Email Privacy is Broken

Email has always had privacy problems — it’s only now that we’re able to see them

Mike Davidson wrote about Superhuman, a web client for Gmail that features some remarkably creepy tracking options. Not only does Superhuman spy on who opens your emails, it also tells the sender exactly where the recipient is and how many times they opened the email. Superhuman is by no means the only one doing this, but they’ve taken it to another level. Spark also does this type of spying, in addition to dumping all your mail onto their own servers. I’m glad that awareness of these practices is spreading. Let’s label this for what it is: spyware. Users deserve better.

What makes this type of behavior so unethical? It’s because it breaks the assumptions that email is built on. A user understands email as the digital equivalent of a letter. It’s a static, sealed document that, once sent, is irrevocable, and that you may reply to, discard or view whenever you wish. What no one expects is that each email is a mini spyware app, phoning home each time it’s viewed.

This practice has slowly crept out of email marketing software and into business email clients. Now, having become standard in messaging apps, read receipts are slowly entering personal email clients too. There is a big difference though. Messaging apps make read receipts obvious to the user, and the user has complete control over them. In contrast, Superhuman hides the tracking features, has them switched on by default, and gives the recipient no way to opt out.

Paul Graham wrote that a good business should “fix what is obviously broken.” To me, the current state of email privacy is completely broken. I expect total privacy from my email client.

I’ve been thinking about how to design a client to work around this. I can think of three approaches. The first would be to disable HTML in emails and convert HTML-only emails into plain text. There is much to like about plain text emails. They render fast, they are easy to search, they can’t contain tracking pixels and they reflow and wrap perfectly on every device. Even ConvertKit, a company that sells email marketing software, advises users to send marketing emails in plain text.

Secondly, you can block external resources from loading from third-party domains. This is how ad blockers work in Safari, but it becomes more difficult in emails. Tracking pixels are often generated dynamically for each email, and senders can also embed tracking into otherwise innocuous elements, such as a header or product image.

Lastly, you could proxy the email through a remote server that downloads any external images or resources. Google does this with Gmail, and while it does protect your device and location information, it doesn’t prevent the sender from knowing when you opened the email.

I expect the solution to require some combination of the first and second approaches. In the meantime, you have my word that I will continue to keep worrying about these issues and developing Aura into an email client that works for the user to defend their privacy.
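
The second approach, sketched as an added example (not Aura's code): because pixels are generated per email and tracking can ride on an ordinary header image, this blocks every automatically fetched remote URL rather than matching known tracker domains. The names `RemoteBlocker` and `block_remote`, the attribute list and the sample hosts are assumptions made for illustration; CSS `url()` and `<link>` loads are outside what it covers.

```python
import re
from html import escape
from html.parser import HTMLParser

# Attributes that make a mail renderer fetch a URL without any user action.
FETCH_ATTRS = {"src", "srcset", "background", "poster"}
REMOTE = ("http://", "https://", "//")


def is_remote(value):
    """True if any URL in the value (srcset may list several) leaves the device."""
    tokens = re.split(r"[\s,]+", value.strip().lower())
    return any(tok.startswith(REMOTE) for tok in tokens)


class RemoteBlocker(HTMLParser):
    """Re-emit the HTML with auto-fetched remote URLs dropped and recorded."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name in FETCH_ATTRS and value and is_remote(value):
                self.blocked.append(value)  # attribute dropped: no request is made
                continue
            kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def block_remote(html):
    """Return (sanitised_html, blocked_urls); cid: and data: images are kept."""
    parser = RemoteBlocker()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked
```

The returned list of blocked URLs is what a client could surface to the user before offering a per-message "load remote images" choice.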