12 July 2012
Email Hidden Tracking Deceptions
1. Government Email Hidden Tracking Deceptions
Many US federal agencies distribute emails and notifications via
govdelivery.com ("Made for government"). The service embeds hidden URLs
with a lengthy tracking number which logs clicks and identifications of
recipients who retrieve cited documents. Not notifying email recipients of
the tracking feature is a significant privacy violation. DHS examples (some
alphanumerics changed):
This service is provided to you at no charge by the U.S. Department of
Homeland Security.
http://links.govdelivery.com:80/track?type=click&enid=ZWFzPTEmbWFpbGluZ2lkPTIwMTIwMTIwLjU
xMTA1MjEmbWVzc2FnZWlkPU1EQi1QUkYYYYBBBVVVIwMTIwLjUxMTA1MjEmZGF0YWJhc2Vp
ZD0xMDAxJnNlcmlhbD0xNjg0Nzk1NCZlbWFpbGlkPWp5YUBwaXBlbGluZS5jb20mdXNlcmlkPWp5Y
UBwaXBlbGluZS5jb20mZmw9JmV4dHJhPU11bHRpdmFyaWF0ZUlkPSYmJg==&&&102&&&http://
www.dhs.gov/index.shtm
Privacy Policy
http://links.govdelivery.com:80/track?type=click&enid=ZWFzPTEmbWFpbGluZ2lkPTIwMTIwMTIwLjUx
MTA1MjEmbWVzc2FnZWlkPU1EQi1QUkQtQlVMLTIwMTIwMTIwLjUxMTA1MjEmZGF0YWJhc2VpZ
D0xMDAxJnNlcmlhbUUUUYYYYVVVZlbWFpbGlkPWp5YUBwaXBlbGluZS5jb20mdXNlcmlkPWp5YU
BwaXBlbGluZS5jb20mZmw9JmV4dHJhPU11bHRpdmFyaWF0ZUlkPSYmJg==&&&103&&&http://www.
dhs.gov/xutil/gc_1157139158971.shtm
GovDelivery is providing this information on behalf of U.S. Department of
Homeland Security, and may not use the information for any other purposes.
Department of Justice admittedly tracking ID today:
Deputy Attorney General James M. Cole Speaks at the Wells Fargo Press
Conference
http://links.govdelivery.com:80/track?type=click&enid=ZWFzPTEmbWFpbGluZ2lkPTIwMTIwNzEy
Ljg5ODc4MTEmbWVzc2FnZWlkPU1EQi1QUkQtQlVMLTIwMTIwNzEyLjg5ODc4MTEmZGF0YWJhc2
VpZD0xMDAxJnNlcmlhbD0xNzA3MzcyMyZlbWFpbGlkPWp5YUBwaXBlbGluZS5jb20mdXNlcmlkPWp
5YUBwaXBlbGluZS5jb20mZmw9JmV4dHJhPU11bHRpdmFyaWF0ZUlkPSYmJg==&&&
102&&&http://www.justice.gov/iso/opa/dag/speeches/2012/dag-speech-120712.html
The White House admittedly tracks ID minutely too:
Watch the video and get the facts here.
http://links.whitehouse.gov/track?type=click&enid=ZWFzPTEmbWFpbGluZ2lkPTIwMTIwNjI4Ljg2NDc2M
zEmbWVzc2FnZWlkPU1EQi1QUkQtQlVMLTIwMTIwNjI4Ljg2NDc2MzEmZGF0YWJhc2VpZD0xMDAxJn
NlcmlhbD0xNjkwNTM2MiZlbWFpbGlkPWp5YUBwaXBlbGluZS5jb20mdXNlcmlkPWp5YUBwaXBlbGlu
ZS5jb20mZmw9JmV4dHJhPU11bHRpdmFyaWF0ZUlkPSYmJg==&&&100&&&http://www.whitehouse.gov/
blog/2012/06/28/supreme-court-upholds-president-obamas-health-care-ref
The hidden codes may be overlooked: They were discovered when our legacy
email program could not activate them. Last year Cryptome wrote the government
clients of govdelivery.com and the service itself to reveal the tracking
but never received an answer from any.
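What the enid value in links of this layout holds, as an added Python example (not code from the original page): the value is base64 of a query string with fields such as mailingid, serial, emailid and userid, so each link names its recipient. The sample link, its host, address and numbers are constructed.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

RECIPIENT_KEYS = ("emailid", "userid")  # fields that name the recipient

def inspect_tracking_link(url):
    """Return what a 'track?...enid=<b64>&&&N&&&<destination>' link carries,
    or None when the URL is not of that shape (a transparent link)."""
    url = "".join(url.split())            # undo plain-text line wrapping
    parts = url.split("&&&")
    if len(parts) < 3 or "enid=" not in parts[0]:
        return None
    head, link_no = parts[0], parts[1]
    destination = "&&&".join(parts[2:])   # the page the reader wanted
    enid = head.split("enid=", 1)[1].split("&", 1)[0]
    enid += "=" * (-len(enid) % 4)        # restore stripped padding
    try:
        payload = base64.b64decode(enid).decode("utf-8", errors="replace")
    except ValueError:                    # damaged or altered blob
        payload = ""
    fields = dict(parse_qsl(payload, keep_blank_values=True))
    return {
        "tracker": urlsplit(head).hostname,
        "link_no": link_no,
        "destination": destination,
        "fields": fields,
        "recipient_ids": {k: fields[k] for k in RECIPIENT_KEYS if k in fields},
    }

def build_sample():
    """Constructed link in the same layout; host, address, numbers made up."""
    payload = ("eas=1&mailingid=20120101.0000001"
               "&messageid=MDB-PRD-BUL-20120101.0000001&databaseid=1001"
               "&serial=10000001&emailid=reader@example.org"
               "&userid=reader@example.org&fl=&extra=MultivariateId=&&&")
    enid = base64.b64encode(payload.encode()).decode()
    return ("http://links.tracker.example:80/track?type=click&enid="
            + enid[:40] + "\n" + enid[40:]          # wrapped like mail text
            + "&&&102&&&http://\nwww.example.gov/index.shtm")

if __name__ == "__main__":
    info = inspect_tracking_link(build_sample())
    print("tracker:", info["tracker"], "-> real target:", info["destination"])
    for key, value in info["fields"].items():
        print(f"  {key} = {value!r}")
```

The returned destination is the document address without the tracker in front of it.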
A notable exception to hidden tracking is the GAO, which transparently
discloses its URLs:
Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight.
GAO-12-479, July 9.
http://www.gao.gov/products/GAO-12-479
Other USG offices display only a linked title but not the underlying URL,
a method often used to deceive about the link. State Department and FBI examples,
respectively, without hidden tracking code:
Press Releases:
Remarks With Afghan President Hamid Karzai
[We see today at the bottom of State Department email it is also sent by
govdelivery.com and tracks recipients. "Report problems:
<support@govdelivery.com>"]
Alleged Associate of al Qaeda in the Arabian Peninsula Charged in New York
with Providing Material Support and Receiving Military Training in Yemen
2. Commercial Email Tracking Deceptions
Commercial email delivery services also hide tracking code. For example,
Bluehornet.com sent out an email yesterday for the Stratfor Class Action
Settlement which embedded hidden URLs with tracking numbers (original
numbers replaced):
http://echo4.bluehornet.com/yu/10987654321:10987654321:k:9:10987654321:109876543211098765
432110987654321:h
Bluehornet violates the privacy of the email recipients by not calling attention
to its tracking feature, thus implicating the law firm which sued Stratfor
for failing to protect its customer information -- presumably the law firm
does not know it may be subject to privacy violation suits.
Other services embed URLs which track access to articles with concealed codes
that likely also track email recipients without explanation of the codes'
use. New York Times today, egregiously tracking (some alphanumerics changed):
Spend summer vacation at an all-inclusive resort, surrounded by the
crystalline waters of the Pacific Ocean
http://p.nytimes.com/email/re?location=vzewYO/FHLSRA5cTrA4oWdnsb+onKeHxFGl2jINZg1bhIX3P5MN
4T03Fcnswgysn52TggCVcNc5LY2IXAm9BwJ6DmVAwsenGY7ZBBBBBCCCCCBBDbW3WIL+pXZuA&
campaign_id=105&instance_id=16741&segment_id=36060&user_id=5c401f4b636bc9557c9c7a87cab025f8
Amazon (some alphanumerics changed):
The SAGE Handbook of Architectural Theory
http://www.amazon.com/gp/r.html?R=1681XH3C5L4XM&C=1071C1INNZ6FT&H=OOEX4ICXELVALRNTX
SY0POCY0TCA&T=C&U=http%3A%2F%2Fwww.amazon.com%2Freview%2Fcreate-review%2Fref%3Dpe_
6680_24339240_cm_cr_ec_add_1_h_c24339240%3Fie%3DUTF8%26nodeID%3D%26asin%3D1412946131%
26customerID%BVRFWGHDEW35
This for an article listed in a Die Zeit newsletter today (alphanumerics
changed):
http://newsletterversand.zeit.de/go/4/LMTVGB-2W9MEN8-HBV7G81-VXZM6N.html
3. Honest and Dishonest Email
Honest privacy protection advocates will always use transparent URLs. An
EFF example:
For the full motion for partial summary judgment:
https://www.eff.org/document/plaintiffs-motion-partial-summary-judgment
Compare, as one of many possible examples, the otherwise admirable Bradley
Manning Support Network (code changed):
http://bradleymanning.org
http://t.ymlp305.net/mybealcccccccccccccccccj/click.php
Tracking is often justified as legitimate automatic data gathering on users;
however, few, if any, email delivery and tracking services disclose tracking
information with each email. They offer no tracking opt-out choice, provide
no guarantees of anonymity or against misuse of the user data, and seldom
point to either the privacy policies of the service or those of the services'
customers (albeit, no privacy policy is believable). This suggests deliberate
deception and lack of accountability of both the services and their
customers, and in this manner replicates the deceptions of vilified email
spammers.
All users of email should use transparent URLs, and those using hidden tracking
codes should include with each email an explanation of the hidden URLs, the
purpose of the tracking, related privacy policies and a tracking opt-out
choice. Those which do not comply should be blocked, filtered, trashed unread
or returned marked "Choice Expletive."
__________
Related, website links with non-transparent URLs (such as Cryptome uses,
and has no delusional privacy policy) should never be clicked until passing
a pointer over them to verify the underlying code. Avoid lengthy alphanumeric
codes wherever they are hidden.
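The pointer-over check recommended above, automated for an HTML mail body as an added Python example (not from the original page): it lists each link's visible text beside its underlying URL and flags titles that hide the URL, displayed hosts that differ from the real one, and long alphanumeric tokens. The sample HTML, its hosts and the 24-character threshold are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed heuristic for a "lengthy alphanumeric code": 24+ letters/digits in a row.
OPAQUE = re.compile(r"[A-Za-z0-9]{24,}")

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a href=...> in a mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = " ".join("".join(self._text).split())  # collapse wrapping
            self.links.append((shown, self._href))
            self._href = None

def audit(html_body):
    """Return [(shown text, real URL, [flags])] for each link in the body."""
    collector = LinkCollector()
    collector.feed(html_body)
    report = []
    for shown, href in collector.links:
        flags = []
        if shown != href:                       # reader cannot see the URL
            flags.append("hidden-url")
        shown_host = urlsplit(shown).hostname if shown.startswith("http") else None
        if shown_host and shown_host != urlsplit(href).hostname:
            flags.append("host-mismatch")       # displays one site, goes to another
        if OPAQUE.search(href):
            flags.append("opaque-token")        # likely per-recipient code
        report.append((shown, href, flags))
    return report

# Constructed sample: a transparent link, a title-only link, a disguised tracker.
SAMPLE = """
<a href="http://www.example.gov/products/REPORT-12-479">http://www.example.gov/products/REPORT-12-479</a>
<a href="http://www.example.gov/releases/remarks.htm">Remarks With
 the President</a>
<a href="http://t.tracker.example/abcdefghijklmnopqrstuvwxyz012345/click.php">http://example.org</a>
"""

if __name__ == "__main__":
    for shown, href, flags in audit(SAMPLE):
        print(f"{shown!r} -> {href} {flags or 'transparent'}")
```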