Email has always had privacy problems — it’s only now that we’re able to see them
Mike Davidson wrote about Superhuman, a web client for Gmail that features some remarkably creepy tracking options. Not only does Superhuman spy on who opens your emails, it also tells the sender exactly where the recipient is and how many times they opened the email. Superhuman is by no means the only one doing this, but they’ve taken it to another level. Sparrow also does this type of spying, in addition to dumping all your mail onto their own servers. I’m glad that awareness of these practices is spreading. Let’s label this for what it is: spyware. Users deserve better.
What makes this type of behavior so unethical? It breaks the assumptions that email is built on. A user understands email as the digital equivalent of a letter: a static, sealed document that is irrevocable once sent, and that the recipient may reply to, discard or view whenever they wish. What no one expects is that each email is a mini spyware app, phoning home each time it’s viewed.
This practice has slowly crept out of email marketing software and into business email clients. Now, having become standard in messaging apps, read receipts are slowly entering personal email clients too. There is a big difference though. Messaging apps make read receipts obvious to the user, and the user has complete control over them. In contrast, Superhuman hides the tracking features, has them switched on by default and gives the recipient no way to opt out.
Paul Graham wrote that a good business should “fix what is obviously broken.” To me, the current state of email privacy is completely broken. I expect total privacy from my email client.
I’ve been thinking about how to design a client to work around this. I can think of three approaches. The first would be to disable HTML in emails and convert HTML-only emails into plain text. There is much to like about plain text emails. They render fast, they are easy to search, they can’t contain tracking pixels and they reflow and wrap perfectly on every device. Even ConvertKit, a company that sells email marketing software, advises users to send marketing emails in plaintext.
Secondly, you can block external resources from loading from a third-party domain. This is how ad blockers work in Safari, but it becomes more difficult in emails. The tracking pixels are often generated dynamically for each email, and senders can also embed tracking into otherwise innocuous elements, such as a header or product image.
Lastly, you could proxy the email through a remote server that downloads any external images or resources. Google does this with Gmail, and while it does protect your device and location information, it doesn’t prevent the sender knowing when you opened the email.
I expect the solution to require some combination of the first and second approach. In the meantime, you have my word that I will continue to keep worrying about these issues and developing Aura into an email client that works for the user to defend their privacy.
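A sketch of how the first two approaches can combine, as an added example (not Aura's code): because a tracker can hide in any image, it removes every reference that loads from a remote host on render instead of guessing which ones are pixels, keeps inline `cid:` images and clickable links, and also returns a plain-text view. The names `RemoteBlocker`, `neutralize` and `SAMPLE`, and the `t.example` and `shop.example` hosts, are constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)  # absolute or protocol-relative URL
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)['\"]?\s*\)", re.I)
AUTOLOAD = {"src", "srcset", "background", "poster"}  # fetched on render, no click

class RemoteBlocker(HTMLParser):
    """Rebuild an HTML body with every automatic remote fetch removed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.text, self.blocked, self.raw = [], [], [], None
    def _css(self, css):  # neutralise remote url(...) references inside CSS
        self.blocked += CSS_URL.findall(css)
        return CSS_URL.sub("none", css)
    def handle_starttag(self, tag, attrs):
        self.raw = tag if tag in ("script", "style") else self.raw
        kept = []
        for name, value in ((n, v or "") for n, v in attrs):
            loads = name in AUTOLOAD or (tag == "link" and name == "href")
            if loads and any(REMOTE.match(part) for part in value.split(",")):
                self.blocked.append(value.strip())  # the attribute is dropped
            else:
                kept.append((name, self._css(value) if name == "style" else value))
        self.out.append("<%s%s>" % (tag, "".join(' %s="%s"' % (n, escape(v)) for n, v in kept)))
    def handle_startendtag(self, tag, attrs):  # <img ... /> has no end tag
        self.handle_starttag(tag, attrs)
        self.raw = None
    def handle_endtag(self, tag):
        self.raw = None if tag == self.raw else self.raw
        self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if self.raw == "style":
            self.out.append(self._css(data))
        elif self.raw is None:  # script bodies are dropped entirely
            self.out.append(escape(data))
            self.text.append(data)

def neutralize(html_body):
    p = RemoteBlocker()
    p.feed(html_body)
    p.close()
    return "".join(p.out), p.blocked, " ".join(" ".join(p.text).split())

# Constructed sample: a CSS background beacon, a tracking image, a cid: image, a link.
SAMPLE = ('<style>p{background:url("https://t.example/bg.gif")}</style>'
          '<p>Hi &amp; welcome</p><img src="https://t.example/o.gif?u=1" width="1">'
          '<img src="cid:logo@local"><a href="https://shop.example/sale">Sale</a>')
```

`neutralize(SAMPLE)` returns the rewritten HTML, the list of blocked URLs and the plain-text fallback; a client could show the blocked list to the user and offer a per-sender "load images" choice.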
How it will affect independent developers and kill innovation
Google, bruised from years of privacy scandals and keen to avoid its own Cambridge Analytica incident, announced last year that any project touching user data in Gmail would now require verification. What verification meant was left unclear until the beginning of this year.
When the dust settled, Google published an FAQ outlining what was required. Any app touching user data was required to pay a fee between $15,000 and $75,000 or more. A full security audit was required by one of two third parties selected by Google. Cries of protest went up around the web, and several services announced their intention to shut down.
Fearing the worst I was preparing to email users and start shutting down Aura. However, because Aura doesn’t store any user data on its own servers I was able to avoid the security audit. After five months of waiting, Aura has just completed the verification.
Ajay Goel, developer of the Gmass extension, has live blogged the process – still ongoing. If it looks opaque and unclear, that’s because it is. The Google team reviewing applications takes weeks or months to reply, and frequently loses the thread of the conversation.
With a user base of 1.4 billion, Gmail has become a platform in its own right. What makes this policy so frustrating is the inconsistency. Any email app can still connect to Gmail using POP3 or IMAP, which aren’t subject to these checks. The result will be to stifle innovation, frustrate users and increase prices for all services.
I’m launching Aura Talk; it’s available here. What is it? It’s a community site, built on Discourse (which is awesome software, check it out if you need a forum). I’ve found that as Aura grows in users and complexity, I need something better to co-ordinate everything.
I’ll be using it to do things like:
collect bug reports
run betas and collect feedback on the next version of Aura
and just generally to make Aura as great as it can be
In an attempt to make it effortless to log in, there’s no need to create an account. All authentication is done through your Google account. Full details are here, but the TLDR is that you only need to have used Aura before, and the trial will do.
Head over to check it out, it’s going to get busier over there soon.
Bringing dark mode, Mojave support, search and thousands of other improvements to Aura
I’m delighted to release Aura 4. This release represents many thousands of changes that make this a faster, more powerful and useful app. For the sake of brevity, here are just three of the main ones.
The search bar has become much more powerful. A fuzzy, quick search matches thousands of items from your accounts and lets you jump to anything instantly. Contacts, inboxes, categories, labels or types of mail.
Improvements all round to how Aura interacts with Gmail. All of Gmail’s smart categories are accessible. The synchronization has been improved along with better sleep/wake behavior.
Mojave added support for a system dark mode, and Aura fully supports it. You’ll even notice the theme colors used throughout.
Finally, stricter requirements for access to Gmail data were published at the beginning of the year. Aura has always treated your email data securely and already met all of the requirements. But users of older versions of Aura will need to migrate to Aura 4 as API keys for versions 1 - 3 are going to expire. Aura 4 is a free upgrade for all customers and I will be contacting you soon if you haven’t yet upgraded.