First, why (historically) was conversion tracking implemented by html pixel tracking versus using other small and able-to-be-made-nearly-invisible html elements which could provide the same information? Curious why html images were used as opposed to other methods.

Second, many email clients, e.g. Outlook and Gmail, don't display images in html emails by default as a means to "protect your identity". Why do images provide greater exposure of information than the other markup elements in the page? They all show up in some server's web log as a GET from some IP address with some possible query string parms, so I'm not sure why images represent additional risk.

+1  A: 

When you load an image from a site, you make a request to that site's HTTP server. The request contains header information which is pretty extensive.

Images were there from the first HTML spec, which explains their common usage. <iframe>, <object>, <script> and all the other embeddable elements came in later editions and were not always supported or enabled in the browser.

Displaying images in HTML Emails can be seen as a "security risk" as confirmation for spammers that somebody actually reads their spam mails.

Otto Allmendinger
+3  A: 

> versus using other small and able-to-be-made-nearly-invisible html elements which could provide the same information?

Name one! I can't think of one except images, at least not in good old HTML 4, which still is the standard for rich E-Mail to this day. External style sheets would be a possibility nowadays, but don't get loaded in E-Mails. Background images could be disabled. iframes came later.

> They all show up in some server's web log as a GET from some IP address with some possible query string parms, so I'm not sure why images represent additional risk.

When an image resource is embedded into an E-Mail, the time when that image is loaded is the time when the user reads the E-Mail. Plus, the IP the image is pulled from is the IP the recipient is logged on to the Internet with at that moment. A badly patched Windows installation might be enough to facilitate an attack with this.

From the request, it is also maybe possible to determine the recipient's operating system, whether they're behind a firewall / router, which Internet provider they're with, where roughly they are located... All already very, very sensitive information.

Pekka
Ah I see, so the magic here is that the other html content in the email is static - it's embedded in the email itself (which of course an image could be as well, but that's not what the email clients are protecting against). The exposure is a result of the fact that, as you said, the images are retrieved *at the time* the email is opened (page is rendered) hence contain info about your current state. Am I stating that correctly?
Emilio
To clarify a bit further, a spammer can auto-generate a new image name for each target email address or include tracking information in the query string enclosed in the img tag. This allows said spammer to see exactly which email addresses have opened the email.
chrissr
@Emilio exactly. And using the method @chrissr outlines, it is possible to "personalize" the information to know exactly which E-Mail address read the message when and from where. This method is called a "web bug."
Pekka
@Pekka - Thanks. I suppose that <script> tags could be used in a similar way as img elements are for tracking purposes, no?
Emilio
@Emilio they could, but they are not reliable at all in E-Mails (I think none of the big clients support JS in mails) and it could be deactivated in the browser as well.
Pekka
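
Added example, not part of the original thread: a sketch of the default "don't load images" behaviour discussed above, rewriting an HTML mail body so remote `src`/`background` fetches are disabled while images embedded in the message (`cid:`, `data:`) stay untouched. The function names, the `data-blocked-` prefix and the sample body are assumptions made up for this illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

FETCHING_ATTRS = {"src", "background"}  # attributes fetched at render time


def is_remote(url):
    """True for http(s) and scheme-relative URLs; cid: and data: are embedded."""
    parts = urlsplit(url.strip())
    return parts.scheme in ("http", "https") or (not parts.scheme and bool(parts.netloc))


class RemoteFetchBlocker(HTMLParser):
    """Rebuild a mail body with remote fetches disabled (comments are dropped)."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []  # sanitised markup, (tag, url, has_query)

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name in FETCHING_ATTRS and value and is_remote(value):
                # A query string is where a per-recipient identifier usually rides.
                self.blocked.append((tag, value, bool(urlsplit(value).query)))
                name = "data-blocked-" + name  # renamed, so the client never fetches it
            kept.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # void elements need no end tag

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def block_remote_fetches(body):
    """Return (sanitised_body, blocked_fetches) for one HTML mail body."""
    parser = RemoteFetchBlocker()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample: one embedded logo, one per-recipient 1x1 beacon.
SAMPLE = ('<p>Hello</p><img src="cid:logo@mail" alt="logo">'
          '<img src="http://tracker.example/o.gif?rcpt=alice%40example.org" width="1" height="1">')
```

The `blocked` list is what the sender's web log would otherwise have recorded, one GET per opened message.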