By Caitlin Counihan, CCO, CCPA, Digital Forensic Analyst

The marketing emails arriving in your Gmail inbox are not just a “one way” product advertisement from a marketer – those emails also send information about you back to the marketing company: whether the email has been opened, when it was opened, and an approximate location inferred from the IP address the request came from. From a business perspective, such email tracking is an incredibly useful tool, since the marketer can quickly determine whether the recipient received the email or clicked on the intended link. However, the behavioral information that is tracked and sent back to the marketer is more than just a privacy issue – the tracking technology creates hidden security risks. This article outlines those risks and provides some simple steps to address them so that the reader can be more secure when using Gmail.

First, let’s expose the technology used by email marketers to glean information from the target audience (you). There are two common ways that emails are tracked: with a “redirect link” or with a “tracking pixel.” Redirect links are the simplest form of email tracking. Instead of pointing straight at the product page, the link in the email points at the marketer’s tracking server and carries a unique identifier for you (typically a random token or an encoded form of your email address). When you click, your browser first requests the tracking URL; the server records the click together with what the request reveals about you, such as your browser version and the IP address you clicked from, and only then redirects you to the product page. A tracking pixel is a more covert way to record the target’s behavior, because no click is required: a tiny image, usually one pixel in size and often styled to be invisible, is embedded in the email, and its URL also carries your identifier. When the email is opened and images are loaded, the pixel is fetched from the marketer’s server, which logs the fetch as an “open” event. These response events accumulate over time in the marketer’s database, enabling the marketer’s email software to report metrics such as open rate and click-through rate. The marketer can then view reports on both aggregate response statistics and an individual’s responses over time. Gmail assists email marketing software because it, too, tracks information by collecting unique identifiers tied to your browser, application, or the device that you are using [1]. These user identifiers include names, email addresses, usernames and browser versions. One caveat worth knowing: Gmail loads external images through Google’s own proxy servers, so a tracking pixel generally tells the marketer that and when the email was opened, while the IP address it sees is Google’s rather than yours; a clicked redirect link, by contrast, is requested directly by your browser and does reveal your IP address.
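To make the two techniques concrete, here is a small, added example (not from the original article) that scans an email for the tell-tale signs just described: an `<img>` that is one pixel in size, hidden by CSS, or carries a recipient identifier in its URL, and an `<a href>` whose query string wraps the real destination URL or a recipient identifier. The message, the domains and the list of identifier parameter names are all constructed for the demonstration and are assumptions, not data from any real campaign; the script uses only the Python standard library.

```python
"""Flag tracking pixels and click-tracking redirect links in an email (stdlib only)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message; the domains are placeholders, not a real marketer.
SAMPLE_EML = """\
From: Marketing <news@example-shop.test>
To: you@example.test
Subject: Spring sale
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi there, our spring sale is on.</p>
<a href="https://click.example-shop.test/r?u=https%3A%2F%2Fexample-shop.test%2Fsale&amp;rid=8f3a21">Shop now</a>
<a href="https://example-shop.test/privacy">Privacy policy</a>
<img src="https://example-shop.test/logo.png" width="200" height="60" alt="logo">
<img src="https://open.example-shop.test/o.gif?rid=8f3a21" width="1" height="1" style="display:none">
</body></html>
"""

# Query parameter names commonly used to identify a recipient (assumed list, extend as needed).
TRACKER_PARAMS = {"rid", "uid", "cid", "eid", "mid", "utm_campaign", "utm_source"}


class _Collector(HTMLParser):
    """Collect every <img src> and <a href> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _tiny(value):
    """True if an HTML width/height attribute denotes at most one pixel."""
    try:
        return float(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


def is_tracking_pixel(img):
    """Heuristic: invisible or 1x1 images, or images tagged with a recipient identifier."""
    style = (img.get("style") or "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    tiny = _tiny(img.get("width")) and _tiny(img.get("height"))
    params = parse_qs(urlparse(img["src"]).query)
    tagged = bool(TRACKER_PARAMS & set(params))
    return hidden or tiny or tagged


def is_redirect_link(href):
    """Heuristic: a query value that is itself an absolute URL, or a recipient identifier."""
    params = parse_qs(urlparse(href).query)
    for values in params.values():
        for v in values:
            if urlparse(v).scheme in ("http", "https"):
                return True  # the real destination is wrapped inside the tracking URL
    return bool(TRACKER_PARAMS & set(params))


def analyze(raw):
    """Return the pixel URLs and redirect links found in the HTML part of a raw email."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return {"pixels": [], "redirects": []}
    collector = _Collector()
    collector.feed(body.get_content())
    return {
        "pixels": [i["src"] for i in collector.images if is_tracking_pixel(i)],
        "redirects": [h for h in collector.links if is_redirect_link(h)],
    }


if __name__ == "__main__":
    for kind, urls in analyze(SAMPLE_EML).items():
        print(kind)
        for u in urls:
            print("  ", u)
```

Run it against any message you save from Gmail with “Show original”; the logo and the privacy-policy link pass, while the 1x1 hidden image and the link that wraps `https://example-shop.test/sale` behind `click.example-shop.test` are flagged. The heuristics are deliberately simple and will miss a pixel served without a size attribute or identifier, which is exactly why the settings change below, not detection, is the recommended defense.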

The problem is that email tracking can be exploited by attackers. A malicious sender can use the same tracking technology to collect confidential information about businesses and individuals, which can then feed a convincing phishing campaign. Where the tracking server uses plain HTTP rather than HTTPS, the identifier in the pixel or redirect link, and whatever the request reveals about you, travel unencrypted and can be read by anyone on the network path. Spammers and phishers also use email tracking to confirm that an email address is active and read by a person, and to pinpoint individuals who open and click on unsolicited mail. Do you really want unscrupulous actors to know when, and possibly where, you are checking your email?

There is one easy step you can take to defeat most trackers within Gmail: stop your email from automatically loading images, since pixels hide within images. This will not block all trackers (a redirect link still reports back the moment you click it), but it stops the silent “open” reporting that most of them rely on. The following are the simple steps for disabling image autoloading in Gmail on a computer and on a mobile device.

How to Disable Image Autoloading on a Computer:

  • In your web browser, log into your Gmail account and then click on the gear icon in the upper right corner.
  • Click on “See all settings.”
  • In the “General” tab, scroll down to “Images.”
  • Select “Ask before displaying external images.”
  • Scroll down to the bottom of the page and click on “Save Changes.”

How to Disable Image Autoloading on a Mobile Device:

  • In the Gmail app, select the three-line icon in the upper left corner.
  • Scroll down and select “Settings.”
  • Select the email account you want to change.
  • Scroll down to and select “Images.”
  • Select “Ask before displaying external images (also disables dynamic email).”