Spy pixels are evolving like malware, so HEY’s adapting

We knew that spy-pixel pushers might go down the rabbit hole of escalation once we gave HEY users the power to defend themselves. Just like virus and malware makers are constantly trying to defeat anti-virus and other security protections. But I guess we didn’t realize just how quickly it would happen!

Enter GMass, a plugin for Gmail that adds spy-pixel tracking, amongst a grab bag of other stuff. They hadn’t been on our original list of 50+ services we name’n’shame, but thanks to a new blog post where they brag about defeating protections that recipients might take to defend themselves, they came onto our radar.

This lead to an in-depth investigation into how their latest techniques work, and we spent the whole day coming up with a new process of detecting GMass’ spy pixels. It just shipped! And now HEY will name’n’shame GMass, just like we do the other fifty-odd pushers of this kind of surveillance.

Of course, like those virus and malware makers, GMass may try to defeat our protections again. And we’ll then have to adapt once more, and so we will. Internet security is a constantly moving target. But we can hope that Google will soon stop being a conduit for this kind of privacy abuse on the Gmail platform. Just like they don’t tolerate being used for spamming or phishing.

In the mean time, we’ll continue to do the work both on a general level to protect against all forms of privacy attacks against HEY users, but also specifically to identity bad actors, and to call out the users who employ their software for spying.

Have a surveillance-free Friday!

9 thoughts on “Spy pixels are evolving like malware, so HEY’s adapting

  1. Hi David,

    what about the manually built trackings? Can you somehow stop those as well? Which are not part of a big service like mailchimp, etc.


  2. To some extent, yes. We proxy all images, so no requests are made directly. We have other heuristics to spot generic tracking too. But when we don’t match a specific pattern, we can’t directly shame for it.

  3. Thanks to Hey, I now have exactly two emails in my Imbox. This is after a month of use. My feed gets trashed once read each day, and the paper trail is there when I need to reference an order confirmation or receipt. It perfectly aligns with how I use email and has made my life so much simpler. The vast majority of email I used to receive is now screened out. Thank you, everyone at Hey. Keep fighting the good fight.

  4. Do you proxy the images as soon as the email is received by your servers even if I never open the mail myself? The guy is bragging on the blog it will still register the first open when they user opens the email, but if you proxy right away then that will pollute their data and show an artificially high open rate.

    Guess I could verify this myself by emailing my Hey account with an image and a random filename string from one of my web servers and watch the logs! Maybe later! 🙂

    1. This is probably the endgame for pixel tracking. Open all the images on an email when it’s received by the server and cache them. Also, do this on emails that aren’t valid email addresses so the marketers don’t know if the email address is valid or not.

  5. I read how GMass tries to bypass pixel tracking and I really wonder how HEY can filter those images while keeping the others. GMass IMHO made very difficult to distinguish between them.
    Can you share some technical information or you prefer to keep that secret? 😉

  6. I chimed in on the Gmass comments section with a few questions[1] for the founder.

    @DHH, in a similar vein to the conversation you had with the folks at Agilebits, would you be willing to talk to the Gmass founder in a podcast? It would be fascinating to hear him attempt to justify openly dedicating engineering resource to subverting customers who have opted out of spy tracking.

    Thanks for your work on this area. It’s really meaningful, and I appreciate it.

    [1] https://www.gmass.co/blog/tracking-pixel-blockers/#comment-333304

Comments are closed.