Guest Column: Kentik's Doug Madory, Last Call for Upcoming ISOC Course + More

John Gilmore gnu at toad.com
Sat Sep 9 03:33:51 UTC 2023


Ryan Hamel <ryan at rkhtech.org> wrote:
> For you to say, "my privacy has been sold", is simply not true.

I agree with you somewhat about tracking links.  They only spy on a
person when that person tries to follow them.  I do find it much less
useful to read mailing lists that include references to external
resources that I decline to access, because I don't want to follow
bugged links.

But the "web bugs" that I mentioned as a second default-on Mailchimp
tracking technology ARE specifically designed to be triggered any time a
recipient reads a message in an HTML-based web browser.

Back when postal mail was the default, senders had no idea whether the
recipient opened, read, or forwarded a letter, versus tossing it into
the fireplace as kindling.  Society carried forward that expectation
when postal mail was gradually replaced by electronic mail.  Ordinary
email senders don't know if you have read their message (unless they get
social clues from your subsequent actions, just as with paper mail).
Tracking was never part of the Internet email protocols; it was glued-on
by abusing HTML email features and making unique URLs sent to each
recipient, whose corresponding web server logs when they are accessed.

These email tracking technologies deliberately violate the social
expectation that reading a letter is a private act.  They produce
detailed records of the private, in-home or at-work activities of every
recipient.  They do all this covertly; you will not find a MailChimp
mailing list message plainly telling you, "If you want to safeguard your
privacy as an email reader, do not open these messages, because we have
filled them with spyware."  That would produce too many unsubscribes and
too much outrage.  Instead, a recipient has to be technically
sophisticated to even notice that it's happening.  (Many bulk email
senders also don't know that their emails have spyware quietly inserted
into them as they are distributed.  I have engaged on this topic with
many nonprofit CEOs and marketing executives, who really had no idea.)

Those detailed email-reading and link-clicking records are not just
accessible to the sender.  There's an agency problem.  They are kept and
stored and sold by the intermediary (MailChimp), both individually and
in bulk.  They are accessible to any government that wants to ask,
without a warrant, without probable cause, in bulk or individually,
since they are "third-party" records about you, like your banking
records or license-plate-reader records.  They are accessible to private
investigators via data brokers.  They are accessible to any business
that offers a sufficiently attractive deal to MailChimp -- places like
Google or Facebook who make billions of dollars a year from tracking
people to manipulate them with advertising.

And wouldn't you like to know just which emails your competitors'
engineers and executives are reading, and when, and where, and how many
times, and whether they forwarded the messages?  (I've often wanted the
Google Detective Agency, that I could merely pay to tell me what my wife
or my competitor or that rude guy who insulted me is searching for on
Google, what web pages they are looking at, what emails they are reading
or sending, and exactly where they are navigating in their car or on
their bike or on transit.  Google has all this information; why won't
they sell it to me?  They definitely sell it to the government, so why
not to me?  It's amazing to me that people treat Google like Santa Claus
giving them free gifts, when it's really like an NSA.gov that is
unencumbered by laws or oversight.  MailChimp isn't as bad as Google.
Its scope is smaller, but its defaults are deliberately bad, and it's
created quite a honeypot of trillions of records about billions of
people.  The point is that besides being a gross violation of the
personal privacy of the home and office, this data also has real
commercial value.

I suggest that as a technically aware organization, NANOG.org should not
be creating detailed spy dossiers on its members who read emails, and
then letting its subcontractor MailChimp sell or trade that info out
into the world.

	John Gilmore
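
The mechanism described in the message above (remote images and per-recipient URLs in HTML mail), as an added example that is not part of the original post or the list archive: a Python sketch that lists what an HTML message would fetch when opened and which links carry a unique token. The sample message, host names, token value and the token heuristic are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message: hosts, addresses and the token are made up.
SAMPLE = """\
From: list@example.org
To: reader@example.net
Subject: Newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://tracker.example/click?u=ab12cd34ef56ab78">Full story</a></p>
<p><a href="https://www.example.org/about">About us</a></p>
<img src="https://tracker.example/open.gif?u=ab12cd34ef56ab78" width="1" height="1">
</body></html>
"""

class RemoteRefs(HTMLParser):
    """Collect URLs fetched when the mail is rendered (img) or clicked (a)."""
    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and (a.get("src") or "").startswith(("http://", "https://")):
            self.images.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

def has_token(url, min_len=12):
    """Heuristic (assumption): a long alphanumeric query value is a per-recipient id."""
    return any(len(v) >= min_len and v.isalnum()
               for _, v in parse_qsl(urlsplit(url).query))

def audit(raw):
    """Return remote images that load on open and links carrying a unique token."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    refs = RemoteRefs()
    if body is not None:
        refs.feed(body.get_content())
    return {"loads_on_open": refs.images,
            "tokenized_links": [u for u in refs.links if has_token(u)]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A message with no HTML part returns two empty lists, which matches the point that the tracking depends on HTML rendering rather than on the email protocols themselves.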


More information about the NANOG mailing list