That's not how email works

Posted by HotGarbage 5 hours ago

Comments

Comment by amprisewinner 6 minutes ago

I've been getting similar letters in the mail from Ameriprise for over 15 years. I receive all my account-related emails, but because they can't _track me doing that_ they _assume_ there is some kind of problem.

I've contacted them about this multiple times and always get the same clueless & useless responses that ultimately end with "just disregard the notices" result.

What a waste of resources, at so many levels.

Comment by jackfranklyn 3 hours ago

The http:// thing is what stands out to me. Someone had to actively choose to serve content over http in 2026. Even if the original template was ancient, any security review would have caught that - unless they skipped that step entirely, which honestly tracks.

I work with banking data day to day and the internal systems are often just as rough. CSV exports with inconsistent date formats between the same bank's own products. Transaction descriptions that are random truncated strings with no standardisation. Every bank formats their statements differently and some of them can't even stay consistent between their own account types.

You'd think with the regulatory pressure around data accuracy this stuff would be sorted by now. But the reality is most banks treat their digital infrastructure like legacy plumbing - it works well enough that nobody wants to risk touching it.

Comment by zahlman 1 hour ago

> But the reality is most banks treat their digital infrastructure like legacy plumbing - it works well enough that nobody wants to risk touching it.

They don't seem to have nearly the same concern for their online banking web UIs, though. Or even the UIs presented on screen at ATMs.

Comment by lcnPylGDnU4H9OF 38 minutes ago

Not that it justifies arbitrary UI updates but that has a different risk profile. It would be a potentially existential crisis for a bank to (for example) push an update to backend systems that credits one account without debiting another, especially at scale. In comparison, changing the graphical interface of clients which connect to those systems has a rather isolated blast radius.

Comment by crazygringo 3 hours ago

Does HTTP really matter in this particular case though?

HTTPS still typically exchanges the Server Name Identification. So you know somebody is talking to HSBC. And the rest of the URL is just an anonymized tracking ID. So I'm having a hard time seeing what the threat is this particular instance.

Comment by chowells 2 hours ago

The article addresses this, actually. Fetching any unsecured content is an attack vector. https://danq.me/2026/01/28/hsbc-dont-understand-email/#footn...

Comment by crazygringo 1 hour ago

In this particular case, injecting content into the image to make someone read a false message doesn't seem possible. The pixel <img> tag has width and height set to one. This overrides whatever the image size is. No altered message will be readable.

Comment by matthewmacleod 1 hour ago

This is true up until the point that someone finds a security issue with an image parser that’s present in a browser engine, and suddenly you have an RCE.

Comment by cryptonector 2 hours ago

Yes it matters. First, there can be much much more metadata in the URI local part than just in the SNI -- just because it looks anonymized doesn't mean that it is. Second, ESNI is a thing and it's going to get more deployment. Third, DNS queries for ESNI can go over HTTPS/TLS/QUIC.

Comment by wolfi1 3 hours ago

as it's a tracking pixel it's personalized, if you are reading your email in the cafeteria with their wifi, potentially everybody in the cafeteria know more about you than they need

Comment by crazygringo 2 hours ago

What do you mean it's personalized? It's an anonymous identifier token specific only to that email.

Like I said, even with HTTPS everyone in the cafeteria theoretically knows you're connecting to HBSC as well.

So I don't see the difference.

Comment by cryptonector 2 hours ago

You _think_ it's anonymous.

Comment by sharperguy 2 hours ago

They know that you likely read some email from HSBC and if you happen to read the same one again they will know it was the same one.

Comment by crazygringo 2 hours ago

Right. But even over HTTPS it's not rocket science to figure out that connecting to www.email1.hsbc.co.uk pretty strongly suggests you've opened an e-mail with an image. And the number of times you request the same URL tells someone... what exactly? Because HTTPS still tells people the number of times you access any URL on a domain.

Comment by awesome_dude 2 hours ago

Worst case scenario is the HTTP pixel request tells attackers that there is a verification chat happening.

HTTPS the attackers know a conversation is happening, but no idea what

But, I personally think the threat is being overblown (I am happy to be corrected though)

Comment by danaris 1 hour ago

What on earth makes you think it's anonymous?

