Why You Can Trust CNET Is your e-mail watching you?
Marketers may be tracking your moves online through e-mail messages that share the look and feel of Web pages--and often without regard for safeguards that protect consumer privacy.
Web sites have long planted bits of code called "cookies" on consumers' hard drives to tailor Internet pages for returning visitors and better target ads. Now, enhanced messages that share the look and feel of Web pages are being used to deliver the same bits of code through e-mail, in many cases without regard for safeguards that have been developed to protect consumer privacy on the Web.
"All of the security and privacy issues on the Web now relate to e-mail," said Adam Shostack, director of technology at Zero-Knowledge Systems, a Montreal-based privacy and security company. "The shame about this behavior is that it's going on surreptitiously and people are not given an obvious way to opt out."
Consumer notice and choice have been at the heart of the Internet privacy debate for years, driving popular Web companies including eBay, Yahoo and DoubleClick to write tough-sounding Web privacy policies. Playing offense, civil libertarians and privacy groups for years have stalked Web sites for violations of their stated policies and have kept an eye on secretive tracking tactics. Although many of the same troubles are cutting into e-mail, disclosure of such data-gathering practices has not received anywhere close to the level of scrutiny it has had on the Web.
With e-mail, however, the stakes for consumer privacy may be higher.
After battling consumer advocates for years over the issue, Web sites now typically cloak visitors' identities and collect data anonymously. By contrast, junk e-mailers and even some legitimate marketers have begun to use cookies and other techniques to link specific addresses to surfing behavior, security experts said.
In some cases, spammers may be able to link formerly anonymous consumers with their e-mail addresses. For example, a Web site specializing in horoscopes may know a consumer only by birth date. But if that Web site rents a list of e-mail addresses with that consumer's address on it, the company may be able to link the address to the individual's birth date and visits to the site.
"In many ways, e-mail tracking is more powerful because they can correlate the e-mail address with online history," said Lance Cottrell, president of Anonymizer, an Internet privacy services company.
"There isn't an opportunity to be fully informed when you receive a spam with remotely loaded graphics used to track your computer," he added. "It's a bit of a loophole in the whole process."
Slipping in with the mail
The rise of e-mail tracking runs parallel to the adoption of "rich e-mail," or messages that incorporate the programming language most commonly used to display Web pages, known as HTML (Hypertext Markup Language). Such messages may include Web pages, audio and video in addition to ordinary text.
According to a recent report from the industry trade group the Direct Marketing Association (DMA), 65 percent of online marketers regularly send HTML e-mail to consumers or prospective customers. By incorporating HTML, the e-mail acts like a Web page, requesting graphics and content from a Web server and counting as a "hit" to the company's Web site.
|  |  | |
| | ||
On the simplest level, marketers may embed a numeric tracking code in the "from" line. This code is sent back to the Web site's service when the recipient visits the site from the e-mail. More sophisticated tracking can involve cookies so that the Web site can detect whether the consumer visits the site days later. Cookies can also help determine how much revenue was booked on a Web site as a result of an e-mail campaign by following the recipient throughout a visit.
The monitoring technology can be planted on consumer hard drives at various stages in the process of delivering and reading an e-mail. In many cases, cookies or Web beacons are set the moment the recipient opens the message or views it in the preview window of the e-mail program. In other cases, cookies are set only when the person clicks on an embedded link that leads to a Web site--an action some argue is part of the Web experience and is the purview of Web privacy policies.
Digital Impact, an e-mail marketing services company, uses a range of tactics to measure the effectiveness of campaigns for its customers, which include Citigroup, Bank of America, Wal-Mart, Target and the Gap.
Since its launch in 1998, Digital Impact has sent about 3 billion commercial e-mails. Gerardo Capiel, chief technology officer and co-founder of Digital Impact, said that while about 70 percent of the e-mail the company sends for customers is HTML, less than 30 percent of HTML e-mail includes tracking technology. Capiel said the company asks that its customers address e-mail communications in their privacy policies.
"We don't set a cookie when you open the e-mail, but you might get one when you click through," he said. "It's really a question of how aggressive the marketer wants to get to track revenue."
Capiel said the company only sends messages to consumers who have opted to receive communications from the client. Still, he acknowledges that people can be sensitive to cookies. "You may end up irking some customers," he said.
Experian, another e-mail marketing services company, started using cookies this year to better track digital communications for its customers. According to its privacy policy, it uses cookies and Web beacons to monitor when an e-mail was opened, how many times an e-mail recipient forwarded the message, and which Web addresses were clicked on, among other actions.
Christine Frye, chief privacy officer of Experian's e-marketing services unit, said the company has started working with customers to educate them on updating their privacy policies to include e-mail tracking. So far, "they've been very receptive to that," she said. She would not name any Experian customers.
