Am I being tracked? Solutions to online user tracking

Are you making mindful choices in your digital life?

Many companies have been profiting from exploiting your data, whether you choose to share it or unknowingly do so while using online services.

One of the most commonly used methods of exploitation is tracking. The good thing is that there are many empathetic people and companies that are also working to protect us from it.

Today I’m joined by Dave Smyth, designer and developer with a keen passion for privacy and ethics. Dave is using empathy to guide his clients to choose solutions that enhance privacy while also helping them grow their business.

I’m delighted to have Dave on not just as a guest on the podcast but also as a co-host! This is the first of many conversations where we’ll explore the implications of lack of empathy in tech and, particularly, in cybersecurity and privacy, as well as the options and solutions to the problems this generates.

In this episode, you’ll learn about why empathy is important when addressing privacy and cybersecurity issues. You’ll also learn about email tracking and the information this invasive – but inconspicuous – strategy harvests. Lastly, we’ll discuss the steps that Apple has taken to enhance the privacy of its users and the impact that those initiatives are expected to have.

In this episode, you will learn:

• Why empathy is becoming a big deal in tech and cybersecurity (04:51)
• How email tracking works and why many people are unaware it exists (06:56)
• Tools you can use to block companies from tracking you and how they work (10:52)
• How Apple mail protects users from being tracked (15:33)

Guest

DAVE SMYTH

Designer and developer with a strong interest in privacy and ethics. Spreading awareness of privacy and surveillance capitalism issues through my writing, No To Spy Pixels and Below Radar.

Show Notes

• Dave’s personal website
• Dave on Linkedin
• Dave on Twitter
• Forbes: Empathy is the most important leadership skill according to research
• No to spy pixels
• Below Radar
• Fathom Analytics
• Buttondown email platform
• The iOS 15 privacy settings you should change right now
• Personally Identifiable Information definition

Transcription

[01:30] Andra Zaharia: Today’s episode is a collaboration with Dave Smyth – a designer and developer interested in privacy, type, and ethics. I actually met Dave through his work on Twitter, because I saw his keen interest in privacy and a more empathetic approach towards empathy, and technology, and making sure that you have alternatives to use that are outside of this surveillance economy that we all live in. It’s very interesting that his work combines setting up business owners with all of the – let’s say – technology that they need to run their businesses, building websites, and creating enjoyable experiences that are based on healthy, ethical principles. So, for example, as part of his personal projects, he set up notospypixels.com, which helps educate people on the fact that most, if not all, of the emails that they receive and they send have tracking pixels in them, which tell companies where they opened their email from, how many times they opened it, which links they clicked, and so on and so forth – and then he shows people what options they have to block that sort of tracking and how can they report that and then do something about it. Another one of these projects is belowradar.co.uk – a community for business owners and freelancers who don’t want to rely on Facebook, Google, and surveillance capitalism to build and grow their businesses. And more recently, we’ve started doing this podcast together and sharing both our experiences and helping you figure out a better way to cultivate and practice empathy towards yourself and towards others by making more mindful choices in terms of technology. So, I’m very excited to share with you this first conversation that we had together, and making sure that this is one of the many to follow from now on. So, this is your chance to meet Dave. And here’s talk about one of the key things that popped out for us, which is, why empathy is becoming a core topic now? In technology and obviously in other subsets of technology, like cybersecurity and privacy, because they’re all interlinked and becoming even stronger in terms of how they depend on one another. So, here’s our conversation. Enjoy.

[04:21] Andra Zaharia: Hi, Dave. I am so glad that today we are recording together an episode for the Cyber Empathy podcast. We’ve been talking about this for a while and it is finally happening. We finally picked one of the many topics that we’d like to discuss together. So, again, I’m so thrilled that we’re doing this.

[04:42] Dave Smyth: Well, thanks. I’m thrilled to be here and to explore some of these things and talk about them. So, thanks for asking me.

