

EmailOracle (YC W10) Tracks Your Emails and Confirms They've Been Opened - cominatchu
http://lifehacker.com/5660823/emailoracle-tracks-your-emails-and-confirms-theyve-been-opened

======
eli
Gonna have a pretty high false negative rate though, right? Virtually all
modern email programs and webmail systems block images by default (unless the
sender has been marked as "safe" or sometimes if they've been added to your
address book).

You might as well steal some of the (very clever) tricks used here:
<http://litmus.com/email-analytics> to track whether the messages was
forwarded and the time spent reading. They don't work all the time, but it's a
pretty neat piece of code.

~~~
mike-cardwell
You'd think that wouldn't you. I found ways to track this stuff even when
remote images are disabled in Thunderbird, Apple Mail, Android Mail, Mail on
iOS, Outlook, tonnes of webmail apps:

<https://secure.grepular.com/Apple_Mail_Privacy_Hole>

<https://secure.grepular.com/iOS4_iPhone_Email_Privacy_Leak>

[https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunder...](https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail)

I created a web application which crafts an email with lots of tests and sends
it your address. When you open it, it tries to "call back" to my server and
the web page shows you the results. If you see anything on there before
hitting "Load Images" your client has a problem. You can access the app here:

<https://secure.grepular.com/email_privacy_tester/>

~~~
Luyt
Thunderbird 3.1.4 doesn't trigger anything. All yellow stars.

~~~
mike-cardwell
Thunderbird 3.1.0 used to trigger the dns prefetch test, but yeah it's fine
now.

------
thingie
I usually consider emails with some kind of read-receipt requests or (even
worse) tracking images (which fortunately gets blocked in any decent email
client) at least very rude.

~~~
emailoracle
What EmailOracle does is to enable prosumers with the ability to deal with
outgoing email overload. We are a business tool and we have studies that show
that this is a feature that is well-received and well-intentioned in
enterprise communication.

This is also evidenced in how MS Outlook provides read-receipts for their
emails, and Blackberry messages that also automatically do read-tracking.

Makers of a kitchen knives cannot really prevent customers from using the tool
for nefarious purposes. We do our best to preserve the privacy of recipients
and allow opting out as well.

~~~
dgallagher
This is a hot button issue in the sense that it "spies" on the foreign email
reader without their permission. Many spammers use this same technique to
verify if an email address is valid or not (e.g. checking if keyed-URL images
loaded).

A few responses from people who don't like this idea might include:

\- Blocking the service

\- Auto-opening and auto-reading "every" email that comes into their inbox (no
way to tell which one was/wasn't read)

\- Being extra-careful, reading emails selectively (e.g. don't read anything
after 4pm otherwise you might get stuck doing overtime)

As you might tell, I'm personally not a fan of this. But if I were a lawyer,
or boss, or part of law enforcement, I might like this idea. The current
implementation of "email receipts" is very broken, especially in the corporate
world.

The thing is, if a company or employee ever gets burned by this, they'll block
it. Most everyone I've worked with turns email receipts off in Outlook for
this reason.

Don't take my cynicism to heart though. Nobody has tried this idea in this way
(that I'm aware of). It's very interesting. You never know how it'll pan out
unless you try. Plus this is just the opinion of some dude on the internet;
not a very good indicator if it'll succeed or not. ;)

Best of luck to you and your team! :)

~~~
cstross
Alternatively, power users can just go back to mutt: <http://www.mutt.org/>

Unless I'm reading this wrong, the service relies on the broken misfeature of
many modern email clients that diverge from the original RFCs for mail by
treating HTML as something they can process. A client that only handles plain
text email (with attachments as something separate to hand off to an external
program) is safe from this kind of abuse.

------
anonymous245
Somebody please write a blocker for this. Do we need something special, or can
we just add some rules to AdBlock Plus to work around these antisocials?

Good job funding this garbage, PG.

~~~
cominatchu
I'm sorry you feel this way. You can opt-out of emails sent to you from free
EmailOracle accounts. Maybe we should add to our website the ability to
automatically opt-out of all future tracking?

~~~
bobds
A pre-emptive opt-out could work, but how exactly would you implement it?

Do I have to give you all my email addresses that I want to opt-out with?

Do I have to get an "optout" cookie so that the server with the tracking
pixels and whatnot knows not to track me?

I think I'd rather block this at the email client level. This way I don't have
to trust anyone's optout procedures, as well as being protected from any
nefarious trackers that don't care about things such as opting-out.

~~~
emailoracle
Yes, users are free to still continue whatever means they have used in the
past to opt-out, including at the client level. We don't (and can't) prevent
any of that.

~~~
bobds
Of course you can't prevent it, however one of your application's goals is to
work around email client filters that would block traditional tracking
methods. Just to be clear, I have no problem with what you are doing.

I would like to know if blocking images is enough to not be tracked. Do email
clients have sufficient image blocking or do they let through images specified
in CSS (or similar) through?

------
andrewf
If anyone wanted to burn their relationship with me, spying on what most would
consider to be unwatched activity, involving something as specific and
interpersonal as email, would be a pretty good way.

It's just... creepy.

If you have a legal need to make sure I've received something, use registered
post.

~~~
tomjen3
Spying on people is rude, but you do know that there are at least 4
intelligence agencies from various countries between you and your recipient
right?

------
ig1
Don't most email clients (both web and desktop based) block images loading by
default to specifically stop this kind of tracking ?

I recall spammers using precisely this technique with early html supporting
email clients in the late '90s to validate email accounts.

~~~
NathanKP
Anyone who is concerned about security and tracking will leave images blocked
by default, but most average people will turn image blocking off so that they
can see the pictures in whatever trashy chain email is making the rounds.

