
If you care about privacy, don't use OS X mail - treve
http://evertpot.com/if-you-care-about-privacy-dont-use-osx-mail
======
kevinchen
Seriously? There’s a preference called “Display remote images” that is enabled
by default because most users will be confused when half their emails look
like crap. If you disable this, Mail won’t load any remote content until you
press the button.

~~~
JohnTHaller
In proper email and webmail clients, it's off by default and there's a button
to 'display images' at the top of the email when you're reading it.
Thunderbird, Android's built-in email client, Gmail, etc. all do this.

~~~
kevinchen
In proper web browsers, such as lynx, displaying remote content other than the
HTML is off by default and there’s a button to display images.

~~~
JohnTHaller
Heh. True. But, there's a big difference between surfing a website anonymously
and having your mail client on your modern OS sending tracking information
confirming your email address and that you opened the mail out to every
marketer and spammer that sends you email by default.

------
JohnTHaller
For the curious, the article is lamenting the fact that OS X's built-in email
client loads external images by default. This is bad behavior in an email
client. Both spammers and legitimate email marketers use external images to
track if you have opened an email. When you open it, marketers are tracking
what you're doing (you received and opened it). But when you accidentally open
a spam, the spammer is confirming that your email address is real and is
receiving the spam and then selling your email address on spamming lists.

Nearly all modern email clients and most modern webmail clients have external
images blocked by default for these reasons. They have a button or link at the
top of an email without images loaded that says "Display images". You can also
often select to always display from a particular sender. Mozilla Thunderbird,
Gmail, Outlook, Android's built-in email client, etc. all display this proper
image handling behavior.

Oddly, Rackspace's webmail client for their hosted email service suffers from
this same privacy vulnerability by default despite the fact that their
competitors' webmail clients work properly. I posted a request for them to fix
it: [http://feedback.rackspace.com/forums/71021-product-feedback/...](http://feedback.rackspace.com/forums/71021-product-feedback/suggestions/4665972-rackspace-email-s-webmail-client-should-not-load-e)

------
slaven
Man, this scared the crap out of me as I've been using OS X Mail for years. As
others have pointed out, the post is completely wrong, here's my privacy test
result after I viewed the delivered message:

[http://cl.ly/image/3D0O2b450Z2t](http://cl.ly/image/3D0O2b450Z2t)

Yes - of course Load Images is disabled in settings. What else would you
expect? If I press Load Image button most of those boxes of course turn red.

------
jeffh
> "I already had a hunch that it would automatically load in external images"
> ??

Excuse me, but if the author was clueful enough to expose this issue, why
didn't they explain the very simple setting that changes this (unfortunately)
default behavior? Head in to Preferences > Viewing > and remove this behavior.
It should be the default, sure, but this post makes it sound intractable.

------
wyager
Am I missing something? Doesn't any mail client that auto-loads images and
stuff have this problem?

~~~
mblakele
I think so, and OS X allows you to turn that off. Maybe the headline should be
"If you care about privacy, check your mail client settings"?

Using 10.9 with "display remote images" disabled, I asked
[https://emailprivacytester.com/](https://emailprivacytester.com/) to send me
a test message. The test page indicators didn't budge when I opened the test
message. Then I clicked on "load remote images" and naturally quite a few
turned red. But that's why I disabled that feature in the first place.

------
quesera
[https://emailprivacytester.com/](https://emailprivacytester.com/) is great.
They'll send you an email with dozens of tests to determine what kind of
information your mail client (MUA) is leaking to senders.

I use mutt exclusively and of course it's perfect.

When I first tested emailprivacytester.com, I also checked Mail.app on OSX
~10.7, and iOS ~5, and I was quite happy with the results.

Now, I always check settings immediately after launching any app for the first
time (and on OSX always run Hands Off!, which I greatly prefer over Little
Snitch), so it's possible that I fixed obviously-bad defaults before getting
bitten by them.

Unfortunately, I'm not sure what the author is trying to say -- is Mail.app
worse in Mavericks, or has he just not bothered to configure it sensibly for
his (our) uncommon usage preferences?

------
yuhong
On email tracking, here is another fun one:
[http://blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Al...](http://blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex/)

------
Stwerner
That email privacy tester linked in the article looks really cool.

I had an idea for an email client the other day, but the potential privacy and
security issues seemed like it would probably become a nightmare.

Are there any other tools out there like this?

~~~
weslly
> Are there any other tools out there like this?

[http://emailipleak.com/](http://emailipleak.com/) is pretty useful to test if
your email client sends your IP along with your message to recipients.

------
chriscareycode
It always bugged me that load external images is enabled by default on many
Apple products still. I was not aware of just how bad it really was. Great
post, thanks.

~~~
kevinchen
If you care about privacy and you’re using the internet, I’d say email clients
are the least of your worries.

------
TheLoneWolfling
Anyone know of an email client that allows a whitelist of email addresses to
autoload remote content from?

~~~
extra88
Outlook 2011 for Mac has a setting, under Reading. Automatically download
pictures from the Internet:

      * In all messages
      * In messages from my contacts
      * Never [I think this is the default]

Your contacts list could act as your whitelist.
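
------
Added example, not code from any commenter or from any mail client named in this thread: a sketch of the two ideas discussed above, listing the remote URLs an HTML message would request when rendered (the open-tracking mechanism) and gating autoload on a sender allowlist. The names `AUTO_FETCH`, `RemoteRefs`, `remote_content` and `should_autoload`, the attribute list, and the sample message are all assumptions made for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Tag/attribute pairs a renderer fetches when the message is displayed, without
# a click. Assumed, non-exhaustive list; CSS url(...) references are not covered.
AUTO_FETCH = {("img", "src"), ("link", "href"), ("iframe", "src"),
              ("input", "src"), ("video", "poster"), ("body", "background"),
              ("table", "background"), ("td", "background")}

class RemoteRefs(HTMLParser):
    """Collect URLs that rendering the HTML would request from a remote host."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            # cid: and data: references stay inside the message, so they are ignored.
            remote = url.lower().startswith(("http://", "https://", "//"))
            if (tag, name) in AUTO_FETCH and remote:
                self.urls.append(url)

def remote_content(raw):
    """Return (sender address, remote URLs) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    parser = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return sender, parser.urls

def should_autoload(raw, allowlist):
    # From: is sender-controlled, so an allowlist keyed on it is only as strong
    # as the SPF/DKIM/DMARC checks performed before this decision.
    sender, urls = remote_content(raw)
    return {"sender": sender, "remote_urls": urls,
            "autoload": bool(urls) and sender in allowlist}

# Constructed sample message: one 1x1 remote image, one inline cid: image, one link.
SAMPLE = (b"From: Shop News <news@shop.example>\r\nTo: me@example.org\r\n"
          b"Subject: Sale\r\nMIME-Version: 1.0\r\n"
          b"Content-Type: text/html; charset=utf-8\r\n\r\n"
          b'<html><body><p>Hi</p><img src="cid:logo">'
          b'<img src="https://t.shop.example/o.gif?u=me%40example.org" width="1">'
          b'<a href="https://shop.example/">shop</a></body></html>\r\n')
```

Only the remote image is reported for the sample; the `cid:` image and the plain link are not fetched at render time, so they do not count as remote content here.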

