Hacker News
Superhuman: Read Statuses (superhuman.com)
169 points by DVassallo on July 3, 2019 | 119 comments



No one who is outraged by this didn't know this was going on with almost every email tool out there. I don't understand how this manufactured outrage gets hyped, when literally every email tool in existence does this as standard practice. Every marketing email you get from a brand has this tracking. Every customer support email has this tracking. Every feedback form has this tracking. Every receipt for every purchase has this tracking. Every signup form for your kids' friends' birthday parties has this tracking. Every single pull request notification you get from GitHub has this kind of tracking. Go to your inbox right now, pick any email message and view the source. You will most likely find a 1px by 1px tracking pixel.

I imagine anyone who works at any company that uses any kind of digital tool uses this exact same method to track people, so why the outrage here? Go tell your marketing departments to turn off email tracking in Salesforce, or to stop the marketing team from running campaigns with tracking in them.


Story time! Recently, I've been thinking back to when lack of SSL was a huge, widespread problem on the Internet. This was back in the mid 2009-2010's, and at that point, one company in particular was lagging: Facebook.

So some random person made a browser extension that automatically collected the login credentials of everyone who opened Facebook on whatever public network you were connected to.[0] Then they publicly released it for free. Ironically, the very first comment in the article I link here is, "Okay, it's evil, but how is this news?"

But the Firesheep plugin was a really big influencing factor in forcing not just Facebook, but a number of companies to switch their entire sites to HTTPS.

The point I'm trying to make is not that you should go out and blow up the world to make a statement -- it's that it's possible for there to be a problem that's trivial to exploit, and that is regularly exploited by criminals and businesses, and that is widely known to be exploitable, and for some reason people will still ignore it.

But if it's personal, if your next-door neighbor or your weird coworker can suddenly start doing it, then something clicks and people realize, "Oh, this is actually a real problem."

There's no technical difference between what Superhuman was doing and what every other marketer is still doing, but people are weird about what exactly they're willing to care about, and if the Superhuman controversy can be used to direct some of that anger towards structural, useful goals, then is that really a problem?

I understand that sometimes the specific triggers that make people care are stupid, but my response to that is never to ask people to care less. It's already hard enough to make people care about things.

[0]: https://lifehacker.com/firesheep-sniffs-out-facebook-and-oth...


> But if it's personal, if your next-door neighbor or your weird coworker can suddenly start doing it, then something clicks and people realize, "Oh, this is actually a real problem."

What is "it"? Knowing I read an email they sent me? That's not what criminals and businesses are doing; criminals and businesses build extensive personalised profiles of who you are, what you like, what times you're active, where you go, who your friends, family and coworkers are and what your personal trigger points are all for the goal of exploiting you. They use email tracking as a single metric among dozens of others, and the way they evaluate the metric is completely different to how an individual would evaluate it. That data is usually then sold to other groups that do the same thing.

How is that anywhere even close to an individual with email read receipts?

I don't think anyone would say "this is actually a real problem" besides people manufacturing a problem out of nothing. I'm also willing to bet that 99.9% of the people that are outraged are totally willing to establish, work for, or implement an extensive user tracking system for a company that actually acts on malicious grounds (such as monitoring users or for the objectives of making sales).

This includes you - by the way - a quick look through your resume shows that every single company you've worked for heavily participates in tracking and the first personal website of yours I accessed at reset-hard.com includes Google tracking which is dozens of times worse than a "weird coworker" knowing you read an email they sent. This is literally contributing to a global database of user tracking which we know is used for malicious purposes.

> I understand that sometimes the specific triggers that make people care are stupid, but my response to that is never to ask people to care less. It's already hard enough to make people care about things.

When people care about the wrong things is when we end up with homosexuality being criminalized, prohibition or terrorist groups. So hopefully in this case - just like many others - people would focus their energy into things that actually matter. And personal email tracking is not one of them - and will never be.


We could break down each of your personal accusations: some of them are fair and some of them aren't. But you don't really care about any of that. You're not trying to make a point here beyond, "you're hypocritical and therefore your obsession over privacy is unimportant."

The only thing worth saying on that topic is that it matters very little what you (or anyone else) thinks of me, whether it be good or bad. I don't even judge myself that way; I only care about trying to be better tomorrow than I am today. Anything else is a waste of time. And certainly, my response when I encounter hypocrisy is to try and fix the hypocrisy. Not to throw up my hands and say, "well, I guess none of it matters then."

The above out of the way, I want to try and engage with the deeper argument you're making in good faith.

What you're missing here is that all of the business tracking and personalized profiles you bring up as the real problem are using the exact same technology as these read receipts. The point is not that read receipts are the worst thing in the world (although I think they're unhealthy and they show a lack of respect for the person you're communicating with). The point is that they illustrate the broader pattern of tracking in a form that regular people understand and emotionally connect with. That's a good thing.

The other thing you're missing when you talk about criminalizing homosexuality and prohibition is that pervasive tracking is a tool that allows powerful people to oppress less powerful people. Pervasive tracking outs people's sexual preferences, it allows companies to illegally target individuals based on protected characteristics, to advertise to people at their most vulnerable moments, and to exclude them from opportunities that they would otherwise have. Far from being a nothing issue, privacy is fundamentally tied to people's ability to express themselves without fear and to hide from companies, governments, and even individuals that want to harm them.

Fixing personal email tracking has a pleasant side effect of also fixing the tracking that happens in both phishing and corporate emails as well. Like you quoted:

> I understand that sometimes the specific triggers that make people care are stupid, but my response to that is never to ask people to care less. It's already hard enough to make people care about things.

Yes, sometimes people can be encouraged to care about things that are actually unimportant, or even outright wrong. But privacy isn't unimportant; privacy is an essential tool to help protect individuals and marginalized groups from mobs, governments, companies, and individuals that don't have their best interests in mind.


My point is that this is manufactured outrage from people who don't actually care. They're just caring because it is today's flavor of the day. There are real steps people can take to support user privacy but they don't do them. People happily and voluntarily engage in objectively worse conduct for privacy day-to-day. This includes myself too -- my employer had me add not one but two separate tracking scripts on my company's homepage. I "care" about privacy yet here I am participating in stripping it away from people.

> using the exact same technology as these read receipts

What technology people use doesn't matter, what matters is how they use it. If I were to implement a system that tracked actions users do in a way that was ethical and completely not personally identifiable, then it doesn't matter - there is no problem, regardless of what technology is used to do it.

> Fixing personal email tracking has a pleasant side effect of also fixing the tracking that happens in both phishing and corporate emails as well

I don't think so. At all. This is like banning plastic straws to save the planet.

It is mutating what is basically a porch security camera into a discussion on oppressive government surveillance. The two are not the same. Personal email read receipts have almost no bearing on privacy at all. This is perhaps the point that is being missed by most people.


So, there is a part to this argument I agree with -- which is that getting mad exclusively at Superhuman ultimately accomplishes very, very little. Because you're right, this is absolutely everywhere, and literally every non-personal email you get has these same trackers.

My hope with this whole controversy of the week is that it leads people to disable loading remote images by default, and it leads email providers to change their default settings. I don't want to see people riled up just for anger's sake -- I want to see that anger directed towards making changes that help with the entire spectrum of email pixel trackers.

This is where I think we disagree:

> What technology people use doesn't matter, what matters is how they use it.

You make a good point that Superhuman isn't doing anything unique, and you make an (arguable) point that what Superhuman is doing isn't even that bad on its own terms.

But if you have to trust companies or 3rd parties to be responsible with a technology, you're still leaving yourself open to less ethical attackers. The safest fix is to get users onto platforms where no one can track them, even if those trackers are deployed in responsible ways.

Think of it this way -- you make a completely reasonable assertion that including Google Analytics on a web page is a personal violation of privacy[0]. When I get around to removing Analytics from Loop Thesis, that will be an improvement. But I'm not under the illusion that doing so will affect anyone other than my visitors on my site.

There are two steps to this process. One is to be personally responsible about what we do. The other (equally important) step is to empower users such that they don't need to rely on us being responsible -- by encouraging them to install ad blockers, by building browsers that resist fingerprinting, and so on. I want to respect people's privacy, but more than that, I want them to be private regardless of whether or not I'm trustworthy.

Encouraging products like Gmail or Fastmail to block images by default is not the biggest step in the world -- it certainly doesn't fix everything. But it is a step, and it makes things slightly better. There is no short checklist to fix omnipresent surveillance; it's a long, arduous road where we hope that things gradually get better over time. The outrage over Superhuman will be beneficial if it encourages some people to change a setting in their email clients that they didn't know existed.

[0]: https://gitlab.com/danShumway/site/commit/c294dc81ae330ec432...


Fair point, the last thing I want to do is make people care less about privacy. I will say the one difference here is I think there are a lot of people who use this tracking for their day to day job, so it's not just a random gray hat who is exploiting ignorance; in this case there are hundreds of thousands of people who are using this daily.


Yeah, people use tracking in their day to day jobs in specific contexts. The reason this generated so much outrage is that it’s not the expected behavior (thank God) for all business emails to contain tracking pixels.


There’s a big difference between a tracking pixel in a bulk marketing email and read-receipting direct, personal or business emails.

Also this so-called “manufactured outrage” was started by a product VP at InVision. The call is coming from inside the house on this one.


There's less of a clear line between bulk and "business" email than you might think, particularly prospecting email. Looks 1:1 in terms of content, but is sent in bulk and has tracking pixels.

But other than that, I agree. From a privacy perspective, there's some advantage to just being one row of millions in the marketing database; it's the aggregate behavior that they care about, not individual.


Exactly. And it's not just marketing emails.

The dichotomy between "marketing tracks, 1-to-1 emails don't" is false. There are hundreds of millions if not a billion installs of people using tracking for 1-to-1 email.

Sales people use dozens of prospecting tools like Outreach.io, Salesloft, etc. for tracking.

Likewise, millions of individual consumers use tools like Gmelius, Mixmax, Streak, etc.

This feels like either manufactured outrage or willful ignorance by a community of supposedly technology-savvy people who should know better.


That’s disingenuous on a lot of levels.

First, tools like Streak have been criticized for years. And something like MixMax which is sold as an email marketing platform thing is scuzzy and gross, but it’s fairly clear to the person signing up what it’s for and that it’s for people who send out bulk email for marketing purposes.

Superhuman sells itself as an email client for professionals — it sells itself in similar ways to how Mailbox was presented before the Dropbox acquisition.

The investors and sycophants defending this product might say that it’s clear to everyone that this is just an email tool for marketers, but that’s not how its own webpage sells it. If anything, this is selling itself as an email tool for VCs or people doing biz dev.

And maybe every person doing M&A uses tracking pixels, but that seems like a stretch. And for there to not be an ability to turn the feature off (until the outrage), says a lot to me about the core values that went into designing this product.

I would never pay for something like this or for Streak. I understand that emails I get from a marketing company or a newsletter have tracking pixels. I’m savvy enough to know others might send them too. But I will absolutely push back on the idea that it’s the expected behavior for all or even most emails, let alone willful ignorance.


Email tracking is wrong, and personally I have gone through many steps to try and keep myself safe from it. That being said, you are incorrect if you think this is limited to Marketing and Sales. Literally every E-mail in my inbox when I wrote my initial comment had a tracking pixel. GitHub uses tracking pixels when they send you notification of Pull Requests. Square sends tracking pixels for receipts. Every notification I had in my inbox was accompanied by a tracking pixel. Superhuman isn't even the first client to do this. I know that Nylas and Mailbird both had it and I couldn't even figure out how to disable them in Newton Mail on Android. To say this is somehow about Superhuman is to deny the problem; this is an industry-wide problem that everyone is culpable for.


You’re talking about transactional emails — Superhuman isn’t a client for sending transactional mail (that’s automated anyway), it’s a normal email client.

It’s disingenuous to conflate transactional or marketing email tracking with a manual, non-automated email one person sends to another. Yes, I’m sure plenty of people track those emails, that doesn’t make it common or the expectation from a sender. The fact that there is this much upset about this proves that this isn’t the expectation.


> this didn't know this was going on with almost every email tool out there.

Which email tool was doing this? If I install cloudHQ email tracker, mixmax, streak, Gmelius tracking, Cloud hq autobcc to Salesforce, then I do this for marketing or sales. So these are CRM utilities...

But I do not expect that my email client which is promoted as "THE FASTEST EMAIL EXPERIENCE EVER MADE" has this creepy feature enabled by default.

Anyway, Superhuman seems to be a CRM (maybe a good one - I'm not sure) and it is not an email client. That is the difference.


A lot of people genuinely didn't know about pixel tracking in emails until they read about it in recent coverage. I agree that Superhuman is being somewhat unfairly singled out here, but that doesn't make the outrage "manufactured".


Everybody knows that the government, three letter agencies, shady marketers and unscrupulous businesses will try to track them or do what would be considered as nasty and evil.

I think the distinction here is that Superhuman put that power (with location information) in literally everybody's hands by default (the wrong default, if one could even consider this as a switch). So someone who normally would be paranoid about a stalking ex would've taken other precautions but wouldn't have guessed that this would be so easy (yes, there are many ways people can personally track others, including using phishing and other covert methods).

So the "manufactured outrage" here is more akin to, if I may be completely hyperbolic for a moment, making it easy for anyone to buy assault weapons or nuclear weapons, when everybody knows that those with evil intentions for the masses (like terrorists) would be able to get them easily anyway.


Put me in the camp that this is not out of the ordinary for what most marketing emails are already doing. Also put me in the camp that it's unacceptable.

My takeaway is that Superhuman is a scuzzy company that I want nothing to do with, but my takeaway is also that Superhuman backing down doesn't really solve the problem. Everybody does this -- and I don't care if Superhuman is worse than everyone else, none of it is acceptable.

An immediate partial solution is for us to push very hard for email providers not to load remote images by default, and (better) for image providers to load remote images one-by-one, rather than in a single batch (which would make it less likely that a user will accidentally turn the tracking pixel on with a single click). An email provider loading images by default should be derided the same way that loading a blog post over HTTP currently is. Have good defaults that protect your users. There should be a swath of email providers on Twitter right now reassuring their customers that tracking pixels won't get loaded by default in their clients.

If you're upset about this, I don't want you to be less upset. But I want you to think about being also upset about stuff like Amp for email, which will make it even easier for companies to pull this crap. I want you to also be upset about email providers that don't turn off images by default, or that don't do any background caching to obscure IP addresses.

There's a large number of obvious improvements to make in this area, and a lot of discussion to be had about non-obvious improvements. If people are only mad at Superhuman, then the overall machine will continue as normal, and all that anger won't actually accomplish much in the long term.

Superhuman is calling this a critical feature, so they're not getting rid of read receipts. My perspective is that their business model is built on a technology that shouldn't work. They're speculating whether there could possibly be a technology to support consent. I couldn't care less about theoretical consent technologies, I want their entire business model to stop existing.
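
The "don't load remote images by default, and unblock them one by one" behaviour argued for in this thread, sketched as an added example (not part of any comment, and not any mail provider's or client's actual code). The message, addresses and URLs are constructed, the function and class names are hypothetical, and only `<img>` tags are handled; CSS backgrounds and other remote content are out of scope here.

```python
import html
import re
from email import message_from_string, policy
from html.parser import HTMLParser

REMOTE = re.compile(r"^\s*(?:https?:)?//", re.I)          # http(s) or protocol-relative
TINY = re.compile(r"^\s*[01]\s*(?:px)?\s*$", re.I)        # width/height of 0 or 1
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"
                    r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)


class RemoteImageBlocker(HTMLParser):
    """Re-emits the HTML unchanged except for remote <img> tags."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.findings = []  # (url, looks_like_tracking_pixel)

    def _tag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag != "img" or not REMOTE.match(src):
            self.out.append(self.get_starttag_text())   # local/cid: images pass through
            return
        pixel = bool(TINY.match(a.get("width") or "")
                     or TINY.match(a.get("height") or "")
                     or HIDDEN.search(a.get("style") or ""))
        self.findings.append((src.strip(), pixel))
        if pixel:
            return  # invisible image: nothing for the reader to unblock, drop it
        # Visible remote image: keep the URL in an inert attribute so a client
        # could offer a per-image "load" action instead of one "load all" button.
        alt = html.escape(a.get("alt") or "remote image")
        self.out.append(f'<img alt="[blocked: {alt}]" '
                        f'data-blocked-src="{html.escape(src.strip())}">')

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def block_remote_images(raw_message):
    """Return (safe_html, findings) for the HTML body of an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return "", []
    parser = RemoteImageBlocker()
    parser.feed(body.get_content())
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample message: one visible remote image, one 1x1 remote image,
# and one inline (cid:) image that needs no network request.
SAMPLE = """\
From: sender@example.com
To: you@example.org
Subject: Quick question
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi &mdash; did you get my last note?</p>
<img src="https://img.example.com/logo.png" width="120" height="40" alt="Logo">
<img src="https://track.example.net/open?id=constructed-0001" width="1" height="1">
<img src="cid:signature" alt="sig">
</body></html>
"""

if __name__ == "__main__":
    safe_html, findings = block_remote_images(SAMPLE)
    for url, pixel in findings:
        print("tracking pixel (dropped):" if pixel else "remote image (blocked):", url)
    print(safe_html)
```

A sender can still make every visible image unique per recipient, so the size check is only a heuristic for what to drop outright; the protection comes from not fetching anything remote until the reader asks.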


Just to follow up on this, I currently use Fastmail for email. I like Fastmail, a lot.

But why doesn't Fastmail block remote images by default? Yes, they have a setting, but why isn't it turned on for new accounts? If I tell my parents to sign up for Fastmail, I don't want to have to worry about whether or not their default settings are safe.


FastMail does block (well, decline to load) remote images by default: https://www.fastmail.com/help/receive/remotecontent.html

If you aren't using FastMail's webmail, it's your email reader's responsibility. FastMail quite reasonably doesn't rewrite email content.


Is that new? I set up an account maybe a month ago, and when the Superhuman story broke, that was my reminder to check my settings in the webmail client. It was set to load all images.

It's possible I would have turned that on by mistake, but only if I really wasn't paying attention.

Edit: I just set up a brand new trial account and checked, and the webmail client is definitely set to load remote images by default. If that's not intended, maybe it's a bug that needs to be fixed.


I'm not sure. I've been a FM customer for years and don't remember what the default was when I signed up, so I'm just trusting their docs.


Remote images have always been blocked for me by default in the web client. I've been a customer for a couple years now.


gmail does this too.

(which just means you've chosen to leak your privacy to Google instead of Superhuman...)


I'm not a fan of Google, but to me leaking your privacy to a mail provider you chose to sign up for belongs to a different privacy category.

It's very good that Gmail proxies images, it's one of the few features that I wish everyone else would copy. Now, on the other side of that, unless their policy has changed since the last time I checked, Gmail still loads images by default and it doesn't cache them, it only proxies them.

So it's good that Gmail obscures your IP address, it's bad that Gmail still loads images from remote servers by default when you open a message, and it's bad that it will reload them every time you open it in a new client/environment instead of serving them from a Google cache.

Read receipts do work in Gmail, and Google should be shamed for that. I didn't call out Gmail in particular because I don't think Google cares about privacy enough to change anything. I'm hopeful smaller companies like Fastmail might.


> Read receipts do work in Gmail, and Google should be shamed for that.

Work how? There's a responsible way to handle read receipts (where the client notifies you the remote side would like a read receipt, and offers the choice to send it), and if it's done in that manner, I'm not sure why they should need to be shamed.

I'm not sure what Gmail does, but I see stuff when searching about how to configure it for G Suite accounts to always/never/selectively respond, and about how to disable Gmail's nagging about it, so I'm not sure of the current status.


> unless their policy has changed since the last time I checked, Gmail still loads images by default and it doesn't cache them, it only proxies them.

That's a read receipt, in practice if not in name. I put a unique tracking pixel in the email, and when you open the email by default Google proxies it from my server. It's uncached, so unless the browser itself decides not to re-fetch it, I'll also know whenever you reopen the email.

Google also allows you to request a read receipt the responsible, official way that you're thinking of, but why would I ever use that feature when I can just give you a tracking pixel instead? The responsible read receipts require consent, and tracking pixels don't.

Again, I haven't checked Gmail's default settings in... probably years. So maybe this has changed, and it doesn't load images by default anymore. But any client that loads images by default has non-consensual read receipts, and they should be shamed for that.


> Google also allows you to request a read receipt the responsible, official way that you're thinking of, but why would I ever use that feature when I can just give you a tracking pixel instead? The responsible read receipts require consent, and tracking pixels don't.

Read receipts (as opposed to email tracking through images, let's not overload terms here) have the benefit that they might be returned by clients that don't load images by default. That's probably a relatively small portion of clients, but it is only one setting change away on Gmail.

> Again, I haven't checked Gmail's default settings in... probably years. So maybe this has changed, and it doesn't load images by default anymore. But any client that loads images by default has non-consensual read receipts, and they should be shamed for that.

A client that loads images by default does what 99% of people desire. That Gmail does so in a safer way than many others is a good thing, and maybe shame is a strong word for transparently making people's default behavior slightly safer while doing what they want (showing emails as they were visually intended and looking nice).


Are you certain Google fetches all images on opening a message? I have not verified this recently, but when they launched the feature to not show images by default they made the privacy argument that it would defeat these trackers…


I'm not certain.

I know that at launch it only obscured your IP address.[0] I don't know if they've changed the default behavior since then. Of course there is a setting to disable images -- maybe in recent years they've switched it to being on by default. Someone other than me would need to confirm, since I've had my images turned off for years now.

[0]: https://blog.filippo.io/how-the-new-gmail-image-proxy-works-...


This article seems to confirm my memory:

“Note: you can turn automatic loading off and gain the privacy benefits of the proxy anyway.”

Not a panacea because sometimes you just need to see the images, but most of the time I never actually need any included images.


The primary worry was about showing info to other users, not to the service itself. As in, Google or Superhuman or an ad agency knowing where you are and when you read is not dangerous. Individual people who want to harm you are.


Proton mail blocks by default.

Although there is of course nothing to prevent the email sender from putting some relevant or interesting content within an image which would then encourage me to load the remote data.


> An immediate partial solution

Why is this a partial solution? Tracking is only possible because receivers' MUAs do a wrong thing. If the technology makes tracking impossible (except for various hacks/exploits), then the whole problem is resolved.


You still have user error to consider -- a user might deliberately choose to load all images by default, or they might click "load all" from the email settings without thinking.

Arguably, this is their own fault at that point, but I'm not sure it's reasonable to expect them to understand the risks. This is why I would prefer click-to-display on each individual image instead of a "load all" button.

Even that isn't necessarily perfect, but it does take you a long way.

An even better solution might be for the email provider to preload images when the email is delivered (not opened), and then either serve them from an online cache when you opened the email, or inline them into the message itself. However, now you're talking about rewriting emails, and I can understand why people might not want that -- it comes with its own set of downsides. It would also probably increase operating costs as well, I assume.


Click to display cannot solve this completely; it will change general practice from using one tracking pixel to making all images tracking. Although it could work for text emails with just a tracking pixel.


Honestly: This was... pretty fast, the response is not just a statement of belief, but a clear list of changes they intend to implement quickly, and I really have no major complaints about how they've handled this.

If someone wants to use tracking pixels, they'll find software that does it, so I'm really okay with them keeping the feature in... with the removed location information. (I am going to block it anyways, let's be honest.) And most importantly, they recognized the power of defaults for setting how people tend to behave. Making the feature non-default will crater its use percentage across their customer base.


> the response is not just a statement of belief, but a clear list of changes they intend to implement

Sure. But it's also an indication of what their team thought "this is fine!" about, before an internet shitstorm rained down upon them.

In my mind they're always to be suspected of being either naive or actively evil in their use of personal data.

Anybody who launches "a powerful business tool", and then later tells us "We did not consider potential bad actors. I wholeheartedly apologize for not thinking through this more fully." is not someone I'd want running _my_ business tools. I'm now wondering if they considered "bad actors" finding their open MongoDB databases on Shodan? Or their public S3 buckets with their backups? Or their production API keys and secrets in their public GitHub code? Or all those other mistakes that everybody goes "but nobody except idiots would do that!" and yet we read about it multiple times per week anyway...

Maybe these guys have a great Email tool. I strongly doubt they have an entrenched culture of "considering bad actors" and appropriately investing effort and securing all the non customer facing infrastructure...


To be honest, I would suspect a large percentage of tech startups had failed to consider bad actors until the last year or two.

Don't get me wrong, it's not perfect, but I've seen far too many companies respond to controversy with how they care and will think about how to make things better, while not making any significant changes at all. This is a big step above that.


"Recipients of emails cannot opt out....I would love to find better technology to solve this problem."

How about...put a notification of tracking in emails that contain it rather than making it invisible and then include an opt out link? That seems....not hard.


It doesn’t seem to me like a problem worth solving. What’s so bad about sending an email and trusting that the recipient will get around to it? Send a follow up email if you need to. Or use old-fashioned read receipts (which depend on the recipient to enable them).

Tech shouldn’t really be creepy by default, nor should it really establish needy/clingy behaviour, which is what I think non-consensual read tracking tends towards.

I mean, personally, I would consider it a significant invasion of my privacy if anyone who sent me an email knew when I opened it and, roughly, where, without me knowing.

The problem with the internet and tech companies now is that there is an established pattern of you being able to consent on behalf of other people purely by virtue of giving access to your contact list, or using a certain mail client. You are giving away their data, not your own.


Meh. I'll risk the downvotes and say that I fully support tracking pixels in emails.

One of the reasons I use WhatsApp heavily is the read statuses. A single checkmark underneath the message means it was sent. Two checkmarks mean it was delivered. When the checkmarks turn blue, it means the recipient read the message.

I love, love this feature. If I could wave a wand and instantaneously make it standard for ALL methods of communication, I would do it in a heartbeat.


Conversely, I would gladly push a button to make such tracking technically impossible. The idea that sending me an unsolicited message entitles you to any information about my activity is absurd.


> The idea that sending me an unsolicited message entitles you to any information about my activity is absurd.

What about for solicited messages? Just curious.


I think read receipts solved this problem already. If you want someone to know when you open their messages, enable it. Disable it and they don’t find out. If you want to improve that setup, enable read receipts for a whitelist of contacts. People who you do want to notify when you open their message.

I think a mistake was made when some messaging apps turned it into an opt-out and also made it punitive, in that opting out would mean that other people’s read receipts would be disabled.

I don’t think it would be so bad if every single data point wasn’t hoovered up and sold to third parties. They’re probably using this read status feature to measure engagement and decide how to target more ads. They can infer a lot: who you respond to quickly, who you don’t... who is intimate and who is an acquaintance. Who is important, who isn’t.


If I want someone to know I've received their email, I can do so by replying. Also, I turn on read receipts for a few of my iMessage friends. I would consider doing the same for some of my email contacts if it were possible.

But I don't like non-opt-in "features" like Messenger's activity indicator. It is no one's business when I was last on FB, or if I have accessed it via computer or mobile.


I pretty much agree with you.

However, given that I'm extremely doubtful that SuperHuman will remove the feature completely, I'm going for what I consider a minimum standard of decency: disclosure and the ability for recipients to opt out.


I casually proposed[1] a vendor-agnostic, free Web service and API for any email address to opt out of open tracking/read receipts. Imagine Gravatar but for obtaining an email recipient's preferences via an API.

Obviously this would depend on whether a sending app decides to honor it, but responsible senders would have a harder time justifying ignoring it.

[1]: https://twitter.com/troyd/status/1146554065553256448, https://twitter.com/troyd/status/1146561165687869440


How would that improve upon the existing MDN [1] system which relies on the client?

[1]: https://en.m.wikipedia.org/wiki/Return_receipt


Good question. I don't think they're mutually exclusive. It seems like existing client-side options don't cover these 3 uses that a third-party service might:

1. A recipient-specific "Do Not Track" option could apply to recipient-specific link/click tracking, not just open tracking.

2. Ideally, all email clients would have an option not to load images by default, but based on the comments in this thread, some don't. One popular example seems to be [Gmail for iOS](https://support.google.com/mail/answer/145919?co=GENIE.Platf...): "Images will always appear in the Gmail app on your iPhone or iPad."

A third-party service could give some control to users of clients without this feature. (Whether the responsibility belongs on the sender, the recipient, or both is totally debatable and in practice, not very relevant. For all stakeholders, the goal is to communicate in a way that satisfies all parties well enough to keep communicating. Recipients have been at a disadvantage due to lack of information, and as their awareness increases, their expectations will rise.)

3. Right now, there's no way for companies which actually care about privacy and/or recipient preferences to stand out from those which don't, or which don't yet claim to. This would be one of few ways to discern white/light grey-hat senders and mail delivery services from dark grey/black-hat ones.


This is a good idea.


That allows you to opt out only after having had your first open tracked. Presumably a technological solution would allow the client to opt out of even that first pixel (hopefully while not having to opt out of displaying non-tracking images.)


Maybe Superhuman could delete the tracking info it gathered when you opt-out


And we should 100% trust them to do that, because they've demonstrated responsible stewardship of user data so far. Or not.


Ya, that makes my proposal imperfect, however I contend that it would be a huge improvement over the status quo.


How about you include an opt in link? If the service is so valuable then this should be fine.


Make it opt-in with a link on the first email sent to that address?


Neither is an initial request for consent from the recipient.

He could benefit from consent training.


I'm not sure more "Agree to do X with my data" popups are the right direction to move in.


Once the email is opened, you can't opt out of being tracked.

You could opt out of future emails I suppose, but there's not really a way to stop this. Nothing stops me from embedding my own tracking pixel in the email either.


I am pretty sure that opening an email in a client that is configured to load remote images is consent. After all, it’s your own computer, configured by you, that is sending your IP address to the sender of the email. It is entirely opt-in, just like the use of email in the first place.

If you don’t want that to happen, configure your computer to not do that. Same thing for storing cookies.

The thing that really troubles me is that in this new app-based world, these sorts of options are slowly becoming extinct.


There is no universe in which “side effect of technology I do not fully understand” would be considered consent.


The medical one? I don’t think most people understand the full implications of most medical treatment choices they make, but they still opt for them, and we still call it informed consent.


Are users responsible for any other piece of machinery they purchase that they don’t fully understand?

The very fact that you can choose different web browsers, some that accept and save cookies and some that don’t, or different email clients, some that load remote content and some that don’t, means that the user made a choice.

They purchased hardware that they chose, they installed and configured apps and services that they chose, or that came preinstalled on the hardware that they chose.

I would venture a guess that most consumers do not opt to fully understand the consequences of their consumption choices, sure. But that doesn’t mean that their choices, or the consequences thereof, are any less their own. Ignorance of the consequence of one’s choices is itself a choice.


I doubt very much anyone would consider it informed consent. I doubt 1 in 100 users understand the implications of email image urls or ip geolocation.


Just have a button that links to the superhuman account in the email to opt out. Like tapping on unsubscribe.


Honesty? This is tech. This is business. You're speaking a foreign language to both.


Discussion yesterday of controversy: https://news.ycombinator.com/item?id=20336762

Highly visible blog posts are indeed the best way of effecting change, although the investors who were criticizing the original article now look very silly.


Yes, not even a few hours ago a VC at Founders Fund tweeted “...there's a strong correlation between the people outraged by privacy and the people that I think are dumbasses in the valley.”

Source: https://twitter.com/zebulgar/status/1146430814374117376?s=21


Amazing to find a VC who not only isn't concerned but actively derides concerns around privacy. Maybe he has a terrible personal opinion (in my opinion), but this seems like a poor perspective from someone who should be worrying about existential threats to companies. Someone should tell the US Senate that "capitalism baby" is an appropriate response to privacy violations!


Good to know that Founders Fund thinks human rights are stupid, and therefore should be avoided at all costs.


I don't think Superhuman should have caved to this criticism as quickly as they did. Good that they kept the feature, albeit dumbed down. People pay for a power user email client because it's exactly that - a power user tool, which should be fully featured. If you remove read receipts then there are a whole host of other email clients that will gladly give you that feature (bye-bye revenue). Is someone going to write a Medium post calling out each of these companies too? There is also a bunch of companies that aren't primarily email clients - like CRMs (Pipedrive etc) that offer this feature out the box, as it's exceptionally useful for sales teams.

If there really was such mass hysteria regarding read receipts in emails (WhatsApp has it by default too?) then it should be your email provider that should be leaned on to secure their system. Google has known for a very long time about this, and has changed the loading of images to stop location tracking, presumably the only thing they actually think is controversial with read receipts.


Read receipts for email are the worst. Groupwise shops used to often have an awful culture about waiting on/complaining about when mail was opened.


Now the CEO is getting praised on Twitter but this doesn’t address the main complaint which is the read status itself. Yes, location made it worse, but that data was mostly bunk anyway because Gmail (and probably others) will show the location of the Gmail server and not the user themselves.


It does address it. He specifically says that it is table stakes for his software and that they are leaving it in. You may not like that but it is addressed.

Personally I like that response, though I think they have legal problems in some jurisdictions. They didn’t try to weasel word their way out.


You can still get location data from any email on an external mail client (mail.app, Mail app, etc with images loaded). Gmail only proxies images in the browser client (and maybe the mobile app?).


It's remarkable that he was able to quantify the demand for his feature: "at the time of writing only 32 out of 26,000+ requests [was for turning off Read Receipts]".

There's a lot of Superhuman skepticism in the comments, but their CEO owned the decision and responded quickly. If you assume good intent, it's remarkable in its comprehensiveness, transparency, and speed.

If you don't, well, you probably wouldn't be satisfied by anything other than ripping the feature out. Which wouldn't make sense for the business given the demand from its primary customer segment.


> It's remarkable that he was able to quantify the demand for his feature: "at the time of writing only 32 out of 26,000+ requests [was for turning off Read Receipts]".

A company managing customer feature requests is suddenly remarkable? For a tool aimed at professionals? I would take that as par for the course.


It's remarkable to track 26k requests. That's non-trivial. Especially with the ability to drill down to a single feature request.

I know this is non-trivial because I run a business that helps product teams do this. I talk to PMs at companies you've heard of and probably use that struggle with this.


I don't know what tool they use to get user feedback, but it would be trivial for me to find out how many user requests we've gotten for a feature like read receipts: just do a search for "read receipts" in our contact email inbox. Might it miss some requests that didn't have the exact phrase? Yes, but it's in the CEO's interest to have a count that is very low, since he's trying to say that their users haven't asked about this much.

So it might be hard to get an exact count of how many people asked for some feature (particularly if it doesn't have an agreed-upon name, like "read receipts"), but if you're just looking for one phrase and don't mind erring on the low side, this should be a pretty easy exercise.


Or on the high side: “read receipts are awesome!”

I think my broader point stands: given their 26k requests (which you can’t figure out using your method) it’s impressive to know that N of them are for Y feature.


"I am so very sorry for this. When we built Superhuman, we focused only on the needs of our customers. We did not consider potential bad actors. I wholeheartedly apologize for not thinking through this more fully."

Rare to hear such honesty from a CEO. I don't think I've ever seen a corporate leader admit they didn't consider product security. Concerning? Maybe - but I think it's miles better than the usual "we value your privacy and use industry standard blah blah blah.." canned spiel everyone gets in their inbox after a breach goes public.


> "I am so very sorry for this. When we built Superhuman, we focused only on the needs of our customers. We did not consider potential bad actors. I wholeheartedly apologize for not thinking through this more fully."

> Rare to hear such honesty from a CEO. I don't think I've ever seen a corporate leader admit they didn't consider product security. Concerning? Maybe - but I think it's miles better than the usual "we value your privacy and use industry standard blah blah blah.." canned spiel everyone gets in their inbox after a breach goes public.

A company that has access to your email did not consider bad actors, and that is a "maybe" of a concern for you?


Perhaps I should have included the full context:

"1. Location data could theoretically be used nefariously

This criticism is the most severe. Upon reading the commentary, I have come to understand that there are indeed nightmare scenarios involving location tracking. I should note that we deliberately do not show cities — we only show states or countries — but a determined attacker could still misuse this information.

I am so very sorry for this. When we built Superhuman, we focused only on the needs of our customers. We did not consider potential bad actors. I wholeheartedly apologize for not thinking through this more fully."

This isn't a case of them having invalid SSL certs or improperly validating data sent to an endpoint. This is them building a feature that could have been used in bad ways and not realizing it. To that end, I am not very concerned about product security in this instance, because I have no reason to not trust their honesty.


Super on brand response: personal, quick, and well thought-out. Kudos to the team for their ability to handle a crisis.

On the topic of read receipts, I'm glad this is opening up a broader discussion about (pretty common) industry practices that track individual user activity across the web. IMO this will be a whole set of behaviors that will be viewed as having been on the wrong side of history:

We'll look back in 50 years and wonder why we would have ever legally let so much invasive tracking technology into our lives (we didn't know! but everyone was doing it!).


It's tracking without consent, plain and simple. Forcing users to choose between HTML email and being tracked is nefarious. Users by default do not assume they're being tracked. Just like unsub, highly visible opt out of tracking should be the law. Morally there's no question.


The technical solution to tracking pixels isn't to disable remote image loading, it's to load all remote images when receiving the mail over SMTP, and embed them in the mail. That way the sender gains no information whatsoever that they didn't already get from the SMTP exchange.
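A sketch of the delivery-time inlining described in the comment above, added here as an example and not part of the thread or any mail server's code: every remote `<img>` is fetched once by the receiving side and embedded as a `cid:` part, so opening the message later makes no request to the sender. The function name, the `fetch` callback, the size cap and the sample URLs are assumptions; the sample data is constructed and nothing touches the network.

```python
import hashlib
import re
from email.message import EmailMessage

# Quoted http(s) <img src> only; unquoted src, srcset and CSS url() are not covered.
IMG_SRC = re.compile(r"""(<img\b[^>]*?\bsrc\s*=\s*)(["'])(https?://[^"']+)\2""", re.I)
MAX_BYTES = 512 * 1024  # assumed per-image size cap


def inline_remote_images(msg, fetch):
    """Embed each remote image as a cid: part. Returns the URLs that were inlined.

    fetch(url) returns (bytes, content_type) or None. The URLs are chosen by the
    sender, so a real fetcher needs a timeout and must refuse internal addresses.
    """
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    images = {}  # url -> (cid, data, subtype), or None when the fetch was rejected

    def rewrite(match):
        url = match.group(3)
        if url not in images:  # fetch each distinct URL exactly once
            got = fetch(url)
            if got and got[1].startswith("image/") and len(got[0]) <= MAX_BYTES:
                cid = hashlib.sha256(url.encode()).hexdigest()[:16] + "@inlined.invalid"
                subtype = got[1].split(";")[0].split("/", 1)[1].strip()
                images[url] = (cid, got[0], subtype)
            else:
                images[url] = None
        entry = images[url]
        # On failure blank the source instead of leaving a live remote URL behind.
        new_src = f"cid:{entry[0]}" if entry else ""
        return f"{match.group(1)}{match.group(2)}{new_src}{match.group(2)}"

    new_html = IMG_SRC.sub(rewrite, html_part.get_content())
    html_part.set_content(new_html, subtype="html")
    for entry in images.values():
        if entry:
            cid, data, subtype = entry
            # Turns the HTML part into multipart/related on first use.
            html_part.add_related(data, maintype="image", subtype=subtype, cid=f"<{cid}>")
    return [url for url, entry in images.items() if entry]


# --- constructed sample input ---
SAMPLE_HTML = (
    '<p>Hi</p><img src="https://img.example/logo.png" alt="logo">'
    '<img src="https://t.example/open/msg-7f3a.gif" width="1" height="1">'
    '<img src="https://t.example/gone.gif">'
)
REMOTE = {  # stands in for the network; the bytes are placeholders, not real images
    "https://img.example/logo.png": (b"\x89PNG-constructed", "image/png"),
    "https://t.example/open/msg-7f3a.gif": (b"GIF89a-constructed", "image/gif"),
}
FETCHED = []  # every URL the fake fetcher was asked for


def fake_fetch(url):
    FETCHED.append(url)
    return REMOTE.get(url)


def build_sample():
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Hi")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    return msg


if __name__ == "__main__":
    sample = build_sample()
    print(inline_remote_images(sample, fake_fetch))
    print(sample.get_body(preferencelist=("html",)).get_content())
```

The one request per image is made from the receiving server at delivery time, so the sender's log shows that server's address and the delivery time rather than when or where the recipient read the message.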


Can't believe the amount of jabronis here saying "what is the big fuss, everyone tracks everything anyways".

Companies (and individuals) should act ethically and in good faith, regardless of what others do. So, if you have a chance to improve something, you should do it. Make a superior product that also doesn't track users without explicit consent. Superhuman definitely acted the right way with this decision.


Some food for thought: Imagine how crazy it would be if we would have these tracking devices on real life physical mails, you'd get a letter in the mailbox and you open it and read it. Without you knowing the sender has put a tiny device in there to track whether you opened it or not.

When framed like this, I can't help but feel we are all kind of crazy on the web!


You used to send sealed letters with the reasonable expectation that it would arrive intact and unread. Now everyone[1] sends the equivalent of a postcard - the vast majority of which are actually read/scanned by the entities doing the delivery.

[1] apart from the weirdos who use encryption


Shot in the dark, but could tracking pixels fall afoul of wiretapping laws? It's a single bit of information, but it is a 1-bit recording gathered without the other party's consent.


Tracking pixels have been a normal part of the email ecosystem for more than 20 years. If an esoteric use of the law was going to stop it it would be done by now.


Tracking pixels have been complained about for a long time too. There are actual real people who have actual real physical problems with being tracked and their law says they have freedom to privacy but it's normally violated.


We should leave Jim Crow voting laws in place because they have been a normal part of the electoral system for 150 years.


This is basically what GDPR is designed to stop.


That’s not reusing old law, that’s a law designed purposely to stop this.


That single bit carries a lot of potential information with it:

- location
- time when the person is active, i.e. does the victim use computer at 11pm?
- mail client used
- potential to connect user with other services using ip/MUA tracking


When these things happen, to me the more important thing is what will leadership do to change the thinking that led to the problem. Issuing a patch is a solid step, but it's a symptom that points to a need for change in how features are vetted and thought through.


Please have your email solution tell me that you are tracking opens, so that I will never correspond with that sender again.

I think tracking opens without notifying the recipient is a blatant privacy violation. If that’s where society is heading, I want no part of that.


This pisses me off more than it should. I used to be interested in Superhuman, but after they backed down I no longer care about getting an invite.

It’s nobody’s business what email client I use. I would like to see a bold email client that offers all these extensive tracking features and makes no apologies. Call it Supervillain for all I care, there is a market for it. If you don’t want to be tracked, don’t accept images from me or anyone else. Simple as that.


The quality and depth of introspection from the leadership of an organization, when they get caught with their hand in the cookie jar, is a truly epic spectacle to behold.

The more cynical among us might even think they knew exactly what they were doing but did it anyway for their own profit and to the detriment of others and the only thing they are actually sorry for is that they got caught.


How is this working? Gmail caches pixels - https://help.litmus.com/article/166-how-are-gmail-opens-repo...

> When Gmail automatically downloads and caches images, those cached images—including open tracker pixels, like the ones used with Email Analytics—are stored on Gmail’s servers. Gmail then loads the same images from the same servers for everyone—regardless of whether they open using Gmail in a web browser or a Gmail Android or iPhone/iPad app.


Presumably every email gets sent a unique pixel name.


Even so. It will get cached, so the analytics should fire only the first time it's opened. Not subsequent times.
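A small model of the exchange above, added as an example and not taken from the thread, Litmus or Gmail: it compares what a sender's pixel server logs when a client loads a per-message pixel directly with what it logs when a caching image proxy sits in between. The proxy follows the caching behaviour in the quoted text and is assumed to fetch on the first request; class names, addresses (documentation ranges), user agents and the token are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class PixelOrigin:
    """The sender's image server: every request it receives becomes one log row."""
    log: list = field(default_factory=list)

    def get(self, path, ip, user_agent, when):
        token = path.rsplit("/", 1)[-1].split(".")[0]  # per-message id in the URL
        self.log.append({"token": token, "ip": ip, "ua": user_agent, "time": when})
        return b"GIF89a-constructed"  # placeholder bytes, not a real image


@dataclass
class CachingImageProxy:
    """Mailbox provider's image proxy: one upstream fetch per distinct URL."""
    origin: PixelOrigin
    ip: str
    user_agent: str
    cache: dict = field(default_factory=dict)

    def get(self, path, when):
        if path not in self.cache:  # only a cache miss ever reaches the sender
            self.cache[path] = self.origin.get(path, self.ip, self.user_agent, when)
        return self.cache[path]


def sender_view(opens, path, proxy_ip=None):
    """Replay the recipient's opens and return the sender's resulting log."""
    origin = PixelOrigin()
    proxy = CachingImageProxy(origin, proxy_ip, "ImageProxy") if proxy_ip else None
    for when, client_ip, client_ua in opens:
        if proxy:
            proxy.get(path, when)
        else:
            origin.get(path, client_ip, client_ua, when)
    return origin.log


# Constructed sample: one recipient opens the same message three times.
PIXEL = "/open/msg-7f3a.gif"
OPENS = [
    ("2019-07-03T09:00", "198.51.100.7", "DesktopMail/1.0"),
    ("2019-07-03T23:10", "203.0.113.42", "PhoneMail/2.0"),
    ("2019-07-04T08:30", "198.51.100.7", "DesktopMail/1.0"),
]

if __name__ == "__main__":
    for label, ip in (("direct", None), ("proxied", "192.0.2.10")):
        print(label)
        for row in sender_view(OPENS, PIXEL, proxy_ip=ip):
            print("  ", row)
```

With the proxy in place the sender still learns from the token which message was opened and when it was first opened; what it loses is the recipient's address, the mail client and every later open.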


Why do 'power users' care if people read their emails?


How about a browser or email extension that repeatedly and randomly loads the pixel? For bonus points, through a wide set of proxies.


Sadly they followed the path of nearly every surveillance capitalism startup out there.

1. Breach user trust by acting without user consent.

2. Market it as a service.

3. Eventually get caught.

4. Offer an apology.

Rinse, Repeat.

I don't have any real complaints about the steps they took to correct this. I have complaints about the fact that they did it in the first place and didn't consider the users. I also take offense at their investors who continued to invest while knowing this was going on.


Surely this is a massive breach of GDPR?


IANAL but this discussion of the topic seems to indicate that you are correct if any SuperHuman users send emails with invisible tracking pixels to anyone in the EU.

https://www.gdpreu.org/compliance/email-tracking/


‘Massive’? I’d be surprised if they have anywhere near the incidents of tracking pixels that a bog standard small ad network has.

No one will be able to tell accurately until a ruling comes down but I believe this is a GDPR violation but one they won’t be fined for if they do basic location filtering for their tracking pixels.


A "bog standard small ad network" does not typically have the email address of the ad viewer.


I was thinking, massive in the sense that any (business) user of the service might be considered in breach of GDPR for obtaining personal data without consent.


Every statement ever made by a tech company that went over the line and decided to step back from it should automatically, in your mind, be appended by "for now."

Superhuman is getting rid of this _for now_.

Also works for mobile carriers and pretty much any statement they make ever.


I didn't expect this, but it's actually everything I would have reasonably wanted from them. Dang!


I really don't get what the fuss is about here. You are being tracked online. Why get upset about this specific instance?


I have no idea either. I track every email I send out. The issue with tracking, when done by companies, is what they use that data for. People don't want to have sales profiles built on them or have their literal privacy - in terms of their personal web traffic - being invisibly tracked and potentially exploited by bad actors.

On a personal level, I send emails for a variety of reasons, and I haven't found a good reason why I wouldn't want to know when they were accessed.

1. I've sent legal correspondence and it's important for me to have a record of when and how frequently it was accessed in case it ever reached court.

2. When I send emails to my staff, I'm less interested in whether or not they reply and more interested in whether or not they read the emails at all. If not, then I can use alternative and more immediate forms of communication.

3. Sometimes I'm ignored by people that owe me money for one reason or another (in one particular case, I was almost scammed out of $40,000). Knowing that the correspondence I was sending was being accessed but was being ignored allowed me to take more immediate action.

I'm not building profiles on people, I'm not trying to sell anything. And I'm not going to apologise for it either. My intentions are not malicious, so that's where it starts and stops for me.


> My intentions are not malicious

In scenarios 1 and 3, your intention is to spy on people to gain an advantage over them in legal proceedings. That's going to qualify as "malicious" from their perspective.


You think having a transactional log to stop people from lying in court is a bad thing and has me doing harm? What unfair, malicious gain do I receive by being able to present evidence that says that someone did in fact read correspondence?

Respectfully, you’re in a very small camp there. You might as well call security footage or fingerprint evidence malicious as well. The same goes for snail mail that has delivery confirmation.

If anything, this thread has just reinforced my belief that I’m doing the right thing.


> You might as well call security footage or fingerprint evidence malicious as well.

Security footage of your property is fine. Embedding a hidden camera into a package that you mail to someone is not.

> If anything, this thread has just reinforced my belief that I’m doing the right thing.

And it's reminded me to verify that image loading is disabled on all my clients. Win win, I suppose.



