Wednesday, July 3, 2019

Superhuman Embeds Tracking Pixels in User E-mails

Mike Davidson (via Hacker News):

It is disappointing then that one of the most hyped new email clients, Superhuman, has decided to embed hidden tracking pixels inside of the emails its customers send out. Superhuman calls this feature “Read Receipts” and turns it on by default for its customers, without the consent of its recipients. You’ve heard the term “Read Receipts” before, so you have most likely been conditioned to believe it’s a simple “Read/Unread” status that people can opt out of. With Superhuman, it is not. If I send you an email using Superhuman (no matter what email client you use), and you open it 9 times, this is what I see[…] A running log of every single time you have opened my email, including your location when you opened it.


They’ve identified a feature that provides value to some of their customers (i.e. seeing if someone has opened your email yet) and they’ve trampled the privacy of every single person they send email to in order to achieve that.

This has long been common with spam and mass marketing tools like MailChimp. But adding tracking—which the sender can’t turn off—for personal e-mails takes this to a new level. The only recourse for the recipient is to turn off automatic display of all remote images, as I describe in the SpamSieve documentation.


What bothered me the most about tracking pixels in emails (when using Apple Mail) was false positives:

I would occasionally have someone ask me why I opened their email 20+ times before responding (I didn’t).

After a while, I realized that when using the “arrow down” key to scroll through your inbox in Apple Mail (with split view enabled), Apple Mail will open and render every email in the split view when attempting to open an email further down in the inbox. This would result in every tracking pixel being loaded/rendered dozens of times, even when the email was open on the screen for < 200ms.

See also: David Heinemeier Hansson.


Update (2019-07-05): Rahul Vohra (tweet):

We are making these changes:

  1. We have stopped logging location information for new email, effective immediately.
  2. We are releasing new app versions today that no longer show location information.
  3. We are deleting all historical location data from our apps.
  4. We are keeping the read status feature, but turning it off by default. Users who want it will have to explicitly turn it on.
  5. We are prioritizing building an option to disable remote image loading.

Walt Mossberg:

This is a good first step. Better than doing nothing. But it’s not enough. I read the full blog post. It makes no mention of disabling tracking how often the recipient opens the email. It’s also full of the rationalization that secret tracking is ok in “business” software.

Michael Rockwell:

Maybe content blockers for email apps should be a thing.

See also: Nilay Patel.

Update (2019-07-10): David Heinemeier Hansson:

Microsoft understood years ago how to offer ethical read receipts in email.

