel.
@Yash, “As for main question – does tracking pixel come under images category? I would say no […]”.
That’s indeed what I have in mind. I’ll have to get that clear with the email service.
What you describe could mean that the signature was disabled by the email provider on the account it was an image, but blocked by Fairemail on the account it included moreover (or before) a tracking pixel. That could mean tracking pixels being blocked by the traditional ‘block images’ feature given they’re included in an image. For what I know most racking pixels are freely independent, hidden among nothing as compared to hidden within an image…
I think I didn’t explain it properly before. Actually with disabling images on email provider settings the signature part always loaded. But in Fairemail it didn’t.
It really sometimes puzzles my mind as to how invasive these things are. Some say even opening a mail or even it being sent is enough to track users. I guess that part is a bit over the top but still scary. I consider emails fundamentally broken and so only use them in extreme circumstances.
“ProtonMail turned over a French climate activist’s IP address and browser fingerprint to Swiss authorities.”
“After providing the activist’s metadata to Swiss authorities, ProtonMail removed the section that had promised no IP logs, replacing it with one saying, “ProtonMail is email that respects privacy and puts people (not advertisers) first.”
This whole privacy thing is a joke!
It was not a lone “climate activist”. It was a whole bunch of criminals. They were rightly dragged before French courts, for reasons which had nothing to do about their opinions on the “climate” : trespassing on private property, illegally occupying real estate and assaulting policemen.
This is a good thing. It’s a good thing they were prosecuted, and it’s a good thing Proton Mail helped it.
It’s also something all email providers will do, because that’s the law.
The thugs breaking the law slipped their propaganda on Twitter, and everybody lapped it, including respectable media, including Proton Mail which was very very sorry they had to inconvenience some “climate activists”, because there’s something bad happening to the “climate”, and being “active” against it is a very very good thing, even if serves as a pretext to steal other people’s property and hit policemen.
Love ProtonMail. But I suspect their fame will make them target for unscrupulous people who will only try to exploit their free subscription.
@Anonymous: in view of the links provided here, it seems clear that the unscrupulous people are within the Protonmail organization itself.
Bullshit. Think first before you write stupid nonsense.
Do you know the complete and profound background why that happened? It’s a rhetoric question cause you don’t.
Your Facebook-like comments degrades you to a halfwitted wannabe professional.
@Uwe: thanks for confirming the numskull is you, completely unable to refute with arguments someone’s comment. Furthermore, your reply with sewer-like language also confirms that your mindset does not even reach Facebook mentality.
Get a life and get a decent education, you can only benefit because your education is at the basement of ground zero.
Have a wonderful day!
Ah, Ghacks is a breeding ground for people who like to complain about everything, deride everybody else that tries to tell them otherwise, go on and on about how Mozilla is witnessing its downfall, how M$ is an unscrupulous organization that loves tracking you.
Folks, we get it. Don’t need to stick your nose in every single GODDAMN post on this website. Martin and Ashwin, you guys know this and yet keep the negative reactions to these coming in, so you’re a part of the problem.
Sure. Let the blogmasters censor opinions you don’t like. That will incite more people to read Ghacks.
@Clairvaux: spot on. +1 for you, and for Martin and Ashwin.
“Get a life and get a decent education, you can only benefit because your education is at the basement of ground zero.”
You would be uttermost surprized about my education if you knew, dude.
Whatsoever… a wonderful day for you too.
@Uwe: coming from someone using sewer language, I am afraid I have to say you would not in the least be able to surprise me in a positive way. Whatever education you claim to have, it still remains at ground zero basement, as your previous comment confirms.
By all means, keep deluding yourself, dude, that always feels a lot more comfortable for your ilk.
I use the Trocker extension. https://trockerapp.github.io/
Just reviewed “Trockerapp” and it’s nothing special, just installing uBO or using Brave will protect you from email trackers. Avoid unnecessarily adding extensions, and this is another one.
Ok this is totally awesome. Many thanks @Anders.
No thanks.
https://www.wired.com/story/protonmail-amends-policy-after-giving-up-activists-data/
Did you really read that article before posting its link?
Quote:
“As usual, the devil is in the details—ProtonMail’s original policy simply said that the service does not keep IP logs “by default.” However, as a Swiss company, ProtonMail was obliged to comply with a Swiss court’s demand that it begin logging IP address and browser fingerprint information for a particular ProtonMail account.”
So do you really expect ProtonMail to disobey a court order?
@linuxfan: the issue is not obeying or disobeying a court’s demand; the issue is about misleading its users. It had stated that it does not keep IP logs, which was false. So, before issuing that statement Protonmail should have checked what its legal obligations were. In fact, I am pretty sure it knew, but in order to lure potential new users it went ahead and made the statement.
Furthermore, in view of the info provided in the other links, Protonmail’s credibility is definitely not what one can expect from an organization that claims to be laser-focused on privacy.
What about apple and iphone? Why not?
https://theconsciousresistance.com/protonmail-is-insecure/
https://www.moonofalabama.org/2021/05/how-protonmail-lost-the-public-trust-it-needs-to-do-business.html
Golden rule, nothing online is private even if the company says it is…
https://protonmail.com/blog/cryptographic-architecture-response/
Yes, as a ProtonMail user, I got the information delivered from the ProtonMail team as well. ?
And additionally, ProtonVPN is my absolutely favorite VPN service.
Using both of them in a bundle.
Same here.