Who really reads your e-mail?

March 8, 2008 – 3:19 PM

The people in my personal focus group (my wife, my mother, and some coworkers at CNET) agree that this is one of the creepiest things they’ve ever heard of: a new service that will tell your correspondents exactly when you opened the e-mail they sent you. It will also tell them how long you took to read their message and which computer you used to do so. The kicker: You’ll never know all this information is being collected. It’s a supercharged return receipt that’s completely invisible. The service is called DidTheyReadIt. What it does is insert a small tracking device, often called a Web bug, into the e-mail that you want to track. When your recipient opens your message, the bug (a one-pixel, transparent GIF file) is pulled from the DidTheyReadIt server, generating a logged event that shows when the message was opened and for how long.

Whose mail is it, anyway?
The existence of this service raises interesting privacy issues. Do we have the right to read e-mail without sending a beacon back to the sender that we’re doing so? Certainly it’s customary that no beacon is sent. However, while personal messages don’t usually send such beacons back to their senders, many commercial messages and most commercial Web sites have been closely metered for some time. You can’t twitch a mouse on a big site like Amazon (or CNET, for that matter) without creating a log file entry that likely has your IP address attached to it.

The difference is the one-to-one nature of e-mail from friends or associates. Big sites aggregate log file entries and use the information to design more effective overall sales strategies or more compelling content. Individuals could use the data for other purposes that you might not like.

Furthermore, such tracking eliminates one of personal e-mail’s big charms: plausible deniability. “Sorry, I haven’t read your e-mail yet,” will vanish as an excuse for a tardy reply. And worse, if a sender knows you read his or her e-mail and you don’t reply in a timely fashion, you could be in line for social or business awkwardness of a very high order.

DidTheyReadIt adds presence to e-mail; with this live tracking, e-mail becomes similar to instant messaging. With IM, you can tell if your recipient is online and awake; with e-mail, to date, you haven’t been able to. DidTheyReadIt changes that. In fact, it goes beyond IM, by hiding the fact that people are watching your activity. Most IM systems at least require that you approve the addition of people to your buddy list before they can see your presence.

DidTheyReadIt has some legitimate uses. What with antispam products occasionally blocking even good e-mail these days, you might want to use this product to make sure that your personal e-mail messages are punching through your recipient’s filters. And it could turn e-mail into a medium with higher legal status than it has now. But overall, the product changes the customary usage models of e-mail, and more importantly, it just creeps people out. People should be able to turn off the capability of DidTheyReadIt to spy on them or at least be able to see if people are doing it.

Get out of my in-box!
Fortunately, there are countermeasures. While almost any e-mail reader that displays HTML will send DidTheyReadIt beacons, text-based e-mail programs (such as Pine, which, I admit, hardly anybody uses anymore) won’t. Also, capitalism has come to the rescue: shortly after DidTheyReadIt was released, a competing company bought the DidTheyReadIt Google AdWord and started selling its Email Tracking Blocker, which it’s claimed will hide your e-mail presence from DidTheyReadIt and other products like it.

There are other antitracking methods. Some people have proposed turning off the automatic download of images in e-mail, but few e-mail products have this option–Outlook does, but only in the 2003 version, and even then, e-mail from people in your address book is exempt from this setting by default.

But there is a way to flag DidTheyReadIt-tracked e-mail in Outlook, at least for now: set a filter to catch any messages containing a reference to didtheyreadit.com, which is the server the tracking bug is downloaded from. You can’t see this code when you read the message, but it has to exist in the HTML body of the message for the service to work. At least this way you can see who’s bugging you, which is half the battle, and it turns the tables on the system, allowing you to reply to your senders with indignant messages asking why they find it necessary to track your e-mail reading behavior. However, while this simple filter works today, it won’t take much for DidTheyReadIt’s manufacturer to bypass it.

Ultimately, I expect that antispam programs will offer options to scan for tracking bugs and quarantine messages that have them. So, if you feel your privacy is being invaded when e-mail messages report back to their senders when you read them, you won’t have to wait long for more solutions to appear.
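The kind of scan described in the last two paragraphs can be sketched in a few lines of Python. This is an added example, not code from the article or from any product it names: it flags references to didtheyreadit.com and, going beyond the simple domain filter, any remote image declared as one pixel or smaller. The sample message, its image paths, and the example.net host are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

TRACKER_DOMAINS = {"didtheyreadit.com"}  # the host named in the article

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # attribute dict for every <img> tag seen
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def is_tiny(img):
    """True when width and height are both declared as 0 or 1 pixel."""
    return all(img.get(k, "").strip().rstrip("px") in ("0", "1") for k in ("width", "height"))

def find_web_bugs(raw_message):
    """Return (url, reason) for each remote image that looks like a beacon."""
    findings = []
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            url = img.get("src", "")
            host = (urlparse(url).hostname or "").lower()
            if not host:  # cid: and data: images never contact a server
                continue
            if any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS):
                findings.append((url, "known tracker domain"))
            elif is_tiny(img):  # catches beacons served from an unlisted host
                findings.append((url, "remote 1x1 image"))
    return findings

# Constructed sample message; the subject and image paths are made up.
SAMPLE = """\
Subject: Quick question
Content-Type: text/html; charset="utf-8"

<img src="http://didtheyreadit.com/constructed-id.gif" width="1" height="1">
<img src="http://images.example.net/o.gif" width="1" height="1">
<img src="http://images.example.net/logo.png" width="200" height="60">
"""

if __name__ == "__main__":
    print(find_web_bugs(SAMPLE))
```

The size check only sees dimensions declared in the tag, so a beacon that omits them is caught only when its host is listed.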

And if you feel it necessary to use DidTheyReadIt or products like it, I’d caution you that it may not be worth it. While the tracking bugs are currently almost undetectable, they won’t stay that way forever. So don’t plan on being able to hide your use of this service for long. Also, keep in mind that the people I talked to called the tracking capability creepy, pushy, slimy, and other choice epithets. I’d guess that’s not the kind of impression you’re trying to make when you e-mail friends and associates.

