[HN Gopher] Will Apple Mail threaten the newsletter boom?
___________________________________________________________________

Will Apple Mail threaten the newsletter boom?

Author : danso
Score : 78 points
Date : 2021-06-09 14:25 UTC (1 days ago)

(HTM) web link (www.platformer.news)
(TXT) w3m dump (www.platformer.news)

| kergonath wrote:
| I doubt it. However, it might help reining in advertisers and close a gaping leak of private information that is quite difficult for a random user to plug. I wish, anyway.
|
| We don't owe advertisers a viable business. If their business plan depends on them sucking in private information without my consent, well, fuck them.
| 9wzYQbTYsAIc wrote:
| I think you may be mixing things up between advertising and marketing. Marketing is where things like newsletter click engagement tracking happens.
|
| Usually you are dealing with the actual company sending the newsletter, at that point, and not the advertising industry.
|
| Better to think of marketing engagement tracking through these dark patterns as being a form of forcibly getting you to fill out a comment card at a restaurant than to think of it as having anything to do with advertising.
| ljm wrote:
| You know, I had some beef with the word 'engaged' a few years ago, especially because I worked for a startup that cared about happiness instead (an active question rather than passive inference). In that context, we realised it was ridiculous to ask if you were engaged with your job, we wanted to know if you were _happy_ and so we asked the questions instead of trying to secretly gather the data by spying on your activity.
|
| Now I downright hate it. What does 'engaged' even fucking mean? One definition is that you're 'locked', so your attention is locked with them and not someone else. A public toilet cubicle will say 'engaged' when someone is in it.
|
| For an email newsletter, you can see how well it's doing both by the number of subscribers on the list, and also by how many people click through and read the full article on your site. No tracking involved, you just send out an email and look at your logs for an uptick in traffic.
| 9wzYQbTYsAIc wrote:
| Click through detection requires inclusion of at least a newsletter id in a query parameter, or something along those lines, for the links provided within the newsletter. Without that, there's not enough specificity to get anything other than a rough idea of how many people might have clicked the link right after you sent the email.
| ljm wrote:
| You can make a case for it not being tracking if it's not a link masked behind 2 or 3 redirects through ad or link tracking services.
|
| You can just have a link that you could log and rewrite in nginx/apache/caddy -> https://mysite.com/mailer/thepost --> https://mysite.com/thepost
|
| Or just forget about all of that and just _ask_ people and make your decisions on that instead of extrapolating meaning through espionage.
| loloquwowndueo wrote:
| Guess since I never click on those annoying "subscribe to our newsletter" pop ups, I missed out on the whole "newsletter boom" - but really if the whole complaint is about how they will no longer be able to track my behaviour so closely, I'm not too concerned about the "boom" becoming a bust.
| theshrike79 wrote:
| I never understood the idea of newsletters.
|
| If you have the material for one, why not just put it up as a website? Provide people with RSS feeds? Maybe link the posts to FB/Instagram/TikTok whatever.
|
| Why do I need to get that stuff as an email?
| dqv wrote:
| Some newsletters are purely informational. I like to update my customers on upcoming holidays because it affects how we do business. I also like to update them to remind them of where they can get our W-9 form for tax filing. They're not really the type to use RSS or check the website.
| frankydp wrote:
| Just to add an alternative voice.
|
| Open rates are an important metric for ESPs to track bad actors on their platforms. If this implementation is a 100% preload those metrics then have no value.
|
| IP anonymized pixel loads are a good compromise.
|
| But, 100% preloads would actually make email list management best practices harder to implement. Specifically unsubing subscribers that do not open over a time period. Which many ESPs do in the backend to maintain list quality and minimize spam complaints. Some level of engagement feedback at the subscriber level does have value in the spam/unwanted email workflow.
|
| Assuming you have a preexisting relationship with a business, it is not crazy on the privacy side of things to have an engagement feedback loop.
|
| Assuming you are dealing with a spammer/list buyer ip anonymization provides an appropriate level of privacy, and any additional protection should be expected by the email provider not delivering the mail.
| tekacs wrote:
| > Given Apple's monopoly advantage with their preinstalled Mail app, we don't need much of an uptake from what they're calling Mail Privacy Protection to break the dam on spy pixels. You can't really say anything authoritatively about open rates if 5-10-30-50% of your recipients are protected against snooping, as you won't know whether that's why your spy pixel isn't tripping, or it's because they're just not opening your email.
|
| This doesn't seem true -- I imagine that most tracking providers will start to simply ignore all link opens from Apple's proxy (I assume they'll be using Apple's IP ranges or otherwise be 'detectable').
|
| DHH doesn't seem to recognize that Apple opens the link irrespective (the spy pixel will /always/ trip, not /never/ trip), so it should even be really easy to figure out which users are using Apple Mail.
|
| That being the case, folks will only lack open data for Apple customers, without polluting the rest of the dataset.
| Vomzor wrote:
| I've been toying with the idea of starting a newsletter. How can I measure the opening rate without tracking pixels?
| criddell wrote:
| I think articles like this one are being a little dishonest. They can still put all the ads they want in newsletters. What they can't do (at least not like they used to do) is spy on their readers without consent.
| smoldesu wrote:
| I find it pretty ironic that Apple also seems to be one of the largest buyers of targeted ads. When the M1 iMac released, I couldn't visit a single website without their grating "Colors" ad puttering along on the side. If Apple considers privacy a human right, can they at treat me like a human too?
| rickdeckard wrote:
| Not popular here, but Apple might only be against targeted Ads if it's done without Apple's participation.
|
| The general assumption of many people seems to be that Apple is taking effort to make their user Anonymous. But quite clearly it can not be in their interest to make them Anonymous _to Apple_.
|
| To be quite blunt: If Apple's strategy serves them right, their future user should be free to choose in all areas of his life from the options Apple curated for him.
| tyingq wrote:
| This doesn't prevent creating unique names for the same image and sending a unique name per email. Apple's new approach hides the IP, but Gmail already does that[1], and they have more email market share, don't they?
|
| [1] https://gmail.googleblog.com/2013/12/images-now-showing.html
| macintux wrote:
| Apple will apparently always retrieve the images independently of the user's actions, so the metrics become worthless.
| [deleted]
| tyingq wrote:
| It's not specifically mentioned in the article I linked, but Gmail does this, and has for years.
| [deleted]
| villasv wrote:
| TL;DR: No
|
| Needle in the haystack:
|
| > But after conversations with newsletter writers and media executives today, I'm not sure that people doing email-based journalism have all that much to worry about from the shift.
| midasuni wrote:
| I'm confused. When I open a mail in iOS, I get a banner saying "this message contains unloaded images"
|
| I thought the only ones loaded were ones embedded as an attachment. Is that not the case?
| floatingatoll wrote:
| Your interpretation of the current mail client behavior is accurate.
|
| In the upcoming mail client changes, the mail client will be able to background-load those "unloaded images" through a proxy at Apple.
|
| We don't _yet_ know how that new behavior will intersect with the "don't load images until i permit it" behavior that you have enabled today, but presumably they can coexist peacefully as two options (that I'll be expecting and checking for, later on in the beta cycles):
|
| "Background-load images when new mail arrives" Y/N
|
| "Use Apple's privacy protecting proxy to load images" Y/N
| symfoniq wrote:
| You're not wrong. Not loading images will block tracking pixels completely. Apple is just adding a way to send less PII while still loading images.
| midasuni wrote:
| I rarely want images on my mails. Won't this method show that I access my mail on an Apple device - this leaking information that might not be leaked otherwise?
| symfoniq wrote:
| Leaked to who, though? If you use this feature, then sure, Apple will know that you're using an Apple device.
|
| But the purpose of the proxy is to shield the end-user's IP address, and probably their user agent, too. Some email providers already do this. If you load an image from a Yahoo mailbox, for example, the reported user agent is "YahooMailProxy; https://help.yahoo.com/kb/yahoo-mail-proxy-SLN28749.html".
| midasuni wrote:
| Send a mail to bob@bob.com with an image of eztrack.com/bob123.jpg
|
| If it's loaded from an Apple ip you know Bob has an Apple device.
| toxik wrote:
| Difficult to feel pity for business models built on abusing HTML capabilities to track email viewing.
|
| I don't load remote images by default, so this already doesn't work for me. However, basically every mail platform creates tailored links to track click engagement. So you're screwed anyway, just maybe a little later.
| techsupporter wrote:
| > However, basically every mail platform creates tailored links to track click engagement.
|
| Yep, even financial institutions do this and half of _them_ don't even use domains they own for the tracking links.
|
| Years and years of "don't click on suspicious links" out the window because bank.example.com/creditcard is turned into 4828fjfneo848.totallyfine.adtracker.thirdparty.example.org
|
| I hate all of it but nobody seems to give a shit (nor do they care to implement proper 2FA to effectively guard against phishing) so whatever. If people have their accounts drained because marketers gotta get that sweet engagement metric, what does it matter any more?
| kergonath wrote:
| > I hate all of it but nobody seems to give a shit
|
| I hope this will change. More companies need to make some noise about it.
| lttlrck wrote:
| A pet peeve is unsubscribe links are frequently on an obscure domain that has found its way onto Adblock lists.
|
| That's got to be by design.
| wlesieutre wrote:
| If something makes itself difficult to unsubscribe you could always feed it to the spam filter
| ssharp wrote:
| It's not uncommon for the unsubscribe links to live on the same domain as the link tracking and other features of whatever email or marketing automation platform they are on, so if those are blocked to prevent tracking, the unsubscribe links would be as well.
| hsbauauvhabzb wrote:
| MFA won't protect against phishing.
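The per-recipient image names and rewritten links described in the comments above can be spotted from the receiving side. The following is an added example, not code from any commenter or from the linked article: it audits an HTML newsletter body for remote images, pixel-shaped images, links whose visible text names a different host than the one actually visited, and URLs that differ between two recipients' copies. The function names, the 0-1 px / hidden-image heuristic and the sample message are assumptions constructed for illustration.

```python
"""Audit an HTML newsletter body for open-tracking images and rewritten links."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that looks like a hostname, e.g. "bank.example.com/creditcard".
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def host_of(url):
    """Lower-cased hostname of an absolute http(s) URL, otherwise None."""
    parts = urlsplit((url or "").strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def same_site(host, domain):
    """True when host is domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def looks_like_pixel(attrs):
    """Heuristic (assumption): declared 0-1 px in a dimension, or hidden by inline CSS."""
    for key in ("width", "height"):
        match = re.fullmatch(r"(\d+)(?:px)?", (attrs.get(key) or "").strip().lower())
        if match and int(match.group(1)) <= 1:
            return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class NewsletterAudit(HTMLParser):
    def __init__(self, sender_domain):
        super().__init__(convert_charrefs=True)
        self.sender_domain = sender_domain.lower()
        self.remote_images = []      # every remote image is fetched when images load
        self.pixels = []             # remote images that fit the pixel heuristic
        self.mismatched_links = []   # (host shown in link text, host actually visited)
        self.third_party_hosts = set()
        self._href = None            # href of the <a> currently open, if any
        self._text = []

    def _note_host(self, host):
        if not same_site(host, self.sender_domain):
            self.third_party_hosts.add(host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            src = attrs.get("src")
            host = host_of(src)
            if host:
                self.remote_images.append(src)
                self._note_host(host)
                if looks_like_pixel(attrs):
                    self.pixels.append(src)
        elif tag == "a":
            self._href, self._text = attrs.get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        real = host_of(self._href)
        shown = HOST_IN_TEXT.search("".join(self._text))
        if real:
            self._note_host(real)
            if shown and not same_site(real, shown.group(1).lower()):
                self.mismatched_links.append((shown.group(1).lower(), real))
        self._href = None


def audit(html, sender_domain):
    """Parse one message body and return the populated NewsletterAudit."""
    parser = NewsletterAudit(sender_domain)
    parser.feed(html)
    parser.close()
    return parser


def per_recipient_urls(copy_a, copy_b, sender_domain):
    """Remote image URLs present in only one of two copies of the same issue."""
    images_a = set(audit(copy_a, sender_domain).remote_images)
    images_b = set(audit(copy_b, sender_domain).remote_images)
    return sorted(images_a ^ images_b)


# Constructed sample: one issue as delivered to two recipients (hosts are examples).
TEMPLATE = """<html><body>
<p>Your statement is ready at
<a href="https://4828fjfneo848.totallyfine.adtracker.thirdparty.example.org/c/{rid}">bank.example.com/creditcard</a></p>
<img src="https://bank.example.com/img/logo.png" width="200" height="50">
<img src="https://adtracker.thirdparty.example.org/o/{rid}.gif" width="1" height="1">
<a href="https://bank.example.com/unsubscribe">Unsubscribe</a>
</body></html>"""
COPY_BOB = TEMPLATE.format(rid="bob123")
COPY_ANN = TEMPLATE.format(rid="ann456")

if __name__ == "__main__":
    report = audit(COPY_BOB, "bank.example.com")
    print("pixel-shaped images:", report.pixels)
    print("text/href mismatches:", report.mismatched_links)
    print("third-party hosts:", sorted(report.third_party_hosts))
    print("differs per recipient:", per_recipient_urls(COPY_BOB, COPY_ANN, "bank.example.com"))
```

A tracking image does not have to be 1x1, so the comparison of two copies is the stronger signal: any image URL that differs between recipients identifies the recipient when fetched.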
| techsupporter wrote:
| The MFA we commonly use _right now_ won't protect against phishing because, as I suspect you mean, the codes are not protected against being entered into the "wrong" site.
|
| Proper MFA, like U2F/FIDO2/whatever-it-is-called-today, will protect against phishing because the visited site won't match the hash needed to complete the second-factor-auth-flow.
| gleenn wrote:
| Yes it does, maybe not directly. Two examples, both 1Password and my Yubikey only autofill passwords based on the domain. I immediately get a tingle when I go to autocomplete a commonly visited website and it doesn't fill ... time to immediately inspect the URL for phishing etc. Those tools have definitely saved me multiple times.
| jonplackett wrote:
| Why can't apple just allow some kind of pixel that doesn't reveal user identity, or strip user identity from what's already being used.
|
| I don't really mind someone knowing I opened an email, just like I'm fine with a website knowing I visited (say using plausible.io rather than google analytics). I get that that's useful to them for non-nefarious reasons.
| gnicholas wrote:
| Apple can't strip identity from the existing trackers because there's not a separate and distinct part of the tracker that encodes the user identity. It's integral to the tracker itself, which makes this an all-or-nothing proposition.
| jonplackett wrote:
| I guessed it would just be some url variables on the end of each image, is that not how it works?
| pavel_lishin wrote:
| Sure. But if you strip those out, then the pixel itself no longer has any value to anyone.
| nickfromseattle wrote:
| Delivery rates, AKA staying out of spam and getting into the inbox are correlated to subscriber engagement on your emails.
|
| The more often subscribers open + click a link, the more likely the mail server will let it in the inbox.
|
| If you blast 10,000 emails, and no one clicks or engages with your email - you'll kill your domain's delivery rate.
|
| One of the methods email marketers use to keep their email delivery rates high is by removing subscribers that don't engage with their email.
|
| Preventing email tracking prevents marketers from removing uninterested or unengaged subscribers from their lists.
| bjustin wrote:
| Clicking links doesn't sound like the sort of thing that email servers would know about one way or the other. Likewise for engaging (or not) with emails at all. What setup do you have in mind where this is the case?
|
| Given that AFAIK Apple Mail downloads entire messages regardless of whether they're opened, Apple's change here doesn't seem likely to affect delivery rates in this way anyway.
| Nullabillity wrote:
| > Likewise for engaging (or not) with emails at all. What setup do you have in mind where this is the case?
|
| If you use IMAP (or basically anything else than POP) then your email client reports the read status back to the server.
| giantrobot wrote:
| Your IMAP server doesn't report read status back to the sender. Unless your e-mail provider _is_ an advertiser *cough* Google *cough* the advertiser doesn't know if you read a message just because the IMAP server marked it as read.
|
| Also an IMAP server's read status doesn't mean someone manually interacted with an e-mail. If you mark messages as read in bulk, even if the provider reported that status to an advertiser, says nothing about engagement.
| toxik wrote:
| This could be done without duping the receiver's email client into revealing that the email has been viewed.
| hermanradtke wrote:
| > One of the methods email marketers use to keep their email delivery rates high is by removing subscribers that don't engage with their email.
|
| Email marketers can still track when a user clicks a link, which is the proper signal for them to be using anyways.
| seumars wrote:
| Every privacy-focused push by Apple - or anyone, really - forces publishers to find less invasive methods for engaging with their audience, without having to rely on skewed data and grotesque tracking. How could that be bad for journalism? We got rid of blinking text and popup ads for a reason, and this is just the next step.
| jldugger wrote:
| > How could that be bad for journalism?
|
| I don't know about journalism per se, but for journalists, they presumably arrived at the status quo as the profit maximizing option, and removing it will, to varying degrees, impoverish them.
| FabHK wrote:
| That is a sensible first hypothesis, but it rests on many assumptions, in particular that the market doesn't have any prisoner-dilemma/tragedy of the commons aspects to it.
|
| It is quite conceivable, for example, that every single journalist is better off if they make click-bait listicles instead of investigative journalism, but the profession as a whole suffers.
| layble wrote:
| Exactly the opposite actually.
| midasuni wrote:
| Please elaborate
| throwaway3699 wrote:
| It forces publishers into closed gardens. I am willing to bet Apple's work here will have the same effect that advertising did on RSS, which is that newsletters will turn into truncated notifications designed to bring you to a website where they _can_ get the business metrics they "think" they need.
|
| I actually think there is a nice middle ground for something like a basic view counter, and some open rate data to be available in an aggregated, anonymous way.
| rodgerd wrote:
| > "This is another sign that Apple's war against targeted advertising isn't just about screwing Facebook," Joshua Benton wrote in Nieman Lab. "They're also coming for your Substack."
|
| I mean good? Like you, I struggle to see the downside of this, really. Probably the only risk in the bigger picture is the degree to which wealthy billionaires fund free lies such as Breitbart or the Murdoch papers, while actual research and journalism is pay-for. But the wealthy billionaires are doing that anyway, so it's hard to see much change.
| Barrin92 wrote:
| because one possible consequence of this is that it forces people to move towards closed platforms like Apple's own if they want to effectively advertise and that includes forking over substantial amount of money to those platforms.
|
| Which is of course the economic incentive that a company like Apple has to introduce these measures, it creates an asymmetry where Apple has all kinds of user information, but competitors don't.
|
| And if you want to see the effect that declining ad revenue has on journalism you can just look at the decline of local journalism across the US as revenue shifted from advertisers to digital platforms.
| kergonath wrote:
| > it creates an asymmetry where Apple has all kinds of user information, but competitors don't
|
| That is true only if Apple competes with them, which is not the case at all.
| nickfromseattle wrote:
| It's believed Apple generates ~$2B per year from advertising revenue (through Appstore PPC) and that could increase to over $10B in 2025. [0]
|
| [0] https://9to5mac.com/2019/11/15/apple-ad-revenue/
| kergonath wrote:
| This is paid keywords in the stores. They don't do targeted advertising and are not an ad broker, which are the companies whining about being unable to track people.
| smoldesu wrote:
| Fine: call it _Dynamic Advertisement_ if it helps you sleep at night, but Apple is still targeting the user with an ad that is relevant to the content they're searching for. Furthermore, Apple's policy seems to only apply to their own platform: it's estimated that they spend hundreds of millions of dollars on AdSense marketing campaigns, which are highly targeted and among the least respectful ad platforms around. Evidently their motto of "privacy is a human right" only applies if they deem you "human" enough...
| rickdeckard wrote:
| This asymmetry is already very real, and a quite dominant pattern of Apple's strategy is now to build mechanisms to protect explicitly their ability to monetize all aspects of their _users_, not so much their devices.
|
| These small steps taken under the banner of "preserving the users' privacy" are also steps to make sure that all those clumsy users don't get offered something without giving Apple the opportunity to profit from it first.
|
| And the only disarming response to this so far is "yeah, but that's fine for me. I WANT Apple to take control, they're the good guys with the cool products!"
| Barrin92 wrote:
| But they do? Apple is literally in the news business, the services business (many of which rely on ad revenue to compete with Apple's own services), increasingly in the ad business itself (revenue is expected to rise to 11 billion in 2025, growing quickly)[1], and as I just laid out in the post above, has a huge interest in just laying waste to independent revenue streams outside of their own channels, in the exact same way digital platforms overall benefited from laying waste to the small and mid-sized ad-industry.
|
| [1]https://9to5mac.com/2019/11/15/apple-ad-revenue/
| kergonath wrote:
| > Apple is literally in the news business, the services business (many of which rely on ad revenue to compete with Apple's own services)
|
| They are a news aggregator and distributor, they are a customer of media and news agencies. Or a parasite, depending on point of view. Still not a competitor. They also still don't compete with ad brokers and don't do any targeted advertising.
|
| > increasingly in the ad business itself (revenue is expected to rise to 11 billion in 2025, growing quickly)
|
| These ads are in the Stores and keyword-based. Which _is_ distasteful, but not quite the same level. Again, they don't distribute ads, and are not in the market for targeted advertising. They don't compete with ad networks, and if they weren't doing that there would just be no ads on the store. Like it was not that long ago.
|
| > in the exact same way digital platforms overall benefited from laying waste to the small and mid-sized ad-industry.
|
| If the mid-sized ad industry does not rely on tracking, blocking invisible pixels in newsletter won't affect it. If it does rely on tracking, then it can't die soon enough.
| JimBlackwood wrote:
| These features Apple introduce sell well because people (including me) want them.
|
| If that means journalists lose revenue, they should look for other ways. Using intrusive ads as an excuse for "otherwise we don't have money" is just dumb. They're free to think of other ways.
|
| The best journalism I've read (ftm.nl, Dutch) is a subscription service and they don't rely on ads or tracking. The sites that do this kind of tracking, in my anecdotal experience, produce shitty journalism.
|
| If this is bad for journalism, we'll end up in that crisis and figure out a way that doesn't use these methods.
| smoldesu wrote:
| > These features Apple introduce sell well because people (including me) want them.
|
| You want the service, you don't necessarily need it from Apple though. That's the crux of this entire argument: Apple's black-box model is terrible for the industry. Apple is opposed to any roads that don't run through taxable lands, so it should come as no surprise that they want to tear down everything that keeps the web currently working. The less functional the internet becomes, the higher pressure there is to use native apps: that's likely part of why Safari is woefully broken and outdated compared to Chrome and Firefox.
|
| > If this is bad for journalism, we'll end up in that crisis and figure out a way that doesn't use these methods.
|
| We are already in that crisis. Whenever a paywalled link crops up on Hacker News, the first comment is always an archived version for the 99% of readers who would otherwise be unable to read that. Compared to the past 15 years of reporting, that's a direct downgrade. Adding synthetic friction to the flow of information never works: games get cracked, movies get shared, shows get ripped and music gets leaked. It's nothing new, and pretending like it's somehow _not_ going to affect the next decade of reporting seems a little disingenuous to me.
| grishka wrote:
| Apple doesn't offer an alternative even if you want to pay them. It's simply saying "you can no longer do this to our users, it's now illegal".
| bjustin wrote:
| In this case and things like ATT, Apple is saying "you can no longer do this to our users _unless they agree to it first_". And they default to asking users. That users are the ones making these choices is an important point.
| tshaddox wrote:
| > Which is of course the economic incentive that a company like Apple has to introduce these measures, it creates an asymmetry where Apple has all kinds of user information, but competitors don't.
|
| It's completely fair to speculate that this is Apple's _true_ goal, but I actually do feel a little bit better about Apple doing this than, say, Facebook, or Google. The reason I feel a little bit better is that Apple at least still has an actual business model where people give them money in exchange for a product. I'm willing to be charitable and speculate that at least _some_ of the reason Apple releases services like this is that it will cause people to continue to buy iPhones (which are wildly profitable).
| amelius wrote:
| I hate advertisers like the next guy, but what I hate even more is a company acting as a regulator.
| als0 wrote:
| When will Apple bring back RSS to Mail?
| Hoasi wrote:
| Mail privacy is the right thing to do and implementing it will be a major improvement!
|
| That doesn't threaten email newsletters that are legitimate and of interest to real subscribers. Communication should never rely on espionage tactics even for the sake of metrics. Forgo monitoring people, customers, or would-be customers, and save a ton of time as a result.
|
| Marketing experts will start talking about how two ways conversation is the ultimate email strategy that works. Send a non-tracked email, let them hit reply. Brands and consumers, united in conversation, finally. That is as horizontal as it gets.
| graeme wrote:
| Have you ever managed a newsletter? Mail providers such as gmail use things like open rates to determine if a message should be in important, promotions, or spam.
|
| Also, a sizeable chunk of people refuse to click unsubscribe links and instead hit the spam button. This can be a sensible response, as a lot of spam senders ignore unsubscribe. But it is also hard for legit newsletters.
|
| So what is the best practice? Pruning your list of people who never open it. This improves open rates, makes gmail like you, and unsubscribes people who already would prefer not to read your letter.
|
| Now it will be much harder to know who is inactive so you'll end up sending more mail to people who don't want it. And no double opt in doesn't solve this.
|
| There are other ways around the problem, but you seem to be in complete ignorance of what newsletter senders use tracking for.
|
| Open rates also let you diagnose deliverability issues.
| jedberg wrote:
| Doesn't Gmail and Outlook already anonymize tracking pixels? When I heard that announcement what I heard was, "we implemented a feature that Gmail and Outlook have had for years!". I don't think it will change the landscape all that much.
| stingraycharles wrote:
| They don't anonymize it, they just request it from the backend. They still request the exact same URL, so you can carefully track email opens on a person-by-person basis, you just cannot track IP addresses and/or set tracking cookies or whatnot.
| lstamour wrote:
| Gmail and similar providers proxy all image URLs they receive at the time they receive the email, so you can't tell when a user later opens the email. That said there might be bugs to make your images un-cacheable such that Gmail still loads them later, directly or indirectly, when you open an email.
|
| Compare this with Apple Mail which proxies emails from a different, presumably non-Google IP address and which does so only when an email is downloaded in the background. So while you can't track IP address, yes, and you never could set cookies that I'm aware of without clicking a link first, this means you can still track "downloads" of your email to a local client, just not "opens" - and if your Mail app already downloaded images when the email was downloaded, then it's possible it won't even change that - you might not have been tracking opens this whole time... maybe.
| gruez wrote:
| >Gmail and similar providers proxy all image URLs they receive at the time they receive the email, so you can't tell when a user later opens the email.
|
| I searched around and found some articles that make the same claim[1], but in my own testing that doesn't seem to be the case (ie. I had to click on the email before image would start loading).
|
| [1] https://sendloop.com/articles/the-effect-of-gmail-image-prox...
| jalk wrote:
| I did the same test (although some years ago) and gmail didn't request the images until the email was opened. Caching the images lazily also means that Google can save a ton in network bandwidth / storage for all those emails that are never opened (which is probably most emails they handle)
| jankeymeulen wrote:
| Will Apple do it differently?
| jedberg wrote:
| Right, exactly the same way Apple Mail will work.
| gruez wrote:
| The wording[1] also suggests they request the images even if you haven't opened the email, which obfuscates whether you've opened the email or not. With other services like gmail the images are only requested when you open the email, so it's possible to infer whether you opened the email or not based on whether the image was loaded.
|
| [1] https://twitter.com/rjonesy/status/1401993816001978375/photo...
| webmobdev wrote:
| This is why I find it hard to trust Apple products - if Apple funnels the request through their servers Apple also now has access to this data. Now, your personal data / metadata is available with more people than before. But you are supposed to believe this is all to protect you. /s
|
| (And no, I don't trust Apple not to associate this data with a user's Apple ID and datamine it in the future - _if your country has lax privacy laws Apple will exploit it till the law says otherwise_.)
|
| Edit:
|
| Here's another perspective - now, even if I don't use Apple's iCloud backup or email services, Apple has found another _clever_ way to learn about some of the marketing emails I receive. That information is very valuable.
| macintux wrote:
| > if your country has lax privacy laws Apple will exploit it till the law says otherwise
|
| Given the wretched state of privacy laws in the U.S. that seems an uncharitable position. Apple has far more business motivation to treat its customers well in that regard than to try to squeeze money out of their data.
|
| Although you'd think they'd have motivation to treat developers better than demanding a 30% cut, so there's that.
| floatingatoll wrote:
| Typically they have an off switch for things that are considered sensitive data, and when they don't they seem inclined to course correct. If they don't have an off switch in the WWDC developer betas, that would be a bug for everyone to report via Feedback Assistant.
| lstamour wrote:
| If Apple re-uses iCloud Private Relay for this feature, which they might or might not be doing, then there are actually two entities involved and Apple presumably knows what user made the request but not what URL was requested: https://appleinsider.com/articles/21/06/10/how-apple-icloud-...
| maxpert wrote:
| I literally use a tool for hiring that tells me exactly when mail was opened and which links were clicked. So no, that is not anonymization!
| amelius wrote:
| I have a tool which opens emails and randomly clicks links.
| jedberg wrote:
| Anonymization as in the IP address and location of the requester. Just like Apple Mail will do.
| [deleted]
| smoldesu wrote:
| I have never used an email client that doesn't block it by default. I was surprised (and somewhat worried) when I heard it being announced for Mail.
| lstamour wrote:
| Yep.
|
| When Gmail first introduced this image proxy feature in 2013 it started showing images in emails by default, which is great. I researched blog posts from then and apparently a workaround that still worked was to serve a fake HTTP Content-Length header of "0" and Gmail's proxies wouldn't cache the image. It's unclear if this bug has been fixed or not, or if similar bugs affect Outlook's proxies, for example.
|
| The rest of this post is speculation -
|
| I wonder if it won't affect Apple's Mail app because Apple isn't loading images directly from a proxy, instead, the original URL is sent to the Mail app over IMAP or Exchange and then Apple will download the image by asking the Apple proxy for the unmodified URL. This means even if an existing Gmail or Outlook image proxy server can be tricked, it shouldn't affect the Apple Mail app.
|
| That's not to say Apple Mail won't have other issues - for example, it shouldn't stop at images. Apple Mail supports CSS and web fonts, so theoretically all network traffic not destined to hit the IMAP server should go through the proxy if complete privacy is desired. I think the wording of the Mail app suggests it's more than just images.
|
| And the way it's implemented, because it's not server-side, it does indicate that an email address checked using Apple Mail downloaded your email, so you know it's pretty likely there's a human at the other end and they use Apple Mail even if they don't know exactly when you opened the email for the first time, they know when your Mail app downloaded it and possibly when you received a push notification about it. Unless it caches content with every request, which it might, you might also know how many different Apple Mail clients downloaded the message and when which might still indicate patterns of use especially if you can create a network of tracking pixels across different email messages. Finally, nothing about the feature actually anonymizes links or prevents specifically tracking pixels, but that's probably a good thing until we invent local Content Blocker extensions for Mail app, for example.
| trasz wrote:
| "93.5% of all email opens on phones come in Apple Mail on iPhones or iPads"
|
| How?
| bombcar wrote:
| 93.5% of all _trackable_ email opens on phones comes from Apple Mail on iPhones or iPads.
|
| If Google is already doing something similar for gmail then android statistics would be ignored or worthless.
| ryantgtg wrote:
| When Casey Newton (author of the article) first launched his Substack newsletter, he was alarmed that the full posts were not displayed for gmail users - instead there was a "jump" (that many users probably don't see, because it's formatted as "... [Message clipped] View Entire Message"). The issue is that gmail clips emails at 102k, and the substack emails easily hit that limit when posts contain lots of urls due to 1) inline styling on links, and 2) the ballooning hyperlinks due to the tracking strings.
|
| This person found that substack was ballooning a 59 character url to over 400 characters.
|
| https://tedium.co/2020/12/22/gmail-102kb-email-size-limit-hi...
| (same author, more detail):
| https://twitter.com/ShortFormErnie/status/133992146683031961...
|
| I was hoping this incident would cause substack and others to pull back on the reins a little bit. The urls on these emails are redonk, and clearly the authors aren't happy about users missing out on content.
| shortformblog wrote:
| I wrote the story on the size limit issue you linked and have thoughts on the issue listed here. (Long story short: This whole issue is a byproduct of the lack of standardization in the email space, something highlighted by the use of tables in emails, which are another reason why emails are so large. Long story short, email is in need of modernization, which could lead to better options for tracking than tracking pixels, which are not anonymized enough for publisher use cases.)
|
| I agree that the amount of tracking going on in the Substack links is a bit aggressive, but I want to be careful to not put too much of the blame on them for the long links.
Part of the | problem is the service that Substack is using, Mailgun, is | intended for transactional emails, rather than the newsletters | that Substack is sending. My feeling is that Substack ramped up | using Mailgun but probably needs to start building their own | tech for doing this, because it's clearly not suited for the | Substack use case. | | Thanks for sending the link--it is super-relevant to this | issue. | Animats wrote: | I've had image loading turned off in Thunderbird for a decade or | more. | midasuni wrote: | I don't think I've ever had a mail client that loads images by | default. Maybe Eudora in the late 90s? I have a feeling html | mail was coming in around then, and it was before I moved to | pine. | symfoniq wrote: | Unless I'm misunderstanding how this new feature is implemented, | tracking pixels will still work, but the data that can be gleaned | from them will be more generic (the IP address will belong to a | proxy). | | Senders that are using these pixels to measure engagement (as | opposed to building user profiles) shouldn't have much to worry | about. | iancarroll wrote: | "Mail Privacy Protection works by hiding your IP address and | loading remote content privately in the background, even when | you don't open the message." | taylorfinley wrote: | Does this give Apple an excuse to send the content of | received emails to their servers, for the background proxy | loading process? "Even when you don't open the message" is | very creepy to me. I'm suspicious of any company that wants | to read my emails to 'protect' my privacy. | symfoniq wrote: | Not necessarily. Tracking pixels are implemented using | images (usually transparent ones), so all Apple Mail | _needs_ to do is send the image URLs to the proxies, not | the entire contents of the email. What they're _actually_ | doing remains to be seen. 
| crooked-v wrote: | The simplest implementation here would probably be | something where the server pulls a copy of images and then | bundles them into an inline blob in the IMAP email storage. | | They're "reading your emails" for functionality like spam | filtering anyway. This seems like it would work on | basically the same level as that kind of stuff. | warkdarrior wrote: | > They're "reading your emails" for functionality like | spam filtering anyway. This seems like it would work on | basically the same level as that kind of stuff. | | This is how Gmail started as well, and now Gmail is a big | source of profiling info for Google advertising. | AlexandrB wrote: | Betteridge's law of headlines applies to this one. Though this | quote from another article was particularly inexplicable to me: | | > "This is another sign that Apple's war against targeted | advertising isn't just about screwing Facebook," Joshua Benton | wrote in Nieman Lab. "They're also coming for your Substack." | | Substack's whole appeal (at least to me) is that it's not bogged | down by the seemingly mandatory ads, popovers, and autoplay | videos that plague every other news site. | stonogo wrote: | Substack's value prop is that subscribers receive richly- | formatted emails of the posts; it's essentially a newsletter | service with a web publishing feature. | dylan604 wrote: | Why is it that Apple is coming for anyone specific rather than | just trying to protect user privacy in general regardless of | who it is affecting? Of course, other than not being click- | baity enough. | AlexandrB wrote: | Reading some of the takes on this topic makes me realize that | my consent is completely irrelevant to this whole industry at | this point: https://mattietk.medium.com/apples-mail-privacy-protection-i... | | > Apple's fight for privacy is really a fight against the | web. In signing up for a newsletter, a publisher or marketer | already has a more valuable piece of PII: your email address. 
| By focusing on IP addresses, and blocking trackers rather | than proxying them on a fuzzy delay (which would provide the | same useful publisher data without any PII leak of location | or time), Apple are not really fighting for their users so | much as they are fighting against email. | | No. Embedding invisible elements that report back information | I never intended you to have is "fighting against email". | Terrestrial mail does not allow you to track where, when, or | by whom it's opened. I think that's the expectation of most | people for email as well. The fact that marketers have gotten | away with something different thus far is a _vulnerability in | the standard_ as far as I'm concerned and should be fixed. | felipemesquita wrote: | Unless Apple's proxy loads every image in all emails | independently of the user opening them, it's still possible to | track when a message is viewed by having images with unique URLs | for each recipient. | gruez wrote: | The picture in the embedded tweet[1] suggests that the images | are loaded even if they're not opened. | | [1] | https://twitter.com/rjonesy/status/1401993816001978375/photo... | crooked-v wrote: | > Mail Privacy Protection works by hiding your IP address and | loading remote content privately in the background, even when | you don't open the message. | | It does load all the images independently of the user opening | it. | | My guess is that the server will pull a copy of everything as | soon as the email is received and bundle it all into an inline | blob that goes to the client. ___________________________________________________________________ (page generated 2021-06-10 23:00 UTC)
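Added example, not part of the thread or any commenter's code: a Python audit that lists every remote URL an HTML message would make a client fetch on render (images, linked stylesheets, and CSS `url()` references such as web fonts, the cases raised in the comments above) and flags 1x1 images and opaque per-recipient tokens. The sample message, its hosts and ids, and the 16-character token heuristic are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.I)
TOKEN = re.compile(r"^(?=.*\d)[A-Za-z0-9_=-]{16,}$")  # assumed heuristic: per-recipient id
SAMPLE = (  # constructed message body; hosts and ids are made up
    '<style>@font-face{src:url(https://fonts.example.test/f.woff2?u=9f8e7d6c5b4a39281706)}</style>'
    '<link rel="stylesheet" href="https://cdn.example.test/mail.css">'
    '<img src="https://cdn.example.test/logo.png" width="600" height="80">'
    '<img src="https://track.example.test/o/4f3a9c0d17e2b8a65d41.gif" width="1" height="1">')

class RemoteContentAudit(HTMLParser):  # records what rendering alone would fetch
    def __init__(self):
        super().__init__()
        self.fetches, self._in_style = [], False  # fetches: (kind, url, reasons)

    def _add(self, kind, url, attrs=None):
        if not url or not url.lower().startswith(("http://", "https://")):
            return  # data:, cid: and relative URLs trigger no remote request
        a, reasons = attrs or {}, []
        if kind == "img" and (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")):
            reasons.append("1x1 image")
        parts = urlsplit(url)
        values = [v for _, v in parse_qsl(parts.query)]
        values += [seg.rsplit(".", 1)[0] for seg in parts.path.split("/")]
        if any(TOKEN.match(v) for v in values):
            reasons.append("opaque token in URL")
        self.fetches.append((kind, url, reasons))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_style = tag == "style"  # <style> bodies arrive via handle_data
        if tag == "img" or (tag == "link" and "stylesheet" in (a.get("rel") or "").lower()):
            self._add(tag, a.get("src") or a.get("href"), a)
        for url in CSS_URL.findall(a.get("style") or ""):
            self._add("css-url", url)

    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        for url in CSS_URL.findall(data) if self._in_style else []:
            self._add("css-url", url)

def audit(html):
    parser = RemoteContentAudit()
    parser.feed(html)
    parser.close()
    return parser.fetches
```

Running `audit(SAMPLE)` shows the web-font request carrying an identifier just as the pixel does, which is why blocking or proxying images alone leaves a render-time signal.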