[04:51] Andra Zaharia: So, first of all, I think that we connected so easily because we have so much in common in terms of things that interest us, in terms of ethical dilemmas that we’re trying to figure out and help others understand as well. And when it came to the topic of empathy in cybersecurity, but in technology in general, I think that one of the things that came up for us is why it’s becoming a hot topic now? There was this article on Forbes that everyone shared that empathy is one of the most important leadership traits, which feels obvious and it feels instinctive, but that still doesn’t tell us how to actually do this. So, let’s start with this question: Why empathy now? Why is it becoming such a big topic right now, in tech, in cybersecurity, and everything else that technology touches?

[05:49] Dave Smyth: Yes, it’s a big topic. I was thinking about this a little bit. I think there are lots of things that are happening at a similar time that are kind of bringing it to a head. If you think about the number of security breaches, there’s lots of stuff that everybody’s got used to, like, every week there’s a new data hack with millions of people’s addresses or phone numbers or email addresses. And it’s not really acceptable, but everyone accepts it. Or nothing seems to happen, or if there’s a fine, where does that money ever go? There doesn’t ever seem to be any actual real punishment or an impact for companies when that sort of thing happens. But I think with things like the recent, like Facebook things that have been coming out, like the whistleblower and the documents; things like Apple rolling out changes that make it easier for people to easily stop tracking on their phones and their emails. I think it’s just coming to a head through lots of different avenues.

[06:56] Andra Zaharia: That’s true. There’s a compound effect that’s happening. And I think that even though there’s this distance between, let’s say, cause and effect, there’s this distance between a data breach happening and people realizing or experiencing themselves the consequences of a data breach. Those are two things that are very difficult to connect because they’re abstract notions because they happen in places where we can’t see them or we can’t interact with them and touch them. And as hard as cybersecurity specialists, or people such as yourself, who spend so much time understanding the challenges of the surveillance economy and how we can just step away from that and carve out a more private and secure place for ourselves on the internet, and off. In spite of all these efforts, it’s still a big thing for people to process because they’re not emotionally invested because there’s no skin in the game for them at the end of the day. So, I think that that’s one of the reasons why I’m grateful that we’re able to have this conversation today that, hopefully, people will resonate with and take it as something personal, as something that is part of their lives and not just something that’s external and that’s in the news and that techies talk about, and bring that topic closer. You were mentioning… So, you’ve done so much work around making people aware of tracking online. What is a reaction that you’ve seen in people who weren’t aware that this is happening that someone is counting how many times they’ve opened their email, and where’d they opened itf from, and which email client they used, and things like that? What’s their reaction when they realize that this is happening?

[08:45] Dave Smyth: I think the email thing is actually a really good example because it’s so pervasive – the use of the tracking pixels and things — and no one knows about it. Obviously, people who work in marketing, or tech, or anybody who’s running newsletters knows that they can track open rates. And I would guess that a lot of consumers suspect that companies know when they’ve opened emails. But when you start putting together, it’s not just whether an email has been opened or not; it’s, this data is sent back every single time the email is opened, and it probably reports the location. It will definitely report the day and time for each open. That’s stuff that people don’t know about at all, really, or they certainly don’t think about it like that.

[09:37] Dave Smyth: I remember when I launched the notospypixels.com site. I talked to family members and people I know who don’t work in tech, and it kind of blew their minds that this log of their location was being tracked and there’s nothing they could really do about it. Obviously, you can block it with your email provider or your app or something. I actually spoke to my bank, or one of the banks I use about it because I noticed that they were sending tracking pixels in their statements. I don’t know why they need to send that. But the person I spoke to there was their Head of Customer Service or something like that, and he said to me, “We’ve never had a complaint about this before.” So, I’ve had to look into this. And I’ve run it past the data protection officer, and he said, “Personally, now, I’m going to go and review my emails, and how I access my emails.” Because he had no idea about it. We’re in a kind of a bubble working in this. But as soon as you talk to people who are outside it, who don’t know the technicalities of it or the practicalities of it, it’s pretty mind-blowing when the first time you hear that.

