How to stop "Tracking"

[samsonette]

I don't like this "Tracking"-Shit of marketing and spammer people.

Aqua Mail is loading the following tags (tested by emailprivacytester.com )
- Audio tag
- Object tag - data
- SVG attachment with CSS
- CSS content
- CSS background-image
- Object tag - Flash
- Video poster
- Image Submit Button
- SVG inline with remote image
- Background attribute
- Iframe tag
- CSS import
- CSS link tag
- Iframe meta refresh

Could I switch off loading these html tags anyhow? 

[druckmusik]

I don't like this "Tracking"-Shit of marketing and spammer people.

Aqua Mail is loading the following tags (tested by emailprivacytester.com )
- Audio tag
- Object tag - data
- SVG attachment with CSS
- CSS content
- CSS background-image
- Object tag - Flash
- Video poster
- Image Submit Button
- SVG inline with remote image
- Background attribute
- Iframe tag
- CSS import
- CSS link tag
- Iframe meta refresh

Could I switch off loading these html tags anyhow?

+1
I also don't like this!

[Kostya Vasilyev]

That test is really comprehensive, which is a good thing, but some of its cases are really unusual (although technically valid).

AquaMail has a spam control feature for linked images. It works.

JavaScript in SVG (or anywhere else) is turned off.

Blocking the rest requires deep inspection of HTML and CSS code.

FWIW, stock Email (Android 4.3) hits identical cases, but also executes JavaScript (which brings up a web browser).

[mb]

+1
You can verify Thunderbird - they filter out every single tracking attempt on emailprivacytester.com.
Not sure if the source code is available, but maybe it can help to improve privacy in Aqua Mail.

Privacy is currently a really big topic, and running email clients that protect my privacy is for me equally important than for millions of other users.

Cheers, M.

PS: Kostya, apart from privacy issues I love your work, I'm using the "Pro" version.

[Kostya Vasilyev]

To a large degree, this comes down to parsing actual message content. Recent dev. builds of AquaMail already do this for other reasons (phone number highlighting).

Thunderbird source code is available, to my knowledge, but how would it help?

[samsonette]

I don't be an expert, but I think it should be easy to show only the real content of the email and disable all contacts to other servers for reload additional content or send feedback.
I'm using outlook 2010 on desktop. It saves my privacy, because it is showing the pure content of the email. Only by clicking on a hint frame, it loads the rest.
If I trust the sender, I could click for to loading the rest.

I like aquamail very much, but I and all my colleagues in my company must not longer use aquamail on there business android devices because of this issue.
It's a pitty!

Markus

[dirkliesenfeld]

+1
An option for hint frames for unknown sender would be perfect. Spamming is still atrocious.

[Kostya Vasilyev]

Hint frames? What is that?

Have you checked app settings -> contacts -> indicate unknown?

[ntm]

Hi Kostya,

thank you for this great app. So please don't get me wrong on this. I think this is a big security and privacy issue, because spammers and tracking companies can check, if and when and how often a user opened an email, the DNS-IP, possibly even the worldwide location where the user opened the email, or even that hes using aquamail on android to read his mails. This behaviour opens up the possibilities for cross-device tracking and device-fingerprinting, which allow the assignment of universal unique user ids to devices and can compromise your users privacy severely.

Please fix this. Thank you in advance!

cheers!

ntm

[Kostya Vasilyev]

@samsonette - I'm curious about what you and your colleagues ended up switching to?

K9 -- which I've seen have trouble even with images (the most basic stuff...)?

myMail -- which collects your messages on its own servers (and the company is known for installing pretty-much-malware, on Windows)?

Stock Android Email -- which does not filter anything more, but also allows JavaScript / SVG?

Gmail -- oh wait, they can do their own tracking, because they're calling themselves the good guys?

Pretty much all these are holes in the Android HTML rendering component. They are going to be difficult to plug.

[dirkliesenfeld]

Hint frames? What is that?

Have you checked app settings -> contacts -> indicate unknown?

I was referring to post #6
Like a "button" to push before external content is loaded.

[Kostya Vasilyev]

@dirk - Ah, yes. That's already in place for linked images.

The rest requires even deeper HTML inspection than I have now... I'm sure I'll get to it sooner or later.

[dirkliesenfeld]

Ah, OK.