ProtonBlog(new window)

Proton Mail now protects you from tracking links

Share this page

Your email has become a prime target for advertisers seeking valuable information about your online activity. Many advertisers try to track you using spy pixels, which we recently discovered are present in over half of all emails(new window). These pixels allow advertisers to track when, where, and from which device you open their emails, compromising your privacy.

Proton Mail protects you from tracking pixels by default, but advertisers have more tools they can use to track you. After spy pixels, tracking links embedded in an email or newsletter are one of the most common ways companies try to spy on you.

These tracking links typically tell an organization which email you read, what you clicked to open the link, and what marketing campaign you engaged with. While not all tracking links are nefarious, they can relay sensitive information that companies can use to personally identify you, profile your behavior, and follow what you do across apps and websites.

Starting today, we’re happy to introduce Tracking Links Protection on our web app. It removes known tracking parameters from links in your emails and is turned on by default. We’re the first email service to offer this level of protection because we believe your inbox belongs to you.

How do tracking links work?

Tracking links can be particularly insidious. They’re often hard to detect: many times, it’s only after you click that you’ll notice an overly long URL in your browser’s address bar, filled with tracking parameters.

Most companies track links to monitor the effectiveness of their marketing campaigns, which can have a significant impact on your privacy. By attaching parameters to the URLs in their emails, these companies can track your interactions with their website over time and between apps.

They can then use this information to build a profile on you, refine it to better target you, and share it with third parties. Clicking a tracking link in an email you received can have a significant impact on your privacy because the advertiser already has your email address, which it can use to tie all your online activity together.

The most common tracking parameters are Urchin Tracking Module (UTM) parameters, which are supported natively by Google Analytics. They typically include the campaign name, audience, source (in this case, email), and touchpoint (such as a button in an email). While UTM parameters can be generic, they can also be customized just for you, depending on the sender’s needs. In addition, other ad and tech companies have developed custom tracking parameters that aren’t always documented, making it hard to tell what information they collect. 

With all this in mind, we believe tracking links are increasingly being used as a form of surveillance and privacy abuse.

How Proton Mail protects you from email tracking

Proton Mail already blocks tracking pixels used by snooping email senders, so cleaning links from tracking parameters was a logical next step as part of our commitment to protect your privacy. 

To accomplish this, we’ve created a blocklist of known tracking parameters using both internal and external, community-supported sources. This ensures that we block not only UTM tracking parameters but also some other custom parameters used by ad companies.

Cleaned links will still redirect you where the sender intended, but they won’t inform the sender that you clicked their link, where you came from, or anything else. We’ve added more details about links and the trackers we block that you can now access by clicking the shield icon.

While privacy-focused browsers like Firefox, Brave, and Safari offer or are developing similar features that block tracking links, it’s unclear whether Chrome or Edge will ever adopt such measures. To ensure you receive consistent privacy protection no matter which browser you use, we built Tracking Links Protection directly into Proton Mail.

Learn how to use Tracking Links Protection

It should be noted that email tracking remains a game of cat and mouse. It’s likely that some advertisers will change their tracking parameters to get around blocking technologies or make it so that removing them would break the link. (In such a case, we default to leaving the link intact.)

If you’re particularly concerned about link tracking, be sure to enable our link confirmation feature to make sure you always know where you’re being redirected. 

Use Proton Mail for a safer inbox, free from trackers 

By choosing Proton Mail, you can have peace of mind knowing that what you do in your inbox and with your emails will stay with you. We want to enable you to keep your personal information private and secure from companies trying to track your every move online. 

With our ongoing efforts to protect you from trackers, we’re building a higher standard for email where tracking has no place. Thank you for your support and let us know what you think of Tracking Links Protection on Reddit(new window) or Twitter(new window).

Protect your privacy with Proton
Create a free account

Share this page

Richie Koch(new window)

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

Related articles

What was your first pet’s name? In what city were you born?  We’ve all had to answer these questions to reset a long-forgotten password, but consider how that works. Much of this information is easy to find for others (or easily forgotten by you), m
In the early days when Proton started, we often received a question along the lines of “I love the product and what Proton stands for, but how do I know you will still be around to protect my data 10 years from now?”  Ten years and 100 million accou
Credential stuffing is a popular type of cyberattack where attackers take login credentials and use them on thousands of websites, hoping to fraudulently gain access to people’s accounts. It’s an effective attack, but fortunately, one that’s easy to
With Skiff abruptly shutting down operations, many people are on the lookout for alternatives that don’t compromise on privacy — and won’t suddenly disappear. People were attracted to Skiff because it promised privacy, no ads, end-to-end encryption,
Skiff is dead. On Feb. 9, the email company Skiff announced it was being bought by Notion. Many Skiff customers have been shocked by this news, as their inboxes have been sold out from under them. Skiff gave people six months to export their data be
Looking into the Dropbox privacy policy
Dropbox was the first mainstream cloud storage provider, and still the biggest player on the market, with 700 million users in 2022. We took a dive into Dropbox’s privacy policy to see how well the company protects the personal data of those millions