[10:52] Andra Zaharia: It definitely is. And it brings that feeling of betrayal, I guess, because there’s that inherent relationship of trust that people have with their favorite kind of tech companies and technology providers. Whether you’re using an iPhone or an Android-based phone, whatever it is, you have that inherent trust that tech companies will keep you safe by default, which, if you ask any cybersecurity specialist ever will tell you it is not true, simply because we have all of these things, and they work, and they have good UX and nice designs and everything else, it does not make them inherently safe. Technology is complicated, that’s why we see all of these complicated issues. And the lack of empathy makes things tenfold more complicated because they don’t build on the premise of “We’re building technology to help people.” There are exceptions, but it is not the general rule; “We’re building technology to make money.” And that changes everything. We are in this paradigm right now, and I love that there is a very passionate, very determined, and hardworking group of people, including you, who are doing a ton of great work in either educating others or building the tools to help them have alternatives to big tech, alternatives that don’t involve tracking, and you know plenty about that. And I think that that is a very good and practical example of how empathy looks like when you actually apply it. So can you share some examples? Because I know one of the things that I appreciated about you the most is the fact that you walk the talk. So, if you could share some examples of tools that you built and that you use to build on this more independent way of being and working on the internet, I think that that will be very helpful to listeners.

[12:55] Dave Smyth: Well, I think one of the first things to say is that, actually, for anybody wanting to be more independent or not to rely on these tools so much, in a way, now is the best time there’s ever been because there are so many alternatives that simply didn’t exist or weren’t viable for one reason or another a few years ago. A common example would be website analytics, and there are so many alternatives that have cropped up now, largely off the back of Fathom’s work.

[13:27] Andra Zaharia: Big fan as well. I use Fathom as well.

[13:30] Dave Smyth: The analytics that you get from a tool like Fathom is simpler than something like Google Analytics but that’s a plus – you don’t need a Ph.D. to drill down into what’s happening. But something that I talk about with clients a lot with a tool like that is, obviously, one of the benefits is that they may not need a cookie banner, depending on what else is going on in their site, that’s a plus. But something that they don’t really think about is that Google Analytics is blocked by ad blockers and different browsers – so, I think Firefox blocks it by default. So, they’re already missing so much of their traffic already. And if they’ve implemented it properly, then Google Analytics wouldn’t even fire until a user opts in. So, there are all these business advantages to using these tools. So, that’s one tool.

[14:23] Dave Smyth: Another one, think about newsletters. I discovered Buttondown a couple of years ago. It’s just one guy who runs it. He’s constantly developing it. And I saw recently, in the past six months or something, he changed it so that by default analytics are not turned on. So, by default, there are no tracking pixels, which is a really cool development. And people can turn them on and I think it’s possible in Buttondown to turn on UTMs – the extensions to URLs so that you can see where the traffic’s coming from, from an email. So, that allows people to track the source of clicks without having to track individual subscribers, which is a nice alternative to sort of link tracking that happens in lots of emails. Someone actually told me there’s a new newsletter tool, I think it’s called SendStack, that’s completely privacy-focused. I don’t think it will have analytics at all. But there are lots of tools out there and alternatives.

[15:33] Andra Zaharia: I’m very excited for that as well. I think that those are excellent examples. And plus, I’m really glad that you highlighted that there are extra benefits to this as well because people might think that some of these tools are okay for private use, but they’re not as feasible, or not reliable, but just something that works for business, but they definitely are because most people do not need complicated, super complex, enterprise-grade software; they do need solutions that work. And being able to offer customers or subscribers, whether you’re an independent creator or any type of community that you serve, being able to offer them that level of privacy, that level of anonymity, just respecting their data and their behavior, and keeping that private, I think that that is a major benefit to offer users, and an act of being empathetic towards their needs, and not adding to the surveillance economy that we all live in. I say this as a marketer because I have to use tools that involve tracking for some of my clients. I am trying to introduce – the best I can – alternatives to these things and I’m glad people are quite open to it. And the fact that there are more and more alternatives who hopefully get well-funded so they can develop and, hopefully, become mainstream solutions as well. I think that that’s going to help a lot in their adoption because so far, privacy-focused technology and security has been — I get that people don’t want to jump into that because they fear that it’s too technical for them. It used to be complicated. I mean setting up a VPN used to be a thing that only very few people were able to do. And now it’s as simple as install and click one button, and that’s it. So, things are getting a lot easier. And I think that it’s fitting that empathy is becoming such a core topic because there are so many ways that we can practice it, whether it’s in education or building products, or like you do, educating your customers, which has, obviously, a ripple effect in the community. There are so many options. Some are the likes of Apple who are taking such a huge stand on “We’re helping you set up accounts without giving your email.” Can you talk a bit about that? Because I think that, well, people in tech know what’s going on, but given that we’re trying to reach people outside of the tech bubble, I think that this particular example, with your explanation, would have a big positive effect on people to know that it’s there.

