David Heinemeier Hansson

February 25, 2021

Why Apple, Google, and the rest of email's big players let spy pixels happen

After the BBC ran their big story on spy pixels being endemic, there's been a surge of interest in the phenomenon. And for a very good reason: Most people still don't know they're being spied upon when opening emails, and they're shocked when they learn that they are!

I went on CNBC Europe this morning to talk about spy pixels, and one of the questions was "why haven't the big players in email done something?". Yes, why indeed have they not! Let's examine this question. I think there are two separate answers.

For Apple, I think they're actually philosophically aligned with addressing spy pixels. They've done tremendous work with Safari to tackle tracking on the web, forcing data-use disclosures in their app stores, and they've run campaigns non-stop about how iPhone = Privacy.

The reason Apple hasn't done anything is because iOS Mail has simply not been under any real competitive pressure for a very long time. Until just a few months ago, you couldn't even change the default Mail app on iOS! And Apple sells email services as part of the iCloud bundle. So Apple Mail just doesn't have to compete on market terms.

In short, Apple's monopoly position has halted innovation. Because Apple innovating in Mail wouldn't make a lick of difference to the bottom line. That is to say, I think Apple missed the boat on spy pixels because nobody was paying attention. The competitive football was happening elsewhere. Not because they want spy pixels to continue to be endemic.

With Google, it's quite a different matter. Google already spies on your emails! Every email that hits your Gmail inbox is analyzed five ways from Sunday by Google. Mined for data in all the ways. Hell, your email receipts are even scanned to spy on your purchase history, so they can build a more detailed profile on you!

Asking Google to do something about spy pixels would be like asking the mob to help stop larceny. It's possible they'd do something, if they could eye a three-dimensional chess advantage on a broad political board, but it's not the natural place to ask for remedy!

The sad thing is that Google is the bigger gorilla of the two in email. In the US, they're responsible for well over half of all emails. So they set the tone, and Google's tune has been "collect it all" since the moment they got into targeted advertisement.

As far as the other dominant players, like Verizon, which owns both AOL and Yahoo Mail (the very distant number 2 and 3 in email after Google), you'll find a variation of the Google answer. Verizon gives you "free" email such that they can sell you as a product to advertisers. You'll wait until the end of the earth for Verizon to stand up to spy pixels.

So while I think it's possible to get traction with Apple, and Gruber is trying his best to whisper in the ear of the giant, I don't think we're going to get any traction from the other dominant players in email. The real change will come from regulation, enforcement, and culture.

The GDPR already outlaws the generally applied use of spy pixels. You can't collect people's data like this without opt-in informed consent, but since there's been no enforcement on the matter, companies just do it anyway. I think that's highly likely to change.

Somebody – or manybody! – will file the necessary complaints with European regulators, it'll take forever and a day for those to work through the bureaucracy, but eventually there'll be the obvious verdict: Yes, spy pixels are an egregious violation of the GDPR. Duh! Here's an (inconsequential) fine against the company that was the subject of the complaint.

Once that happens, respectable companies will no longer be able to hide behind the nonsense that spy pixels are "industry practice". There'll be a clear ruling. Corporate compliance departments will tell corporate marketing departments "cut that shit out", and that'll be that for big companies.

Additionally, I bet you that someone is going to drag in Mailchimp, Campaign Monitor, Sendgrid, Postmark, or some other bulk email sender, and essentially charge them with knowingly abetting the violation of the GDPR. The argument is pretty simple: You knew your customers didn't have consent to use spy pixels against their recipients. You never audited any of your customers for this consent. It was an open industry secret that nobody ever secured consent. Therefore, like a bank accepting large deposits from a cartel, you're liable for the conduct you enabled.

I'm convinced that spy pixels are already dead trackers walking. It's just going to take a couple of years for reality to catch up with this historical inevitability. Cat's out of the bag. People don't want to be spied upon for opening their emails.

Until that happens, though, I'll be making sure we keep the spy-pixel blockers up to date in HEY.

In other spy-pixel WTFs of today, read this creep's confession in the Independent.

