Maybe it is just me, but it looks like the volume of rudimentary spam email messages is slowly declining (statistics disagree with me). It could be my email service provider who has so smart junk mail detection system, but nonetheless, spam is not my major headache anymore. What is a major problem, however, is that many email systems leak private data to anyone who sends an email message to an inbox that someone is reading.
The way it works is the same as it has been for years. Someone sends you an email message, you open it, and bang! – the sender knows a lot about you – independent of what is said in the actual message.
The usual suspects are images embedded in messages. They may be visible images or invisible transparent dots (gif file format) hidden in a message. When you open a message that has images, the sender can extract surprisingly plenty of information from it. This includes your IP address, browser, and a range of technical information about the email system.
An IP address is a unique identifier to an access point where you were when you opened the message. If you were at home, it is your home router’s address, and if you were at a library, it is one of the addresses in the library. Other bits and pieces of information may be useful for someone when it is combined with other information about you.
Here is how you can test your email system for privacy
Mike Cardwell has created a test tool – Email Privacy Tester – that lets you easily find out how well your email system guards your privacy. For historical reasons, we happen to use an email service provider both in the US and in Europe. I tested both of them with the privacy tester tool.
Workspace Email is Godaddy’s web mail system that we have happily used for years. It is a robust, easy to use, and comes with plenty of storage space. Email Privacy Tester, however, revealed that the Workspace Email system leaked our office IP address, along with some other pieces of data (see the screen shot above).
Having learned all this, I wanted to prevent Workspace Email from displaying images. I opened the email Settings section, but couldn’t find anything related to it. I was using the new user interface, and didn’t check if the Classic View would have these settings available.
In Europe, we use the email system provided by Ovh.co.uk. The Email Privacy Tester could not pull any information from the system.
The web user interface for email at Ovh is provided by Roundcube software. It is possible to adjust image settings, and the default is that it doesn’t display images.
Here is how you can test you email provider with the Email Privacy Tester:
- Go to the test page and enter your email address.
- Check your email inbox, and open the message that you have received from the test tool.
- Click the Confirm-link.
- It takes you back to the test tool. Click Send Email.
- Check your inbox again, and open a new message sent by the test tool. Don’t click any links or objects in the message yet.
- Now, go back to the test tool page.
The test page displays the pieces of data it has managed to extract from your email system. Red boxes pop up on the page as it discovers new data related to you and the email system.
If all boxes remain gray, you are fine. It means that the test tool hasn’t managed to pull any extra data from the email system.
EFF has more about email security in this article.