Evolution Mail Users Easily Trackable
39 comments
·July 9, 2025aitacobell
Privacy feature that doesn't work is (arguably) worse than no privacy feature at all.
dvdkon
The linked WebKit bug report seems to have some activity from today, so I'm hopeful this will be fixed at the source: https://bugs.webkit.org/show_bug.cgi?id=259787
kosolam
Oh, but gmail also reveals to tracking services (i.e. virtual deliverability manager from aws ses) that you opened an email even when you disabled loading images.
dathery
This is not true, SES uses tracking pixels which are blocked if you disable external images: https://docs.aws.amazon.com/ses/latest/dg/faqs-metrics.html#...
johnklos
No reasonable person would ever think that Google preserves their privacy. Perhaps Google preserves it enough so they can sell whatever information they're hiding, but that's about it.
Brian_K_White
Obviously if you're reading gmail on the web or in the official phone app, then of course every click is observable.
But you can read gmail in thunderbird or any other email client, and in that case gmail still doesn't know anything more than that your client performed a sync, which it might be doing periodically at all times and so isn't meaningful.
Hnrobert42
I thought Google loaded all content from all external sources upon your seat, so the sender doesn't know whether you opened it or not.
Barbing
Thinking of Apple?
This was a big announcement with Apple Mail Privacy Protection, included in iOS 15 (Sept. 2021). Sent marketers into a small panic.
If Gmail did so as well, should’ve been bigger news and figure they’d remind us we could disable the load remote content option.
ASalazarMX
It does, and as usual, Apple catched up a decade later. It was called Google Image Proxy for GMail (or something like that) when it was released, much to the chagrin of email marketers.
One of the earliest (2013) mentions I could find: https://gmail.googleblog.com/2013/12/images-now-showing.html
Found in this old article about the initial launch: https://words.filippo.io/how-the-new-gmail-image-proxy-works...
DaiPlusPlus
That still tells the sender it’s a valid email address though?
cxr
> I've noticed that moving the goalposts is extremely prevalent on HN, which makes for pretty frustrating conversations (or just reading). And then sometimes it's a tag team[…]
Barbing
Do you know if I’m safe using Apple Mail with the relevant privacy features enabled? (w/Gmail account)
Edit: one marketing site describes a new category of Apple Opens (vs. Human Opens), so sounds like the feature’s effective
gruez
Source?
mystifyingpoi
Yeah, I wonder too. Just checked the docs, they use tracking pixels. So blocking images should block it 100%?
ajross
HTML as a mail format is a horrifying mess. What you want is a rich text format for displaying static text and maybe some images and links and stuff. What we got is the entirety of the modern web application development environment stuffed into our mail clients, with maybe 1/100th the attention to standards compliance and bug fixing that real browsers get, and a metric ton of "Oh Wait Not That" workarounds to plug the obvious security gaps inherent in the "run web apps from any attacker who has your email address" metaphor.
This is one of the big reasons why email has pretty much died for casual use. Even in work environments almost everyone uses chat clients these days.
umbra07
> This is one of the big reasons why email has pretty much died for casual use. Even in work environments almost everyone uses chat clients these days.
I don't see how this follows. Yes, HTML email fucking sucks. But most people are using Gmail, Outlook, Apple Mail, etc, all of which do a pretty good job at handling HTML emails - especially between each other. How do you go from "html emails are bad" to "html emails led to IM replacing email"?
DaiPlusPlus
In the 1990s it was common to exchange short, 1-line, emails - or even emails where the entire message fits in the subject line.
…you can still do that on internal email systems; but over the internet any kind of unsolicited short email will probably be dropped by Bayesian filters on the recipient’s side because the information-capacity of a short email is… well, short, making it harder to discern from short spam/attack emails.
Also, email clients are getting heavier and slower: (Classic) Outlook M365/2025/Etc somehow takes a grating 10+ seconds to fully load and warm-up on my brand new machine, while double-clicking an email to open it makes the whole thing awkwardly hang for 2-3 seconds, even when working offline. It’s given me a huge aversion to using email in general, so I’m not going to send a 1-liner via Outlook.
klank
In my personal experience, while the experience you're describing is frustrating, it didn't feel connected. I don't see a connection to prevalence of HTML being a driving factor. Even when I was using pine I'd use irc or aim if available.
For me, it was simply the lack of adoption of messaging options that made email the default tool. Once cell phones came along and people got accustomed to instant quick messaging that was generally ubiquitous, email was out, whether you were using pine, outlook, or something in between.
ASalazarMX
> (Classic) Outlook M365/2025/Etc
Why would you subject yourself to that torture? Thunderbird is like LibreOffice is to MS Office, meaning you will have to adapt, but it is still lean for being a contemporary email client.
pornel
This has been true since the beginning of HTML email. It hasn't stopped it from proliferating. It hasn't stopped it from being de-facto mandatory, and has no chance of reversing the course now.
