Spotlight, spam email, tracking pixels, and what you need to know

By default, OS X Yosemite's Mail app won't "load remote content" such as the types of images typically requested by marketing emails and spam. You can change that in preferences if you really want to see remote images in your emails — such as the products being advertised by Apple, Best Buy, or other retailers in their mailings — but if you accidentally or deliberately click on spam, those images will load too. Even with "load remote content" left off, however, if any such marketing or spam email shows up as a Spotlight search result, Heisse reports that such remote content will load. So, what's going on and what can you do about it? ITWorld translates:

The potential privacy glitch affects people who have configured the Mac Mail App to turn off the "load remote content in messages" setting, as security experts have long advised. Spammers, stalkers, and online marketers often use remote images as a homing beacon to surreptitiously track people opening e-mail. Because the images are hosted on sites hosted by the e-mail sender, the sender can log the IP address that viewed the message, as well as the times and how often the message was viewed, and the specific e-mail addresses that received the message. Many users prefer to keep their e-mail addresses, IP addresses, and viewing habits private, a goal that's undermined by the viewing of remote images.

When you visit a website, that website gets information about you. That includes your Internet Protocol (IP) address, the type and version of computer operating system and browser you're using, and other technical details. Your IP address can be used to determine your Internet Service Provider (ISP) and the general area where you're located. If you've ever used something like Google Analytics — which most sites, including iMore, use benignly to figure out how many readers come here, from where, and what they're reading the most — then that's the type of information that can be collected.

As described above, email can be turned into a pseudo webpage by requesting server-side images — including tracking pixels — be loaded into them. Instead of attaching an image, which embeds the image in the email, they pull it from a website: If "load remote content" is enabled, that image will be pulled as soon as you open the email, and the website will get your IP address and other information just as if you visited the site directly.

The issue here is that even if you have "load remote images" turned off in Mail, Spotlight will still load them. So, if a search you type into Spotlight returns a marketing or spam email message as the Top Hit, it will automatically load those images, and if it returns it as a Mail & Messages hit, and then you click on it, it will load those images.

I typically leave "load remote content" on, so I'm not overly concerned about this. I find it annoying to have to click on the "Load Remote Content" button every time I want to see an Apple or B&H or other product email I've subscribed to. A combination of Gmail, iCloud, and anti-spam means I almost never see spam anyway, and I don't click on them when I do. I also delete my spam messages frequently. So, I've also never, in all the years Spotlight search has been available, had a spam mail message return as the first, automatically previewed, result.

My guess is most people are similar, and won't run into this problem either. That said, it is a problem, and some people are really and rightly concerned about online tracking, especially those being stalked. It would absolutely behoove everyone if Spotlight, when providing Mail results, honored the "load remote content" setting in Mail.

Hopefully Apple will implement that as soon as possible. In the meantime, if tracking pixels are a concern, you can disable Mail as a result type in Spotlight. It's less convenient, but that's typically the price we pay for security.

Although Apple has almost certainly been notified about this issue, I've also filed a bug report with Radar, should anyone with access want to dupe it.

Bug report: rdar://19439666