
Analysts: Email spy pixels have become 'endemic'

Analysts at the Hey messaging service revealed that a staggering two-thirds of the emails sent to its users' email accounts contained a 'spy pixel' – a minuscule, effectively invisible image file embedded into the body of an email that can expose certain information about the email recipient, even their location. Proponents of spy pixels argue the practice is nothing out of the ordinary and a conventional tactic used by marketers to track email marketing campaigns. Digital privacy advocates, however, are quick to point out the alarming privacy implications of the practice.


At the BBC's request this week, analysts at Hey reviewed the service's email traffic and disclosed their finding that the majority of emails sent to its users' accounts contained spy pixels. And that is not including spam emails. The findings suggest that the prevalence of the furtive marketing tactic is arguably far greater than most people would have imagined it to be, if they even realized that the practice existed in the first place.

Indeed, the practice of embedding spy pixels into marketing email messages is widespread and employed by some of the largest companies doing business in the UK. The BBC's report named British Airways, TalkTalk, Vodafone, Sainsbury's, Tesco, HSBC, Marks & Spencer, Asos, and Unilever as some of the more prominent organizations in the UK that are actively deploying spy pixels in the marketing emails they are sending to consumers. The widespread and pervasive use of spy pixels by large organizations like these and others has led analysts at Hey to label the practice 'endemic'. And the privacy implications of the practice are highly concerning – concerning enough that Hey co-founder David Heinemeier Hansson has labeled the stealthy tactic a "grotesque invasion of privacy".

Essentially, spy pixels, also known as beacons or pixel tags, are tiny image files – commonly in .gif or .png format – embedded into an email's header, footer, or body. These pixels can be as small as 1x1 and are typically designed to be deliberately transparent, blending into the email message and rendering them virtually impossible to detect visually. Email recipients would literally have no idea that they're even there. Nor would they typically be aware of what spy pixels are capable of tracking: things like precisely when and how many times the user opened the email, information regarding the user's device and operating system, and even the recipient's location through their IP address.

Equally concerning is that no action whatsoever from the email recipient beyond opening the email is necessary for the spy pixel to activate and broadcast this information to the sender. This is because the pixel is automatically downloaded from a server operated by the sender when the recipient opens the email, and the recipient's data is sent to that server and logged there for analysis.

Businesses that deploy spy pixels justify their use by maintaining that the practice is merely a commonly used, industry-standard marketing tool and that the pixels are designed to be tiny and transparent so as to be as unobtrusive as possible.

Never will these businesses (publicly) concede that the practice is in any way an intrusion on the privacy of the email recipient.

Companies also rationalize their use because they notify consumers of the pixels' presence in their privacy policies. That may indeed be the case, but any such notice is typically buried somewhere in a voluminous and at times impenetrable privacy policy that consumers typically do not bother reading, anyway.

Consider the following three examples from the privacy policies of a few of the companies explicitly mentioned by the BBC as employing spy pixels in their email marketing communications:

Vodafone UK: "We use cookies (small text files stored in your browser) and other techniques such as web beacons (small, clear picture files used to follow your movements on our website)."

Tesco: "We and our partners use cookies and similar technologies, such as tags and pixels ("cookies"), to personalize and improve your customer experience as you use our Websites and Mobile Apps and to provide you with relevant online advertising."

Marks & Spencer: "Our website uses cookies, and similar technologies such as pixels and beacons, to collect information. This includes information about browsing and purchasing behavior by people who access our websites. It also includes information about pages viewed, products purchased, the customer journey around our websites and whether marketing communications are opened".

In the examples above, the language may be clear and straightforward enough for any English-speaking individual to comprehend, but the information presented is not nearly as comprehensive as it could be. Nowhere is it mentioned that these beacons are exposing the recipient's device information and location to the sender; and rarely is it mentioned that the sender is able to see when and how many times the email was opened. Nor is it communicated to consumers that the spy pixels are intentionally made invisible so as to entirely conceal their presence from the recipient.

The language that companies use to "inform" consumers of the practice is deliberately vague. But by mentioning their use of beacons in their privacy policies, these companies are largely able to insulate themselves from the reach of privacy legislation. By using the website and receiving the marketing emails, consumers have agreed to abide by what is spelled out in the privacy policy.

Some email services may include a feature that warns users any time a spy pixel is detected, but users are otherwise left on their own when it comes to protecting their privacy against the practice. Email users can either install a plugin into their email client to block the pixels, read their emails strictly in plain text, or manually set their email client to not automatically load images.

Alternatively, users can connect to a VPN to conceal their true IP address and effectively hide their physical location when opening an email. Doing this will only prevent the email sender from knowing the email recipient's true location, however. When and how many times the email was opened as well as the recipient's device information could still be logged and divulged to the sender.
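The kind of check a pixel-blocking plugin or a warning feature could run before any images load can be sketched as follows. This is an added example, not code from Hey or from any mail client; the heuristics (remote image that is 0-1 px or hidden by inline style), the function names and the sample message are all assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Inline styles that hide an image or shrink it to 0-1 px.
HIDDEN = re.compile(r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
                    r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (url, reason) for remote images that are tiny or hidden

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        # Only remote images contact the sender's server; cid:/data: are local.
        if tag != "img" or not src.lower().startswith(("http://", "https://")):
            return
        tiny = any(re.fullmatch(r"[01](px)?", a.get(d, ""), re.I)
                   for d in ("width", "height"))
        if tiny or HIDDEN.search(a.get("style", "")):
            self.hits.append((src, "tiny" if tiny else "hidden-style"))

def find_spy_pixels(raw_message):
    """Return (url, reason) for each suspected tracking pixel in the HTML body."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:  # plain-text-only mail cannot carry a pixel
        return []
    finder = PixelFinder()
    finder.feed(part.get_content())
    return finder.hits

# Constructed sample; every host and ID below is made up.
SAMPLE_HTML = """<html><body>
<img src="https://cdn.example.com/banner.png" width="600" height="200">
<img src="https://track.example.com/open?id=abc123" width="1" height="1">
<img src="https://track.example.net/o.gif" style="display:none">
<img src="cid:logo@example.com" width="1" height="1">
</body></html>"""

def build_sample():
    msg = EmailMessage()
    msg.set_content("Plain-text version")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    return msg.as_string()

if __name__ == "__main__":
    print(find_spy_pixels(build_sample()))
```

A full-size remote image can serve the same tracking purpose, which is why disabling automatic image loading is the more complete setting; the heuristic only catches the invisible variety the article describes.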

Although companies will undoubtedly continue to employ sneaky methods to collect consumer data surreptitiously, consumers still have certain options at their disposal to counteract such tactics.

Written by: Attila Tomaschek

Attila is a Hungarian-American currently living in Budapest. Being in the VPN game for over 5 years, along with his acute understanding of the digital privacy space enables him to share his expertise with ProPrivacy readers. Attila has been featured as a privacy expert in press outlets such as Security Week, Silicon Angle, Fox News, Reader’s Digest, The Washington Examiner, Techopedia, Disruptor Daily, DZone, and more. He has also contributed bylines for several online publications like SC Magazine UK, Legal Reader, ITProPortal, BetaNews, and Verdict.

