Recently Gmail started caching all images sent to its users and by default will now display them when you look at your email. At first glance it seems like a good idea. It protects your IP address, stops the sender dropping cookies in your browser and possibly speeds up image loading for you. What it doesn’t do is stop the sender knowing that you opened the email. Your privacy is at risk if you enable this. Marketing efforts just became a lot easier.
A carefully crafted image filename will let the sender know that a particular user viewed their spam email, even if Google hosts the file on its own servers. Google has to fetch the file from the sender’s server, and the URL it requests will contain a number or string identifying that user, for example:
http://example.com/logo.jpg?email=joe@example.com
As soon as that image is opened by Google the sender knows they have a valid email address.
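A defender-side check for the pattern described above, as an added example that is not part of the original post: it parses an HTML message body and flags remote image URLs that carry the recipient's address or a long opaque token. The function name, the 16-character token threshold and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, unquote

# Heuristics (assumed): a value of 16+ URL-safe characters is treated as a per-recipient token.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")
EMAIL_RE = re.compile(r"[^@\s/?&=]+@[^@\s/?&=]+\.[A-Za-z]{2,}")

class _ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.srcs.append(src)

def find_tracking_images(html, recipient):
    """Return [(url, reason)] for image URLs that look unique to one recipient."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # cid: and data: images are embedded, nothing is fetched from the sender
        decoded = unquote(parts.path + "?" + parts.query)  # catches %40-encoded addresses
        values = [v for _, v in parse_qsl(parts.query)]
        stems = [seg.rsplit(".", 1)[0] for seg in parts.path.split("/")]
        if recipient.lower() in decoded.lower():
            findings.append((src, "recipient address in URL"))
        elif EMAIL_RE.search(decoded):
            findings.append((src, "email address in URL"))
        elif any(TOKEN_RE.fullmatch(s) for s in values + stems):
            findings.append((src, "long opaque token in URL"))
    return findings

# Constructed sample message body, not taken from a real email.
SAMPLE_HTML = """
<img src="http://example.com/logo.jpg?email=joe@example.com">
<img src="http://example.com/static/banner.png">
<img src="http://example.com/i.png?u=joe%40example.com">
<img src="https://example.com/o/3f9a1c7e5b2d4086a1b2c3d4e5f60718.gif" width="1" height="1">
<img src="cid:logo@example.com">
"""

if __name__ == "__main__":
    for url, reason in find_tracking_images(SAMPLE_HTML, "joe@example.com"):
        print(f"{reason}: {url}")
```

A shared image such as banner.png is not flagged because its URL is the same for every recipient; only a URL that differs per recipient tells the sender who opened the message.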
How easy is it to track usage? It’s simple! I wrote a plugin in 2007 called blog voyeur that could track visitors who viewed my blog through RSS readers if they had left comments here. (I’m not using that plugin any more, don’t worry, your anonymity is safe!)
The documentation on the new settings says as much, but I doubt many people will look there:
“In some cases, senders may be able to know whether an individual has opened a message with unique image links. As always, Gmail scans every message for suspicious content and if Gmail considers a sender or message potentially suspicious, images won’t be displayed and you’ll be asked whether you want to see the images.”
Gmail does a good job of spotting spam but legitimate email can contain these tracking images too. I get promotional emails from companies I’ve dealt with. I would much rather they not know when I open or even if I have opened their emails. If I wanted them to know, I’d tell them.
So, when you see that popup informing you that images will be displayed, click on Settings and disable image loading.