The curse of HTML mail

It’s been most of a year since I last posted here, but I wanted to rant about HTML mail, and this is the right blog for it. People complain about the intrusiveness of Web tracking, but email tracking is even worse. I’ve noticed this especially after subscribing to a couple of Substack newsletters. They’re sent as HTML, and whenever possible, I click the link to the equivalent Web page, which is less intrusive. Every link in a Substack newsletter is a tracking link, with the odd exception of the link to the Substack page.

The links in a Substack newsletter don’t go to the target page but to a Substack redirection URL. Their purpose is to let Substack know about everything you click on. There are no terms or privacy policy in the email telling you what Substack uses the information for.

Substack has a privacy policy on its website, but there’s no direct way to get to it. The policy says it collects personally identifiable information, including your name, address, picture, and phone number, and shares them with “affiliates.” Other services, such as Mailchimp, do much the same. Some HTML email services put “web bugs,” single-pixel images, into their mail. If your client displays images, the service knows each time you open the message.

The tracking links are tailored to you, so email is less private than opening a page on a site you haven’t logged into.

Tracking links make it difficult or impossible to tell where a link is actually going. Substack links use an encoding that doesn’t show the actual target in plain text, even if you view the message source.

You can read Substack messages as plain text; they’re sent as multipart messages with a plaintext version. With some newsletters, this doesn’t work too badly, but others are so interspersed with long URLs that they’re painful to read.
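To see what a given newsletter would expose before rendering it, the message source can be inspected offline. The following Python is an added example, not part of the original post: it parses a multipart message, confirms a plaintext part exists, and lists the hosts that links point to and the images that would be fetched remotely. The sample message, its hosts and tokens, and the names `RemoteRefs` and `audit` are constructed for this illustration.

```python
import email.policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample newsletter; every host and token below is a placeholder.
SAMPLE = b"""\
Subject: Weekly issue
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Read the full story: https://redirect.news.example/r/AbC123
--b1
Content-Type: text/html; charset="utf-8"

<p><a href="https://redirect.news.example/r/AbC123">Read the full story</a>
<a href="https://blog.example.org/post">Direct link</a></p>
<img src="https://open.news.example/o/AbC123.gif" width="1" height="1"><img src="cid:logo">
--b1--
"""

class RemoteRefs(HTMLParser):
    """Collect link targets and remotely fetched images from an HTML part."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and urlsplit(a.get("src") or "").scheme in ("http", "https"):
            # Any remote image reports the open; a declared 1x1 size marks a web bug.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.images.append((a["src"], tiny))

def audit(raw):
    """Summarise what rendering the HTML part would expose; nothing is fetched."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    refs = RemoteRefs()
    refs.feed(html.get_content() if html is not None else "")
    return {
        "has_plain_text": plain is not None,
        "link_hosts": sorted({h for h in (urlsplit(u).hostname for u in refs.links) if h}),
        "remote_images": [src for src, _ in refs.images],
        "likely_web_bugs": [src for src, tiny in refs.images if tiny],
    }
```

Images embedded in the message itself (`cid:` references) are ignored because displaying them contacts no server.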

There is one way email is less bad than websites. Few modern email client applications, if any, will run JavaScript in email. Some early ones did, but opening a message from a malicious spammer and letting it run JavaScript would be a security disaster. If you read your email in a Web client, though, it will usually run its own JavaScript (the client’s, not the sender’s). It could also modify the links to add its own tracking.

The security risks of HTML email are widely known. Before the format was widely used, the idea of spreading malware by email was a joke. Now people are advised not to open email from suspicious-looking senders, with good reason. The battle is lost, and email for personal communication has gone into steep decline.

Thunderbird and some other clients offer “simple HTML” as a compromise. It does basic formatting but doesn’t display images. If you have to open HTML messages, that’s the safest way.

Personally, I view all my email as text when it’s possible. If a message is unreadable that way, I discard it unless it’s really important.
