Is your e-mail watching you?
May 4, 2002
WEB SITES HAVE long planted bits of code called “cookies” on consumers’ hard drives to tailor Internet pages for returning visitors and better target ads. Now, enhanced messages that share the look and feel of Web pages are being used to deliver the same bits of code through e-mail, in many cases without regard for safeguards that have been developed to protect consumer privacy on the Web.
“All of the security and privacy issues on the Web now relate to e-mail,” said Adam Shostack, director of technology at Zero-Knowledge Systems, a Montreal-based privacy and security company. “The shame about this behavior is that it’s going on surreptitiously and people are not given an obvious way to opt out.”
Consumer notice and choice have been at the heart of the Internet privacy debate for years, driving popular Web companies including eBay, Yahoo and DoubleClick to write tough-sounding Web privacy policies. Playing offense, civil libertarians and privacy groups for years have stalked Web sites for violations of their stated policies and have kept an eye on secretive tracking tactics. Although many of the same troubles are cutting into e-mail, disclosure of such data-gathering practices has not received anywhere close to the level of scrutiny it has had on the Web.
With e-mail, however, the stakes for consumer privacy may be higher.
In some cases, spammers may be able to link formerly anonymous consumers with their e-mail addresses. For example, a Web site specializing in horoscopes may know a consumer only by birth date. But if that Web site rents a list of e-mail addresses with that consumer’s address on it, the company may be able to link the address to the individual’s birth date and visits to the site.
“In many ways, e-mail tracking is more powerful because they can correlate the e-mail address with online history,” said Lance Cottrell, president of Anonymizer, an Internet privacy services company.
“There isn’t an opportunity to be fully informed when you receive a spam with remotely loaded graphics used to track your computer,” he added. “It’s a bit of a loophole in the whole process.”
SLIPPING IN WITH THE MAIL
The rise of e-mail tracking runs parallel to the adoption of “rich e-mail,” or messages that incorporate the programming language most commonly used to display Web pages, known as HTML (Hypertext Markup Language). Such messages may include Web pages, audio and video in addition to ordinary text.
According to a recent report from the industry trade group the Direct Marketing Association (DMA), 65 percent of online marketers regularly send HTML e-mail to consumers or prospective customers. By incorporating HTML, the e-mail acts like a Web page, requesting graphics and content from a Web server and counting as a “hit” to the company’s Web site.
Taking advantage of the technology, marketers can track how and when people respond to e-mail, note where they click, and trace follow-up actions on their Web pages. They do this by embedding cookies or clear GIF images known as Web beacons, an action that isn’t possible in a simple text message.
On the simplest level, marketers may embed a numeric tracking code in the “from” line. This code is sent back to the Web site’s service when the recipient visits the site from the e-mail. More sophisticated tracking can involve cookies so that the Web site can detect whether the consumer visits the site days later. Cookies can also help determine how much revenue was booked on a Web site as a result of an e-mail campaign by following the recipient throughout a visit.
The monitoring technology can be planted on consumer hard drives at various stages in the process of delivering and reading an e-mail. In many cases, cookies or Web beacons are set the moment the recipient opens the message or views it in the preview window of the e-mail program. In other cases, cookies are set only when the person clicks on an embedded link that leads to a Web site — an action some argue is part of the Web experience and is the purview of Web privacy policies.
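The check a mail client or filter can make against the behavior described above, as an added example that is not part of the original article: it lists every image an HTML message would fetch from a remote server when opened and marks the ones that look like Web beacons. The sample message, the host names and the two heuristics (1x1 dimensions, a query string on the image URL) are assumptions made for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not from the article); all host names are placeholders.
RAW = """\
From: offers@shop.example.com
To: reader@example.org
Subject: Spring sale
Content-Type: text/html; charset="utf-8"

<html><body><p>Spring sale starts today.</p>
<img src="https://img.shop.example.com/banner.gif" width="600" height="120">
<img src="https://track.example.com/open.gif?r=88213" width="1" height="1">
<img src="cid:logo123" width="80" height="40">
</body></html>
"""

class RemoteImageFinder(HTMLParser):
    """Collect remotely loaded images and mark likely beacons."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images ship inside the message; no server is contacted
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.findings.append({
            "host": url.hostname,       # server that would log the "hit"
            "tiny": tiny,               # clear-GIF style beacon (heuristic)
            "has_id": bool(url.query),  # query string can carry a per-recipient code
        })

def scan_message(raw):
    """Return one finding per remote image in the message's HTML body."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # no HTML part, so opening the message fetches nothing
    finder = RemoteImageFinder()
    finder.feed(body.get_content())
    return finder.findings

print(scan_message(RAW))
```

A client that refuses to fetch the URLs this scan reports, or fetches them only after the reader asks, removes the open-time signal; cookies set after a click-through are outside what it covers.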
Digital Impact, an e-mail marketing services company, uses a range of tactics to measure the effectiveness of campaigns for its customers, which include Citigroup, Bank of America, Wal-Mart, Target and the Gap.
Since its launch in 1998, Digital Impact has sent about 3 billion commercial e-mails. Gerardo Capiel, chief technology officer and co-founder of Digital Impact, said that while about 70 percent of the e-mail the company sends for customers is HTML, less than 30 percent of HTML e-mail includes tracking technology. Capiel said the company asks that its customers address e-mail communications in their privacy policies.
“We don’t set a cookie when you open the e-mail, but you might get one when you click through,” he said. “It’s really a question of how aggressive the marketer wants to get to track revenue.”
Capiel said the company only sends messages to consumers who have opted to receive communications from the client. Still, he acknowledges that people can be sensitive to cookies. “You may end up irking some customers,” he said.
SOFTWARE FIGHTS BACK
Christine Frye, chief privacy officer of Experian’s e-marketing services unit, said the company has started working with customers to educate them on updating their privacy policies to include e-mail tracking. So far, “they’ve been very receptive to that,” she said. She would not name any Experian customers.
Such techniques have become pervasive enough to attract the attention of browser and e-mail software makers.
Some e-mail programs already include settings allowing consumers to block cookies. Microsoft’s Internet Explorer 6.0, for example, offers controls for cookies on the Web and via the company’s Outlook and Outlook Express e-mail programs. Turning on the “prompt for cookies” setting can reveal the stunning extent of the problem, unmasking unsolicited HTML e-mail messages that try to lay down cookies on a hard drive.
According to Microsoft, IE 6, Outlook and Outlook Express block cookies by default in HTML mail and place such mail automatically in a secure “restricted” zone. The settings have not always proven effective, however—well-known security expert Richard Smith has reported at least one bug that allows cookies to be planted through Outlook despite the default settings.
Rajeev Dujari, development manager on IE 6 for Microsoft, countered that Outlook is designed to let consumers read e-mail in different security zones and control cookies through privacy settings. But he admitted that consumers need to better educate themselves to set a defense against increasingly invasive marketing tactics.
“Our default is around cookies being part of a Web experience rather than an e-mail experience,” Dujari said. “When consumers get e-mail, people don’t usually expect a cookie.”
SPREADING THE WORD
There’s a fine line between spam and commercial pitches from an online retailer that ask for permission to send a message. In both cases, the message may plant a cookie on the receiver’s hard drive, but the spammer, by definition, has done so without any pre-established relationship. Still, consumers at the receiving end of both kinds of messages are often not notified of monitoring—either in the mail or in Web privacy policies—nor given the option to block cookies in the future, privacy experts said.
E-mail marketing also raises sticky questions for marketing services companies, which deliver ads into rich e-mail. Although these companies typically guarantee anonymous data-collection, it theoretically would be easy to tie that data back to an e-mail address in an e-mail-based marketing campaign, according to privacy experts.
DoubleClick, a heavyweight in Web ad delivery and e-mail marketing, offers a service called DartMail that lets companies manage, deliver and track e-mail marketing campaigns. The technology allows customers to add software such as cookies or Web beacons to a campaign and track the effectiveness of a promotion.
DoubleClick said that data it collects online is kept separate from data collected through e-mail.
J.Crew did not immediately respond to requests for comment.
PRIVACY DISCLOSURE VARIES
To be sure, some retailers are starting to refer to e-mail monitoring in privacy policies. Amazon.com, for example, mentions that it may use tracking methods via e-mail to determine preferences for future communications. Still, privacy advocates said e-mail privacy practices are largely under-disclosed compared with other media such as the Web.
“E-mail privacy hasn’t been on the radar until recently,” said Larry Ponemon, CEO of the Dallas-based Privacy Council, a knowledge management and technology company. He added that most companies still don’t fully understand how e-mail plays a role in privacy and security.
One problem with the disclosure of e-mail privacy stems from the large percentage of e-mail marketing campaigns that are conducted at arm’s length through third-party providers. As a result, companies that retain e-mail marketing services may not always be fully aware of the practices employed on their behalf.
Although many major companies outsource their e-mail marketing to companies that openly admit to using cookies and other tracking techniques, the privacy policies published online by these companies do not always address the issue of e-mail monitoring.
“There’s a lot less transparency around what’s happening in e-mail marketing than with Web content,” said Alex Fowler, senior director of policy and advocacy at Zero-Knowledge Systems.
By Stefanie Olsen. Copyright © 1995-2002 CNET Networks, Inc.