Facebook Knows When You Open Their Emails. How? Creepy Silent Sounds...

By Greg Kumparak , written on March 6, 2012

From The News Desk

With Facebook rapidly approaching 1 billion users, how many e-mails do you think they're sending each day? Hundreds of millions? Billions? Whatever the number, it's absolutely massive... and they appear to be keeping tabs on as many as possible. If you open that email they sent, Facebook wants to know about it, and they've got a rather clever way of figuring it out.

You see, the Internet's biggest emailers, from the big, nasty spammers to the generally innocent heavy senders like Facebook, have long sought after ways of determining whether or not the recipient of an email ever actually opened it. It began with read receipts, a feature built into select email clients that prompted users to confirm that they've received an email.

The problem, of course, is that few people ever actually hit the confirm button. Many senders (Facebook included) then turned to "tracking pixels," which is a fancy way of describing invisible images that, when loaded, ping the sender's server to let them know you've opened the email. Most email client developers responded by requiring users to manually confirm that they want images to load on an email-by-email basis.

A friend-of-a-friend tipped us off over the weekend to a rather clever way that Facebook is taking it one step further: non-existent sound files.

You can see it yourself by opening just about any email sent by Facebook in the past year or so (and possibly even earlier) and looking at its raw HTML. Somewhere in there will be a bit of code that looks like this:

<img src="" style="border:0;width:1px;height:1px;" />

<bgsound src="" volume="-10000"/> The first bit, the img source line, is Facebook's tracking pixel. It tells the mail client to ping Facebook's server for an image that doesn't seem to actually exist. Facebook's server sees the request, and can use the email's unique 28-character identifier, shown above as a series of X's, to flag that email as having been opened.

The second bit, the bgsound line, is where Facebook is getting tricky. It's essentially the same exact idea as a tracking pixel. But rather than trying to load an image, it uses a rather antiquated (and universally-despised) HTML tag to tell the client to try to load a sound file. It sets the volume to negative 10,000, ensuring that absolutely no sound is actually emitted. When the image call fails (because it's blocked by the mail client) the bgsound call can swing in to pick up the slack.

Now, there's a bit of good news...sort of: The bgsound tag is proprietary to Microsoft, and pretty much everyone else omits it from their product. In other words, this sneaky little workaround should only affect folks on Internet Explorer and Outlook. Given that Internet Explorer's chunk of the marketshare still hovers around 50%, however, that's no small number. Using Chrome, Firefox, OS X's Mail, or pretty much anything else to read your mail (as you should be doing anyway) should keep you in the clear.

I've pinged Facebook's policy team for details on why they're using this code and what details, if any, they're storing. They've acknowledged the request and say they're "working hard to get answers," but have nothing yet. It could very well be that they're just storing a single binary "read/not read" value. If they're logging the IP of users who open the email, however, it raises some privacy concerns for how Facebook follows its users when they're not even logged in. And what about Facebook emails forwarded from one person to another? However it's used, why isn't the user given any indication of its existence, or given any way to disable it?

Update: After a morning/afternoon of prodding, Facebook got back to me. They confirmed that they are in fact using these methods to track whether or not an email has been read. Their statement:

"Similar to other services that send a large number of emails (e.g. notifications users have rquested [sic]), Facebook uses several industry standard technologies to confirm that emails are received and whether they are opened. We only use this information to improve the emails we send and no other data is tracked or collected."

For the curious, I did the math on how many different unique emails a 28-character string could actually be used to tag over time. Assuming that Facebook is only using upper/lowercase letters and numbers 1-9 and that my math isn't far too rusty for this sort of stuff, it works out to seventy-three sextillion — or seventy-three followed by twenty-one zeroes. (Million < Billion < Trillion < Quadrillion < Quintillion < Sextillion.) In other words, an absolutely absurd amount.