Substack spies
They're tracking everything that they can and there's little we can do about it.
Tl;dr: Substack tracks the activity of recipients of emails it sends, and shares a lot of that data with authors. Authors cannot disable this tracking. It’s bad practice. According to its reply to my protestation it is unlikely Substack is interested in changing its tactics.
Substack
You’re receiving and reading this essay through Substack, a platform I use for sending out newsletters. It is dedicated to the form of newsletters and its simplicity and cleanliness is what attracted me to use it over other options. It also has an option to charge for subscriptions for 10% of earnings.
Tracking
Online tracking is used to record a pattern of a person’s behaviour through certain identifiers such as email and IP addresses, and other unique combinations of the tools they use like browser type, version, and its extensions, operating system, hardware components, and then further through language choices and time-zones. Companies track through a combination of techniques such as browser cookies, tiny images (‘tracking pixels’) in emails, unique urls, ‘analytics’, etc. All this information, often across platforms, helps companies build a detailed profile of a person’s online persona, habits, and desires, so that they can target adverts or influence people to vote for Brexit or Trump. It’s very valuable data that allows companies like Facebook, Google — and I assume Substack as well — to offer free services and then sell or use the data as their actual product.
What Substack does
When an email from Substack is opened by an email client it also displays or processes images referenced in the email. Those images are not attached to the email but linked and fetched from a remote Substack server. This way Substack knows when someone opened the email. If the email client also creates email previews, Substack also knows that the email was received without the recipient needing to do anything.
Substack uses at least two techniques to achieve this. Firstly, it includes a 1x1 pixel image that you won’t see, but that still needs to be fetched from their servers. You can see it if you examine the literal content of the email at the very end; visiting that url will give you the image above if your background is dark.
<img width="1px" height="1px" alt="" src="https://email.mg1.substack.com/o/<290 unique character identifier>">
Of course it does that for all the other intended-by-the-author images in the email’s body.
Substack also replaces all the links the author puts in the email’s text with unique links that, when clicked, first go to Substack’s servers and are then forwarded to the actual destination. When I say ‘unique identifier’ I mean that it’s unique to the email recipient, and each email, such that the identifier in every link and in every email sent is different. This lets Substack associate any click with an email address at a fine grain.
Substack therefore knows when you’ve received the email, when and how many times you opened it, and which links you clicked. It can even deduce that you’ve forwarded the email because when someone else receives the email or clicks on a link, Substack will notice that the other identifiers — IP address, browser, OS, etc. — are different from yours, but it’s ‘your’ unique link.
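As an added illustration (not code from Substack or from this essay), this Python sketch audits an email's HTML body for the two techniques described above: invisible 1x1 remote images and links whose path carries a long per-recipient token. The sample HTML, the example.test hosts and the 24-character token threshold are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: hosts under example.test and all tokens are made up.
SAMPLE_HTML = """
<p>Read <a href="https://links.example.test/redirect/AAAA1111BBBB2222CCCC3333DDDD4444">a guide</a>
or visit <a href="https://www.eff.org/">https://www.eff.org/</a>.</p>
<img src="https://cdn.example.test/photo.png" width="600" height="400" alt="chart">
<img width="1px" height="1px" alt="" src="https://email.example.test/o/EEEE5555FFFF6666GGGG7777HHHH8888">
"""

def _px(value):
    """Return the pixel count for '1' or '1px', else None."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.IGNORECASE)
    return int(m.group(1)) if m else None

class TrackerAudit(HTMLParser):
    def __init__(self, min_token_len=24):  # threshold is an assumed heuristic
        super().__init__()
        self.min_token_len = min_token_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            if urlparse(src).scheme not in ("http", "https"):
                return  # attached or inline image: no fetch, nothing to log
            w, h = _px(a.get("width")), _px(a.get("height"))
            tiny = w is not None and h is not None and w <= 1 and h <= 1
            self.findings.append(("tracking-pixel" if tiny else "remote-image", src))
        elif tag == "a":
            href = a.get("href") or ""
            # A long final path segment is treated as a per-recipient token.
            token = urlparse(href).path.rstrip("/").rsplit("/", 1)[-1]
            if len(token) >= self.min_token_len:
                self.findings.append(("tokenised-link", href))

def audit(html):
    """Return (kind, url) findings for an email's HTML body."""
    parser = TrackerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for kind, url in audit(SAMPLE_HTML):
        print(f"{kind:15} {url}")
```

Ordinary remote images are reported too, because fetching any of them tells the sending server that the email was opened.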
What I see
In ‘Settings’ Substack lets me do even more tracking, but not less of it. I’ve left all of those extra tracking options empty, but there are no options to disable anything else.
Substack displays a lot of the tracking to me. I can see when a particular person opened the email (or not) and how many times they did, and when. It allows me and any other author to do second-hand spying on people I may be interested in knowing when they are awake or in front of their screen.
Why it’s bad
Including trackers in an email is not very neighbourly; it’s actually quite offensive. That’s because of the ability of the sender to choose to violate the recipient’s reasonable expectation of privacy without their explicit control, or ‘opt-in’. Those who use these aggressive tracking techniques take advantage of people who don’t realise the extent of the invasiveness that’s possible. But they are also excluding those who do know, those that are privacy-conscious enough to not let companies be so invasive in their prodding.
Both aspects are contrary to good healthy ethical business: underhanded privacy tactics, and exclusionary practices. Resistance to this stuff is getting traction. ‘Hey’ is a new email provider with an anti-tracking stance as a headline feature. The ethics aspects of these techniques, and conducting business ethically in general, are increasingly being discussed and rewarded. Of course browsers and email clients do their part in this arms-race but are struggling to balance usefulness with strictness, and are sometimes a bit behind the baddies.
Considerable effort has been put in by those who care about privacy, like the Electronic Frontier Foundation, to educate people to not click on (suspicious) links in emails in order to avoid phishing attacks. Obfuscating the actual destination url by Substack and others isn’t helping (the punters… it does help the crooks).
I’d also say from an author’s perspective that this level of tracking isn’t all that useful. It’s nice to have aggregated data about my readership, although I’d instantly give that up too. I wonder how other authors use the data, if at all, to influence their writing, scheduling, and other considerations. On balance, do most think it’s worth it? (To be clear, I’m talking about the actual tracking by Substack, not only the display of this data to authors.)
Finally, my ‘Assortment’ newsletter comes from
Assortment <saar@substack.com>
as if it came directly from me. People may not be aware or care that Substack is an intermediary between my keyboard fingers and their email client. They might think that I am tracking them; a bad look.
What they said
I’ve reached out to Substack about this on Twitter but they didn’t react. I then sent them an email about my concerns. I asked
* Will you commit to reduce the amount of tracking?
* Will you provide a way for me to reduce the amount of tracking in my newsletters?
I feel that if you won't, I will look for another way to publish.
and they replied
We can't commit to changing our stats, nor can we provide a way to reduce the stats on the dashboard of your own publication.
If that's not for you, and you decide to publish elsewhere, I understand!
To me that indicates that aggressive tracking is part of their business model, not just something that they thought was a harmless nice-to-have feature. So far they’ve received $17m in VC funding and so if history is any reliable guide I wouldn’t expect things to improve.
I’m singling out Substack here because I’m a new user and I’m disappointed with their response; somehow I expected better. Most such services use these techniques to various degrees. Mailchimp for example only allows you to turn off some tracking if you’re on a paid tier.
What can you do
Some email clients allow users to choose not to automatically open or load images. Do that and restrict any kind of tracking as much as you can. Unfortunately, there’s little that you can do about the unique links other than not clicking them. Even using proxies or Tor won’t help because once clicked they know it’s you no matter what route you took to get there. Further, when you hover on the link in the email you’ll see Substack’s link, not the actual link, so you can’t cut-and-paste it unless the link is spelled out in the body of the text, which is stylistically horrible in an essay.
Specifically for Substack emails, if you’re concerned about tracking I’d suggest that once you get a notification of a new letter via email, you go to the newsletter’s page and read it there. The links will be the actual links so you can avoid clicking them. If you do click on them, Substack will know someone clicked them, but they won’t be able to tie it to your email unless they have other identifiers that allow them to do so, like cookies.
You can also write to Substack — privacy@substack.com, hello@substack.com, support@substack.com — to let them know privacy matters to you. If it hurts shareholders’ bottom line they might force C-level types to reconsider spying on their own users unnecessarily.
What can I do
This letter is the first thing.
I’ll look for alternatives to Substack that meet my criteria; until then, I might stick with Substack for a while because focusing on writing is important to me right now.
I’ve written this essay in order to bring this issue to the attention of my readers and I will link to this post in my future letters. I’ve only covered the basics of tracking and defences and there’s a lot to learn and keep track of. The EFF is a good resource for getting a handle on it:
https://www.eff.org/
In my writing style I avoid the use of links in the body of the text wherever possible so as not to interfere with the flow of reading. I also try to provide the terms for people to search for themselves instead of providing a link. I do, however, allow myself to link more liberally in the ‘Notes’ section of the letter where flow is less of a concern.
Notes
Substack says that it’s GDPR compliant. I checked that before starting to use the service and it was good enough for me at the time. It’s unclear to me, though, if this level of default tracking is essential to the service of sending emails (Data minimization), and whether consent to receive emails is reasonably also consent to be tracked (Purpose limitation). I doubt it.
Thanks to
Steven Murdoch and Caroline Gasperin for commenting on drafts of this essay.
Thank you for sharing this! One of my readers brought up this issue today, and I'm now looking into alternatives for my newsletter.
Interesting...