Like it or not, email is not going away. You better know how it works.

What are spy pixels in Email?

Spy pixels are a common marketing tactic used by “many of the largest brands used email pixels, with the exception of the “Big Tech” firms”. Which is obvious, because those firms, especially Google and Facebook, have too many better ways to spy their users to need spy pixel.

Email spy pixels, or tracking pixels, or web beacons, are just like Sherlock Holmes in the screenshot above. They are images inserted in email messages, just invisible, because they are of the smallest possible size and of the same color of the message background. Something like this, that is:

Whenever you open any email, your email client must download everything it contains, in order to display it. By downloading a spy pixel, it unavoidably tells the server of whoever sent you the email that you have, indeed, received that message, and that it stimulated you enough to make you open it.

Together with this information, the server will also collect other data, starting from where (approximately) the user was when she opened the message, and which device, and software she used to do it. Basically, spy pixels mark which recipients may receive further messages, if not phone calls, along the lines of “you opened my email but have not replied yet, can I call?"

Oh, and of course the same thing will happen with everybody else to whom you forwarded an email with a spy tracking pixel.

Important: microscopic images are the most common way to implement this particular spying technique, but by no means the only one! As this article explained, “anything that sends a request to a remote server can be used as a tracking tool”: including fonts.

What do the senders say?

As many other things digital, most email spy pixels are “mentioned within the wider privacy policies” of the companies that send them. More often than not, however, the reactions of these companies when someone questions the practice amount to some variation of “everybody else does it, so just trus us, why shouldn’t you? We are offended!”

What you can you do to avoid pixel tracking via email

Not so much, at least in terms of immediate results. In the European Union, for example, already existing laws like the GDPR do require organisations to inform recipients of the pixels, and in most cases to obtain consent. As with many other digital issues, however, “The law is clear enough, what we need is regulatory enforcement”… and then hope that such an enforcement is enforceable across a worldwide Internet.

At the personal level, by far the best way to neutralize not just spy pixels, but many other privacy and security risks of email is to use a text-only email client like Mutt. The next best thing would be to set your email client to show all incoming messages as plain text. When that is not possible, check if your client has some configuration, or plugin, specifically designed to recognize spy pixels, without downloading them. If it doesn’t, you should probably change software.

Why do we still need to say this in 2021?

Because, as the BBC recently said, in 2021… “the use of “invisible” tracking tech in emails is now “endemic”. During a survey commissioned by the BBC, two-thirds of the emails left after filtering spam out contained a “spy pixel”. For more details, including which companies are doing email pixel tracking, see that piece.