Such techniques have become pervasive enough to attract the attention of browser and e-mail software makers.
Some e-mail programs already include settings allowing consumers to block cookies. Microsoft's Internet Explorer 6.0, for example, offers controls for cookies on the Web and via the company's Outlook and Outlook Express e-mail programs. Turning on the "prompt for cookies" setting can reveal the stunning extent of the problem, unmasking unsolicited HTML e-mail messages that try to lay down cookies on a hard drive.
According to Microsoft, IE 6, Outlook and Outlook Express block cookies by default in HTML mail and place such mail automatically in a secure "restricted" zone. The settings have not always proven effective, however--well-known security expert Richard Smith has reported at least one bug that allows cookies to be planted through Outlook despite the default settings.
Rajeev Dujari, development manager on IE 6 for Microsoft, countered that Outlook is designed to let consumers read e-mail in different security zones and control cookies through privacy settings. But he admitted that consumers need to better educate themselves to set a defense against increasingly invasive marketing tactics.
"Our default is around cookies being part of a Web experience rather than an e-mail experience," Dujari said. "When consumers get e-mail, people don't usually expect a cookie."
Spreading the word
There's a fine line between spam and commercial pitches from an online retailer that ask for permission to send a message. In both cases, the message may plant a cookie on the receiver's hard drive, but the spammer, by definition, has done so without any pre-established relationship. Still, consumers at the receiving end of both kinds of messages are often not notified of monitoring--either in the mail or in Web privacy policies--nor given the option to block cookies in the future, privacy experts said.
Direct marketers are just starting to pay attention to this area. Pat Faley, vice president of ethics and consumer affairs for the DMA, a 5,000-member organization of retailers, said the group urges members to include in all e-mail a link to their privacy policies. She added that members should "definitely disclose e-mail tracking practices in their Web site privacy policy."
E-mail marketing also raises sticky questions for marketing services companies, which deliver ads into rich e-mail. Although these companies typically guarantee anonymous data-collection, it theoretically would be easy to tie that data back to an e-mail address in an e-mail-based marketing campaign, according to privacy experts.
DoubleClick, a heavyweight in Web ad delivery and e-mail marketing, offers a service called DartMail that lets companies manage, deliver and track e-mail marketing campaigns. The technology allows customers to add software such as cookies or Web beacons to a campaign and track the effectiveness of a promotion.
DoubleClick said that data it collects online is kept separate from data collected through e-mail.
J.Crew is a customer of DoubleClick's DartMail, but the retailer does not specifically address e-mail monitoring practices in the privacy policy published in its Web site. The policy says only that "in some instances, we may use third-party companies to help us serve you better. These companies may be given access to some or all of the information you provide to us and may use cookies on our behalf."
J.Crew did not immediately respond to requests for comment.
To be sure, some retailers are starting to refer to e-mail monitoring in privacy policies. Amazon.com, for example, mentions that it may use tracking methods via e-mail to determine preferences for future communications. Still, privacy advocates said e-mail privacy practices are largely under-disclosed compared with other media such as the Web.
"E-mail privacy hasn't been on the radar until recently," said Larry Ponemon, CEO of the Dallas-based Privacy Council, a knowledge management and technology company. He added that most companies still don't fully understand how e-mail plays a role in privacy and security.
One problem with the disclosure of e-mail privacy stems from the large percentage of e-mail marketing campaigns that are conducted at arm's length through third-party providers. As a result, companies that retain e-mail marketing services may not always be fully aware of the practices employed on their behalf.
Although many major companies outsource their e-mail marketing to companies that openly admit to using cookies and other tracking techniques, the privacy policies published online by these companies do not always address the issue of e-mail monitoring.
"There's a lot less transparency around what's happening in e-mail marketing than with Web content," said Alex Fowler, senior director of policy and advocacy at Zero-Knowledge Systems.
Walmart.com, for example, delivers opt-in e-mail marketing through third-party providers. It does not mention e-mail monitoring in its privacy policy, however, which was last updated Dec. 8, 2000, according to its Web site.
In an interview, Walmart.com spokeswoman Cynthia Lin confirmed that the company tracks customers through e-mail using "software technology." Still, she said, the company's privacy policy is adequate.
For one thing, the company does not use cookies, she said. In addition, she said that any data gathering that occurs after consumers leave the e-mail client is not technically part of the e-mail experience, even if the original Web link is embedded in an e-mail. Once consumers are whisked to the Web, all of the company's practices are covered by its Web policy, which clearly states that the company never sells or rents customer information.
"When customers do get those e-mails and click on links within them, we are able to track that information," she said. "We have made every effort to make our security and privacy policy as clear as possible to our customers."