tl;dr css hover selectors that change the background image don't actually cause the browser to GET the specified background image until you hover over it, thus creating a way to send data from a web page with no javascript.
We used to do that to track emails. Gmail's fix was to cache the emails' images on their own server, so it's only hit once. They also don't listen to selector:hover{} so you can't have hover effects.
But it does not matter: if Google downloads all the images for all your emails, then showing them to you is just a fetch from their own servers. Similar to the ad-blocking extension that clicked all ads on the page (in isolation) so that tracking would be useless.
This would actually be detrimental to users. Responsible email publishers use lack of opens as a signal to reduce volume of emails sent and, eventually, unsubscribing you automatically. Gmail causing a lot of bogus engagement would make it look like people can’t get enough of your content.
I'd love to meet these people. I've yet to have a good email publisher experience. Whether it's a Fortune 500 co or the newest startup, they all terribly abuse email.
> unsubscribing you automatically
What is this magic? I've never once been automatically unsubscribed from anything.
Hi, pleased to meet you. Even though everyone on our newsletter list specifically signed up to get newsletters, we’ll still warn you and then unsubscribe you if you do not engage for a long time.
Google, in particular, will send all a sender’s mail to everyone’s spam folder if it sees low engagement across all Gmail users... so it is in publishers’ own self-interest to remove disengaged users.
I believe Mailchimp has something that automatically unsubscribes users if they haven't opened your emails for x time, but the number of publishers that use this is probably pretty low.
> Responsible email publishers use lack of opens as a signal to reduce volume of emails sent and, eventually, unsubscribing you automatically.
That does not remotely sound like the behaviour of responsible "email publishers". Responsible behaviour is to only email people who asked for it, and to stop when they tell you to stop. Clever trickery to spy on people is not the behaviour of responsible people.
If their intention was as you say, it would be really stupid and unreliable trickery, not just because some systems might load the images without the user reading the email, but also because the user might read the email without loading the images. And even if they were to only and reliably load on reading, reading the email does not in any way imply that the user wants to receive it. Lots of people open email before throwing it away. Some mail readers show a preview which may be enough to read the message. Does that count as reading or not?
No responsible organisation would rely on this kind of trickery, and no organisation that relies on this can be considered responsible in their handling of email.
Agreed, it's a terrible idea. I've been subscribed to the NY Times' "morning briefing" email for a long time. I'm using an IMAP client, and I never bother to load the images for this, because all I want is a text summary of the day's news.
They recently sent me an email saying something like "we noticed that you're not reading our email, so we're unsubscribing you." Apparently I hadn't been loading their tracking pixel/script/CSS, so they thought I wasn't "engaging" enough. This was despite the fact that I clicked on links to full articles, which had all sorts of tracking info embedded in a redirect.
A responsible email publisher offers a clearly-visible "unsubscribe" link at the bottom of the email, which will unsubscribe you with a single click. No nags, no checklists of email categories, maybe an "are you sure?" page at most, with equal-sized "yes" and "no" buttons. One or two clicks, and I don't hear from you again.
A dodgy email provider is more likely to "use lack of opens to reduce volume." If I don't trust some company to actually unsubscribe me when I ask, I'll just filter their domain directly to the trash. Clicking on spammers' "unsubscribe" links is usually a bad idea.
I don't know why this is being downvoted. I work for an ESP, and this is an accurate statement. Whatever you think about marketing emails, you probably don't want Gmail to simulate click traffic. Trust me.
> Responsible email publishers use lack of opens as a signal to reduce volume of emails sent and, eventually, unsubscribing you automatically.
No, they don't.
> Gmail causing a lot of bogus engagement would make it look like people can’t get enough of your content
For a few days, perhaps. Gmail accounts for a significant proportion of all email. 'Publishers' would quickly realise they are no longer able to track emails sent to Gmail. To fail to do so would be their loss; if that weren't the case, they wouldn't bother with tracking at all.
"Sorry boss, please fire me and ask one of the 200 other employees here to use that system with built-in tracking to make a newsletter for this clothing brand."
Take some pride in your work. Software is literally the most in demand profession today, you don't have to work for corrupt employers. You can contribute something positive to society and still make decent money.
In some other profession I'd make exceptions, but seriously the amount of money flowing to developers these days, there's no excuse to sell out.
What you describe as a corrupt employer is anyone that uses Mailchimp, SendinBlue, MailPoet, CampaignMonitor, Dotmailer, MailGet, etc.
Do you think that companies who send newsletters do it without any traces of analytics? Every link is tracked, every image is tracked. On the web, there are heatmaps of every single mouse movement. Your keystrokes used to be tracked too, until GDPR hit. Anyone who does analytics can play back the path visitors used to navigate on the site.
It doesn't take any advanced team to do that. You simply drop a .js file from some third-party CDN in your site's head and you have all that data. Any mom & pop shop that has a website has access to that data.
Everyone does it, that's the current state of the industry. To refuse work from anyone who does analytics would mean to leave the web industry.
> but seriously the amount of money flowing to developers these days
At the time, I was paid cad$40k/year. According to glassdoor.ca, the salary for the same position would be cad$59k/year today. Not everyone works from the inside of a bubble.
> Do you think that companies who send newsletters do it without any traces of analytics?
I don't doubt it.
> Everyone does it, that's the current state of the industry.
That's not an excuse.
> To refuse work from anyone who does analytics would mean to leave the web industry.
Analytics as a whole is not the issue. Doing shit like abusing CSS in order to track when someone opens an email and what they do in that email is evil. That violates the user's trust and expectations. I don't doubt that any time I spend on somebody's website will be tracked and analyzed by them. But they have no right to track and analyze me on my own properties, like while reading my own email.
"Everybody is doing it" is not an excuse for evil behaviour. Be better than others, don't contribute to this race to the bottom.
59k a year is a very healthy salary. I know real Engineers doing things like verifying buildings and bridges who make less than that. Honestly, to think that $59k a year in Canada is too little money to afford a moral compass shows how much of a bubble you are already in.
This tracking is made by tracking when someone loads an image from our server.
When their device calls our server, we have access to this person's basic information. Usually this information isn't aggregated but only counted to know how many users opened the email.
That's the equivalent of a caller ID. This is the least hurtful and evil method of tracking I can think of.
I don't understand why you are so outraged by it.
Nobody is forcing you to open the newsletter email titled "AMAZING deal from [brand], get ONE FREE if you purchase THREE!" that you just received and much less to click the "request images in this email" button.
I could understand your point if we were talking about "Canvas Fingerprinting" where an invisible image is generated and the user's GPU is singled out to a unique token by exploiting the unique hardware information outputted during the rendering of the image, allowing you to track users across browsers, sites, logins and even after a software format or operating system reset.
However, right now I'm merely talking about tracking the number of hits our server receives for "banner-image.jpg". This is not even information unique to the viewer.
Yeah, I'm playing around with the idea of using the background image trick to profile the integrity hash speed of the visiting browser.
That little background image feature in CSS has given up quite a bit of data in similar situations (people used to use it to check browsing history of :visited links before browsers started blocking that).
But that hash is a regular, fast hash that takes like 1µs to compute right? Doesn't that get lost in network jitter? Wouldn't averaging the time it takes to run for(i=0;i<Math.pow(2,18);i++); over 10 runs be much more accurate? Or is this meant to spite the 0.01% of visitors that really try not to be tracked and have turned off javascript?
Preloading images so they're ready to show when needed, does not sound like unreasonable behaviour, especially on a connection with high bandwidth but low latency.
It will make this kind of example really slow, but if the intention is to break this kind of spying, then that's okay.
This is just a different spin on the (now fixed in most browsers?) trick of using ':visited' with a background image to uncover which sites the user has visited.
It's things like this that drove me to start browsing the web with CSS disabled by default. It's yet another vector for tracking.
> tl;dr css hover selectors that change the background image don't actually cause the browser to GET the specified background image until you hover over it
This specific page uses :active, not :hover, so it is really no different from a web form that performs a web request each time you press a submit button. It just does not reload the page.
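A defender-side check for the behaviour discussed in this thread, added here as an example and not code from any commenter or from Gmail: it reports and strips CSS rules whose selector uses :hover, :active or :visited and whose declarations reference a fetchable url(). The function names, the sample stylesheet and the `tracker.example` / `cdn.example` hosts are constructed for illustration.

```javascript
// Added example (not from the thread). The stylesheet below is constructed.
const INTERACTION = /:(hover|active|visited)\b/i;  // pseudo-classes named in the thread
const URL_RE = /url\(\s*['"]?([^'")\s]+)/gi;       // target of a url() reference
const RULE_RE = /([^{}]+)\{([^{}]*)\}/g;           // innermost "selector { body }"
const COMMENT_RE = /\/\*[\s\S]*?\*\//g;

// URLs in a declaration block that need a network fetch (data: URIs do not).
function fetchedUrls(body) {
  return [...body.matchAll(URL_RE)].map(m => m[1]).filter(u => !/^data:/i.test(u));
}

// Report every (selector, url) pair that is requested only after user interaction.
function findInteractionBeacons(css) {
  const findings = [];
  for (const m of css.replace(COMMENT_RE, '').matchAll(RULE_RE)) {
    const selector = m[1].trim();
    if (!INTERACTION.test(selector)) continue;
    for (const url of fetchedUrls(m[2])) findings.push({ selector, url });
  }
  return findings;
}

// Drop those rules and keep all other styling, including harmless hover effects.
function stripInteractionBeacons(css) {
  return css.replace(COMMENT_RE, '').replace(RULE_RE, (rule, selector, body) =>
    INTERACTION.test(selector) && fetchedUrls(body).length > 0 ? '' : rule);
}

// Constructed sample: one static image, two interaction-triggered fetches,
// one plain hover effect, one hover rule with an inline data: URI.
const SAMPLE_CSS = `
/* constructed sample */
.logo { background-image: url(https://cdn.example/logo.png); }
#link2:active::after { content: url("https://tracker.example/track.php?action=link2_clicked"); }
@media screen { .cta:hover { background: url(//tracker.example/h.gif) no-repeat; } }
.btn:hover { color: red; }
.icon:hover { background: url(data:image/gif;base64,R0lGODlh); }
`;

console.log(findInteractionBeacons(SAMPLE_CSS));
```

The regex-based rule splitter does not handle CSS escapes or `@import`; a production sanitizer should run the same check on the output of a real CSS parser.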