Ask HN: Please help me get in touch with Apple's email privacy engineers
28 points by bengtan 44 days ago | 13 comments
With Apple's recent announcements about blocking tracking pixels in emails, I wonder if they might also consider doing something about tracking links too.

I wrote https://bengtan.com/blog/whats-in-email-tracking-links-and-pixels/ and I know of some techniques that can be used to bypass tracking links (i.e. discover the destination URL of a tracking link without actually crawling the tracking link).

It would be great for privacy if Apple also started disrupting tracking links (and then the rest of the email service providers do so too).

How do I get in touch with the Apple software engineer(s) who are working on email-privacy/anti-tracking-pixel software? I'm just a random no-name person on the Internet. Can anyone help me please?


This seems like a case of inflated importance. If you want to contact engineers then you reach out to the company and see if they want to talk to you. This is like Joe Blow saying... I have a great idea, we should change the background on Windows to rainbows... How do I get in touch with Bill Gates?

>If you want to contact engineers then you reach out to the company and see if they want to talk to you.

I don't disagree with your overall point, but getting feedback like this in front of the eyes of an employee who can actually assess its validity is easier said than done.

But that's exactly where the inflated importance part comes in.

Does OP really believe that no one in Apple's engineering department has ever asked "should we do anything about tracking IDs in email links?" Or that no one at Apple is able to reverse-engineer MailChimp links?

Your method seems to just involve knowing the standard rules that mail services use to provide tracking information, and removing those or reverse engineering them.

What happens when one of the biggest email services, Apple, starts removing those tracking IDs? Marketing just rolls over and dies?

It will be pretty trivial to keep changing up their url parameter system, or even to have unique urls that don't include query parameters at all, like the MailChimp system but without the simple Base64 encoding. Sure, it would be a bit of a pain to engineer, but needs must.

It seems this would be better to make a browser extension, which can keep up with changes, and, honestly, would probably be small enough that marketers wouldn't bother trying to adapt to it.

Write the blog post fully describing what you would say in conversation with them, then put an "I'd love to know that Apple privacy engineers considered these ideas, so please share it with them if you happen to know them." sentence at the top and wait?

"Apple software engineer" is just a guy doing what he's been told.

He has no decision making power.

Lots of things related to privacy and security are part of a way bigger multi-billion dollar game than what companies are trying to mislead the public with.

>In those cases where the destination URL is embedded into a tracking link, it’s possible to avoid tracking by decoding the destination URL and navigating to it directly. This is true for ConvertKit and could be true for Mailgun retailers like Substack (when or if I eventually work out the decoding).

What stops a tracking link from using a different url in the get params than it actually returns? I don't think this is workable.
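
An added example, not part of the thread or of the linked blog post: the "decode the destination without crawling the link" idea quoted above, for a constructed link layout in which the destination sits either in a query parameter or as a URL-safe Base64 path segment. The hosts, the `DEST_KEYS` names and the link shapes are assumptions made for illustration, not any real provider's format.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl

# Assumed query keys that may carry the destination (constructed, not a vendor's list).
DEST_KEYS = ("url", "u", "target")

def _as_url(value):
    """Return value if it is an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    return value if parts.scheme in ("http", "https") and parts.netloc else None

def _b64_text(token):
    """Decode URL-safe Base64 (padding optional) to text; None if it is not text."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def embedded_destination(link):
    """Recover a destination carried inside link without requesting it.
    Returns None when the link holds only an opaque ID."""
    parts = urlsplit(link)
    candidates = [v for k, v in parse_qsl(parts.query) if k in DEST_KEYS]
    candidates += [seg for seg in parts.path.split("/") if seg]
    for cand in candidates:
        # Try the value as-is (parse_qsl already percent-decoded it), then as Base64.
        found = _as_url(cand) or _as_url(_b64_text(cand) or "")
        if found:
            return found
    return None

# Constructed sample links; tracker.example and shop.example.com are placeholders.
DEST = "https://shop.example.com/item/42"
TOKEN = base64.urlsafe_b64encode(DEST.encode()).decode().rstrip("=")
B64_PATH_LINK = f"https://click.tracker.example/c/{TOKEN}/12345678"
QUERY_LINK = ("https://click.tracker.example/r?id=12345678"
              "&url=https%3A%2F%2Fshop.example.com%2Fitem%2F42")
OPAQUE_LINK = "https://click.tracker.example/l/9f8e7d6c"

if __name__ == "__main__":
    for link in (B64_PATH_LINK, QUERY_LINK, OPAQUE_LINK):
        print(link, "->", embedded_destination(link))
```

The decoded value is only what the link claims to point at; a link that carries nothing but an opaque ID returns `None`, and the server is free to redirect somewhere other than the embedded URL.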

Exactly? I mean, let's say a link was:


That's obvious and easy to filter out, but let's say they changed it to:


That's less obvious because it's part of the URL to resolve instead of a variable. You could filter out the "12345678" now to instead direct you to:


OK, but let's say the company (through plausible deniability) didn't use permalinks, or (again through plausible deniability) used model numbers as their address. They could disguise the tracking link with


Which could again be detected, but then you'd just get sent to


instead of the actual page you wanted to visit.

The point is, that if you try to filter out affiliate links, you will invariably get to a point where all you can do is send them to the homepage of the website in this cat-and-mouse game of disguising affiliate links as product pages. And while sending you to the homepage is theoretically completely private, I think marketing folks and actual end-users would understandably complain.

Wouldn't something like https://example.com/correct/horse/battery/staple look like a real link and be very trackable?

Or even, https://correct.horse.battery.staple.example.com/

I mean, you could add rules, but the second your rules turn something like Slack's "magic link" into a thing that can't be used, users will rightfully be upset.

Nothing in theory, but he has shown what they do today.

The problem here is that it will probably work on a small scale. But if someone like Apple or Google adjusted to it, places like MailChimp would notice immediately, and "fix the glitch" as you describe.

I can see where tracking pixels need to be eliminated, but tracking links seem fairly legitimate because it requires an action on the part of the user to become effective. The solution is to not click links in marketing emails.

Do Apple email clients not let you disable external links in emails? Is this for cell phones? That would be a serious limitation of the client if true.

File a radar.
