Fallout over Superhuman’s email privacy scandal continues


Why the company’s fixes are still not enough and what you can do to stop email tracking.

The popular email startup Superhuman landed in hot water after it was discovered that the company was using tracking pixels to let users know when and where recipients opened their emails.

The invite-only service, which charges users $30 per month, received widespread attention for its promise of being “the fastest email experience ever made.” Superhuman offers everything from an “Undo Send” option to an “A.I. Triage” feature to automatically sort users’ most important emails.

One of the features, however, has raised eyebrows among privacy advocates. Specifically, Superhuman’s use of tracking pixels is drawing criticism from some of the biggest names in the tech industry.

Tracking pixels are near-invisible images embedded in emails and many websites that record everything from your IP address to the type of device you are using.

In a blog post written late last month, Mike Davidson, Twitter’s former vice president of design, warned that Superhuman was using tracking pixels by default. Those tracking pixels, which enable Superhuman’s “read status” feature, would not only let an email sender know every time a recipient opened their message, but reveal their computer’s location as well.

“That’s right. A running log of every single time you have opened my email, including your location when you opened it,” Davidson wrote. “Before we continue, ask yourself if you expect this information to be collected on you and relayed back to your parent, your child, your spouse, your co-worker, a salesperson, an ex, a random stranger, or a stalker every time you read an email.”

After Davidson tweeted about the issue last week, news of the tracking quickly spread and prompted Superhuman CEO Rahul Vohra to respond. In a blog post, Superhuman vowed to not only stop logging location information, but to delete all the historical location data it had collected. Vohra also stated Superhuman would disable the read status feature by default.

“I am so very sorry for this,” Vohra wrote. “When we built Superhuman, we focused only on the needs of our customers. We did not consider potential bad actors. I wholeheartedly apologize for not thinking through this more fully.”

While Superhuman’s response seemed like a win for privacy, Davidson argued on Monday that the changes aren’t enough.

https://twitter.com/mikeindustries/status/1148324949804769280

Davidson notes that those who choose to enable the read status feature will still violate the privacy of email recipients because anyone receiving an email from a Superhuman user won’t be informed that the email contains a tracking pixel.

“At the very least, Superhuman should display a message when you flip that switch saying something like ‘by turning on Read Receipts, you are monitoring your recipients’ actions without their knowledge or permission. Are you sure you want to do this?’” Davidson suggests.

Vohra defended the decision to keep the read status feature by arguing that it has become a “must-have” for email businesses.

“We are still keeping the feature, as Superhuman is business software for email power users,” Vohra said. “In the prosumer email market, read statuses have been ‘must-have’ for many years.”

So what option do privacy-conscious users have? For starters, those who are using something like Superhuman and take issue with these practices should stop. For those who are worried about being the recipient of emails that use this type of tracking, encrypted email service ProtonMail automatically blocks all remote content and trackers in emails sent to its users. Those who check their email in a web browser can also download add-ons such as PixelBlock and Ugly Email to block trackers.
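To see what remote-content blocking looks for, here is an added example (not code from ProtonMail, PixelBlock, Ugly Email or Superhuman) that audits a raw message for images fetched from a remote server and flags the ones sized or styled to be invisible. The sample message, its hostnames and the size/style heuristics are constructed assumptions.

```python
# Added example; heuristics are assumptions, not any named product's logic.
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message; all hosts and ids are made up.
SAMPLE = b"""\
From: sender@example.com
Subject: Quarterly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="cid:logo@example.com" width="120" height="40">
<img src="https://images.example.com/banner.png" width="600" height="90">
<img src="https://track.example.com/open?id=abc123" width="1" height="1" style="display: none">
</body></html>
"""

class ImgAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote, self.suspect = [], []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        # cid: and data: images ship inside the message and trigger no request.
        if not src.lower().startswith(("http://", "https://", "//")):
            return
        self.remote.append(src)
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tiny or "display:none" in style or "visibility:hidden" in style:
            self.suspect.append(src)

def audit(raw: bytes):
    """Return (all remote image URLs, likely tracking pixels) for a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    parser = ImgAudit()
    if body is not None:
        parser.feed(body.get_content())
    return parser.remote, parser.suspect

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Every URL in the first list causes a request that exposes the reader's IP address and the time of opening, whether or not the image is visible, which is why blocking all remote content is more dependable than matching on pixel size.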


Mikael Thalen


Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.