[18:17] Dave Smyth: I’ll do my best. So, I think it’s in iOS 15, Apple is rolling out a couple of things. So, one is that users of the Mail app will be able to block the use of these spy pixels or tracking pixels, which hasn’t been the case before. So, there’s actually an extension that people have been able to install into Apple Mail called Mail Tracker Blocker, I think, that does this. But now everyone will be able to do it. It’s really cool because anybody who uses Apple Mail, no matter where your email originally comes from — so, if somebody is forwarding their Gmail account into Apple Mail, Apple Mail will strip the pixel from it, and their location and open history and stuff will be protected. I saw a stat from an email industry body article that was talking about the impact of this. And they reckon that that would affect 30% to 40% of newsletter lists in terms of the open rates that they see. But the other feature that you’re really talking about is the ability for users to set up temporary email addresses. I’ve not actually done it myself yet but the basic premise is that instead of giving a company your actual email address, you can give them a temporary one that still comes to your email. And your experience of it is just like using your standard email, but the company at the other end doesn’t see your actual email address. Initially, it feels like that’s like some extra work to do that. But when you think about it, it’s actually an amazing thing because your email address is so intrinsically tied to you.

[20:02] Dave Smyth: People talk about personally identifiable information, things like your IP address or something that’s identifiable about you. And an email address gets bundled into that category, but it’s actually even more than that. Because if you have somebody’s email address, you’ve got a direct line of communication to them. And without getting into this other topic, something I’ve been thinking about for a while is how wild it is that newsletter operators, people like me, in every newsletter service there is, you can see people’s email addresses right there. And there’s almost no need to be able to see people’s email addresses. I don’t know if that makes sense. But it’s so easy to access people’s email addresses if you run a newsletter. And all you really need is aggregate data, really. And this is a way of people keeping a degree of privacy with their contact information but still registering for stuff. I suspect it will be a bit of a slow burn – the uptake on something like that – but the fact that they’re rolling it out, if they can make it super easy for people to generate these email addresses, that’ll be an absolutely incredible thing.

[21:12] Andra Zaharia: It does help a lot. And there’s one more thing that I started to use. Generally, I do not recommend that people sign in into various services and set up accounts using social logins. So, things like “Sign in with Google” and “Sign in with Facebook.” I generally think that is a bad idea because it gives you a central point of failure, which is what it’s called in cybersecurity. It basically makes you super vulnerable because if someone hacks into that particular account, then they get immediate access to all of the other accounts that are connected to it. And then our email is that central point of compromise. And what Apple has also rolled out is the option to sign in with Apple, which means that you can set up an account but they also don’t see your email address. For example, I use Notion but they cannot see my email address. I do have an account, it works just as well. I have no downside. I have two-factor authentication on and everything else. But they cannot see my email. So, that means that they won’t be able to send me emails unless I expressly sign up for something. And it makes it super easy to sign in. And it goes through all of the privacy steps that Apple has. That is exceptionally helpful and useful. And this is something that I would endorse and support because it’s much easier to protect one email or let’s say two inboxes if you’re the kind who likes to separate primary accounts from the rest, which I like to do. It is super simple to use, and it’s easier to protect that one thing.