HTML is going to be inseparable part of e-mail for as long as e-mail lives, and yeah, it seems more likely than e-mail will die as a whole rather than get any simpler technically.
At this point we can only get better at filtering the HTML.
the_mitsuhiko
> Even in work environments almost everyone uses chat clients these days.
I'm not sure how this is better though. With chat clients you are completely locked into their ecosystem. Email at least is an open protocol and interoperable.
zzo38computer
There are also some email programs that do not support HTML. I use a email program that does not support HTML.
rsync
I do the same.
Not only does my mail usage not generate any outbound network traffic, nor follow any links, but I can also inspect and edit URLs without following them.
testfrequency
Between my network ad blocker and VPN, I’m lucky for an email that is anything beyond formatted text to render properly anymore.
I’ve practically given up on clicking any sort of links from marketing emails as they are full of multiple redirect trackers. Which, is a shame, as these are obviously from companies I care to keep up with and support.
Email will always have its place, but I agree the default email experience we all know shouldn’t default to essentially a viewport.
Night_Thastus
Mine blocks any external resources unless you choose to download them with a button on the top of the email. Helps lower their ability to track as well, on top of the other precautions.
But yeah, it's pretty horrendous by default.
t_mann
> Even in work environments almost everyone uses chat clients these days.
Maybe in your bubble, but globally this is just false.
raddan
No kidding. If your org is large enough, you have to communicate with nontechnical people sometimes. Unless you're a Microsoft shop, they probably aren't using your chat platform of choice. Email is still the first stop where I work. Not to mention talking to people _outside_ of my org, which is _most_ communication for me.
AlienRobot
I'm pretty sure that the real reason is spam. Nobody is composing e-mail with complex designs to send their colleagues.
I feel like the major problem with almost everything that has a feed these days is the feed. Real state is a finite resource victim of the tragedy of commons: to be visible, you must post, but if others post, you are less visible, so to be even more visible, you post more, which prompts others to post even more, and anyone who doesn't play this game loses.
This happens with all feeds: chronological feeds on Tumblr, e-mail, RSS, etc.
One project I've seen that has tried a novel approach to this was https://fraidyc.at/ Essentially instead of putting all posts in a line, it's an RSS client that just tells you who has posted recently but not what they have posted.
Kabootit
> I'm pretty sure that the real reason is spam. Nobody is composing e-mail with complex designs to send their colleagues.
There is a use case of using HTML for transactional emails:
- enhance company branding with design - embed call to action items via hrefs
b0a04gl
[dead]
monster_truck
They're called allowlists now
InvisGhost
I'm glad that he is raising the flag after the devs failed to take it seriously. Evolution is going to have to do PR damage control soon and talk about how they're changing things to avoid this in the future.
arp242
> The sender can look at their DNS logs to see if you’ve read your email, and the IP address of your DNS resolver at that time, which may indicate your location. [..] An attacker could look at the SNI header during the TLS negotiation
I suppose, but AFAIK no one is really doing that. So in that sense it's a "if a tree falls in the forest, but no one is around to hear it"-type issue.
And the response seems reasonable by the way; they set the correct flag. WebkitGTK has a bug and it doesn't work. It's not great, but you can't expect people to fix everything, especially for fairly minor issues like this.
Arnavion
>It's not great, but you can't expect people to fix everything, especially for fairly minor issues like this.
1. It's not a minor issue that a privacy feature doesn't work.
2. OP clearly stated ( https://gitlab.gnome.org/GNOME/evolution/-/issues/3095#note_... ) that they know the fixes are not trivial, so at the very least they want the application and website to make it clear that the privacy feature doesn't work, so that users are not misled.
johnklos
You forget about targetted tracking, stalkers, and the very simple reality that this is a certain way to see if people looked at the email.
Handwaving this away because "nobody will do this" is in the same family of issues as "I have nothing to hide" or "what can they really do with my data?"
> you can't expect people to fix everything, especially for fairly minor issues like this.
The feature is called "Load Remote Content". Turning that off should have predictable consequences. The fact that it doesn't do what people would rightly assume it should do is not a "fairly minor issue".
People who blindly accept problems, who accept a lack of concern about privacy, both as a right and as a preference, who handwave away poor behavior aren't helping anyone. Tech companies rarely DTRT on their own, so people need to hold their feet to the fire. Those companies don't need apologists.
Barbing
Anyone know if they have a disclaimer on the Load Remote Content toggle?
(Seems reasonable to link to the bug report or something, but this is not my domain.)
> I suggested that maintaining a whitelist of allowed html tags and attributes, and stripping them before passing the email html onto a web browser would be a good defense in depth strategy
Are there any best in class HTML preprocessors that do this well? There are many use cases for displaying email content in e.g. CRM widgets where the underlying networking can’t be controlled. An iframe with a good CSP goes a long way, but as OP notes you want defense in depth!