The don't realize that this allows spammers to track whether or not the email
address is live, they just think that it saves them from having to click "Show
All Images".

------
anon-e-moose
As others have pointed out, Gmail and other mail clients are designed to
specifically block this kind of thing.

How is an apparently viable business based on such a non-platform?

~~~
emailoracle
Open-rate tracking is only one of the features we are providing with
EmailOracle, and we see many other business opportunities in this space.

------
edanm
Reading this was very surprising for me, because I'd always assumed this kind
of thing was impossible.

After going over the comments here, there is apparently a (well known) trick
of adding images to email, then tracking hits for that image on your server,
thus giving you "email analytics". Apparently this is one of the reasons that
most email programs block images by default. In fact, I've long wondered _why_
images are blocked by default, and only now found out.

Always amazes me how many things I have yet to learn!

------
towndrunk
What a terrible name for the company. When I first read the title I thought
"Email Oracle? Why would would I do that?". Not to mention Oracle will
probably make claims to it.

------
jesspugsley
All I see when I read about this tool is the forthcoming lawsuit from Oracle.

~~~
expertcs
I think that is why they have kept it. It will give them insanely high
publicity. Moreover, I think they might be able to keep it too. It's not like
Oracle sued Matrix team for having an Oracle. :)

Also, to the people who are saying images are not displayed in most of the
email clients, browsers, don't forget smartphones where there is no option of
blocking images.

~~~
jbail
Gmail on my smartphone (running Froyo) doesn't load images. In fact it has a
"Show pictures" button which I must explicitly press to load images.

~~~
mike-cardwell
Android 1.6 on my G1 loads the following content _before_ I click "Show
Pictures":

iframes

inline css style tags with an @import option.

external css style tags

object embed tags

It also honours meta refresh tags and opens the standard web browser entire
automatically just by viewing the email.

Can you please test Froyo using my app at
<https://secure.grepular.com/email_privacy_tester/>

I'd be interested to know if all of these flaws still exist in newer versions
of Android...

~~~
jbail
Just submitted to test. Should I get an email?

~~~
mike-cardwell
You should, unless your spam filter blocks it...?

------
thraxil
As a diehard mutt user, I wish them the best of luck.

------
shimon
Seems almost identical to this company (from a previous YC round, I think):

<https://etacts.com/>

I really like the idea of an "expect followup with in N days" feature for
GMail. It's interesting that GMail's dominance as a client for heavy email
users has accidentally enabled a market of add-ons delivered as browser
extensions.

------
yellowbkpk
It appears that one of the features this site offers is the ability to find
e-mails you've sent that need followup because they haven't been responded to.
I'd love to have that feature built into Gmail (and it seems like something
very doable). Does anyone have a search/filter setup that allows you to find
these "need to followup" e-mails?

~~~
cominatchu
EmailOracle does build this feature right into Gmail :)

It adds a link in the left panel of Gmail (under "Contacts") that lets you
open up a new pane (just like the "Tasks" pane) that contains all of your
emails needing follow-up.

------
scalyweb
A visually attractive site and sounds like a great plugin!

But quickly looking through the site...who are you? DNS records show private
whois...GoDaddy's Domain By Proxy service. I'm logging in by giving my Gmail
or GoogleApp credentials but is this through OpenID? Is there a terms of
service before I do this? If you were a known entity I'm sure I would be quite
a bit more forgiving.

Also, I saw a previous comment here by Tim about no visible pricing info by
Tim...why should I have to login just to see what is required for an upgrade?

I'm interested but too many reasons for hesitation has me clicking away...

------
johngalt
I'd rather have a "successful delivery response". It's enough to know that the
email was delivered to a device you are responsible for. Tracking who's
opening it and when seems a little creepy, also you'll have false positives if
the email is blind forwarded.

Having worked with attorney's. "I didn't get the email" is common. I'd like
just to have a list of the response codes from their server to prove that they
accepted delivery.

------
timdorr
The website mentions nothing of pricing. That's a little off-putting because
it either suggests to me there is a hidden charge or they are doing something
nefarious with access to my email account (like reading my email to send me
targeted spam or something like that).

~~~
gbelote
Once you sign up you can find an upgrade page:
[http://img.skitch.com/20101011-jgpkhbquapptemp64ggajwhuxx.pn...](http://img.skitch.com/20101011-jgpkhbquapptemp64ggajwhuxx.png)

~~~
emailoracle
Thanks Greg! Yes, we have the pricing table shown once you login.

------
heresy
Forwarded this to our network guys for blocking at the source, cheers.

------
knuckle_cake
I recall a similar service a few years back which went a step further and
encoded the text into an image, which allowed the sender to revoke the entire
message at a later time.

Google is not finding anything; maybe it's gone now.

~~~
anthony_franco
I think there are a few. BigString was the most popular I heard about.

~~~
pavel_lishin
> Until now, you’ve been the person with the least control over your emails
> because, after you send them, they can be stored and scanned in more places
> than you can imagine. Do you want anyone to permanently store your messages?
> Do you want your words to possibly live in infamy without your knowledge?

Um, isn't that kind of an accepted risk when giving someone something? This
whole thing sounds very fishy to me, actually.

How does it work? Their about page is very very vague, and uses some double-
talk to make your message seem incredibly secure (specifically, the hard-to-
print FAQ entry: <http://www.bigstring.com/info/faqs/answers/printed.php>)

------
malbiniak
wow, well at least you know who your customers are NOT. don't let it
discourage you.

i, for one, am looking forward to incorporating this into my workflow.

------
qeorge
This could be really useful for e-commerce apps that deliver critical
information via email, e.g., product keys or download links.

------
chris_l
That service working without the recipient changing his settings is by
definition a security hole in the email app.