[22:50] Andra Zaharia: So, prioritizing what you want to protect, what you want to keep private, I think that is the key to actually making a dent into this problem that we’re all trying to face, and an act of empathy towards yourself because you cannot secure all the things, you cannot protect all the things. It would be a full-time job. You probably don’t want to become a security specialist. If you want to, then that’s great. But most people don’t, and shouldn’t. So, prioritizing just like in life, just like at work, just like with anything else that requires our time and resources, anything that is self-empathy and a way to actually move forward and reap some results so we can see if this thing makes sense and is worth our time and energy.

[23:37] Dave Smyth: Actually, I’ve never really used the single sign-on with Gmail or Facebook or anything like that, mainly because I think maybe I did it once or twice and I instantly realized I could never remember which service I’d used to sign up. Now, I know it works. There’s a way for them to hook it all up at the backend. So, it doesn’t really matter what you sign in with, but still. If you’re using a password manager, you don’t have to worry about it then, actually. You just back up with your email address and your password. But what you’re talking about with Apple, that sounds like a really cool new way to access services and keep more privacy.

[24:18] Andra Zaharia: Yeah, hopefully. Because hopefully there will be many other conversations that we share together on so many other topics that we want to explore and help people wrap their minds around as well. But before we wrap up this particular conversation, I wanted to ask you, what are the ways where you’re practicing empathy as a developer, as a business builder because you relate so easily to other people who are building their businesses, and you’re supporting them with the right technology platforms, and advice, and the right custom stuff that they need. What does empathy look like for you in this particular context?

[24:59] Dave Smyth: I’m not sure if this would be a good answer. But I think trying to pitch these things or talk to people in terms of the benefits to them. We touched on this a little earlier. But rather than it just being “You should do this because it’s a good thing to do, or it’s the right thing to do, or you’re morally bankrupt if you don’t.” So, instead of taking this sort of approach with a stick, when we talked about analytics earlier, all these other benefits that come with switching. And for so many things, there are these benefits. You mentioned earlier, taking or having acts of empathy toward yourself. And something for them, for people to think about is, well, if I use a privacy-focused service and that gets hacked, I don’t have to worry about it. Or the possible implications of something like that. You’re reducing your exposure. And there are so many little things like that and ways to think about that aren’t necessarily obvious. But I think that’s really my answer is: trying to get people to see it in a way that kind of benefits them rather than it just being…

[26:09] Andra Zaharia: A nice to have.

[26:11] Dave Smyth: Yeah, exactly.

[26:13] Andra Zaharia: I think that’s super, super helpful. To me, I think, that is so important because if you get that aha moment, if you get that moment that flips the switch on this, it’s just that I think it’s called a differentiated perception. For example, you want to buy a new car, and then you start seeing that car brand everywhere you go. Once you start privacy, and security, and empathy, and that mix that they form together rises up to the top of your priorities and becomes top of mind, it’s so much easier to find alternatives to be open to the topic, to find the right advice, to soak it all in and use that to make healthier decisions that set you up for better business and a better, more sane life, hopefully, online because it’s unlikely that we’ll be able to fully disconnect ever from now on, unless we want to live in the mountains and raise goats, which is what I want to do when I get older.

[27:18] Dave Smyth: You’re totally right there. It’s like as soon as your ears have been pricked to it, suddenly it starts to become a consideration. And every time you’re choosing at all, it becomes a thing of what are the implications of doing this. So, it’s just raising that awareness in the first place, and then kind of takes care of itself from there, in terms of your interest, and at least you’re thinking of it.

[27:47] Andra Zaharia: And I hope that this conversation that we just had is that trigger and that thing for people, and I hope that many more will follow. So, thank you so much for sharing so much with us. I know that you have a wealth of information that goes far beyond what this conversation can cover. But hopefully, we’ll continue to have these talks and explore more of that. So, thanks so much, Dave.

[28:12] Dave Smyth: That would be great. Thank you. You’re the grandmaster pulling this all together.

[28:19] Andra Zaharia: Barely, barely. I’m just creating the space for us to have these conversations, and then we’ll see what happens.