It's trivial to encode each tracking pixel with a personalized hash of some sort linking it to the intended recipient of that particular email.

This is...just how tracking pixels work.

Comment by crazygringo 1 hour ago

Right. The hash is anonymous to anyone without access to the internal database of hashes at HSBC. That's how tracking pixels usually work. Sniffing the HTTP connection isn't giving you any way to de-anonymize the recipient. It's a hash, not a long-term identifier.

Comment by cess11 2 hours ago

The author put some text in base64 in the URL:s, perhaps the original had information encoded in such a way that might leak something interesting.

"Not the real HSBC", and "Also not real HSBC" respectively.

Comment by nickname-derail 4 hours ago

NAB Australia does exactly the same thing. Unless I "load remote images" when I receive their emails, they'll start mailing letters saying that they switched me to paper statements as their emails are not going through. It also took me a bit to investigate as their emails were obviously coming through.

Comment by awesome_dude 2 hours ago

I'm in two minds on this - the bank does need to know that its communications are being received

But, they have no idea if the paper statements are making it to your desk, or if they are getting swiped from the letterbox (I'm in an apartment in Melbourne, and the snail mail is not reliable at all, mail is sometimes delivered to the wrong building, sometimes the wrong address entirely, it's also swiped by miscreants who have nothing better to do, and, in some cases, the pricks set the letter boxes on fire, taking all the mail with it)

Comment by ryandrake 4 minutes ago

If the bank really needed to know that its communications are being received, they would send them in a way that would reliably return this information (signature-confirmed postal mail). It's very unlikely that the bank actually needs to know this information.

Comment by 63stack 4 hours ago

So what do you think, what's happening here?

My experience with IT in banks is that this entire "feature" of tracking who's opening/not opening emails must have went through about 50 people, and it must have taken at least a year from the idea forming in someone's head, going through all the administrative bureaucracy, getting approved, developed, tested, and rolled out.

Is it that HSBC has 0 competent people who could have mentioned that "tracking pixels are unreliable, especially in 2025/26"? Or is it that everybody who mentioned this was overruled by middle/upper management because they know better? What about the http:// part? I imagine there must have been a few developers saying we should not be serving anything under http://.

Comment by malfist 3 hours ago

I ran a team at FAANG where I supported people creating content, including emails, and no matter how many times I explained open tracking was only useful as a trend and not an individual evaluation it just went over people's heads.

Senior leadership wouldn't believe me, kept harassing my team to explain why so and so who said they opened the email didn't have an open event, and why so and so who said they didn't open the email did have an open event.

Authors wouldn't believe me because email open was the highest scoring metric they had. Less than 3% of recipients would land on the page for the publication, but >50% would "open" the email that has a teaser and a call to action to open the webpage. If they had to go off of the click through metrics which are accurate it'd make it sound like they were bad at their job.

So everyone used open rates because it made them feel good. Either that they were writing engaging content, or made them feel like they actually had a handle on who was/was not reading their mail.

No metric would have been better than this metric.

Comment by estimator7292 1 hour ago

At the last startup I worked at, CEO grabbed me just happening to pass by his office to proudly show me how many people at Apple had "opened" his newsletter.

I explained what that number actually means and watched his eyes totally glaze over. Doesn't matter. The "Apple number" was greater than zero so clearly he was successful at his job. (Entirely unrelated, he now has one employee and zero customers)

Comment by jrs235 1 hour ago

>why so and so who said they didn't open the email did have an open event

This was one of the first known issues when Gmail and others began checking and preloading images/content in emails. It was "triggering" that events/requests to tracking pixels. Eventually folks learned and knew to check the user agent to determine if it was just the mail provider preloading/checking the email content.

Comment by stackskipton 3 hours ago

They might have competent people but most tech people working at a bank like are out of fucks to give.

At these massive, unable to go bankrupt companies, you quickly lose all fucks to give. No one cares about opinion of ICs or even direct managers, Senior Management makes the calls and you either execute quietly or replaced with someone who is. When I worked for $MegaUSBank, there was two types of people. Those who realized their "spark" was draining out of them and got a new job after a few years and those who were just "Whatever, I push buttons and get paycheck." and had been there for 15 years.

Comment by pavel_lishin 2 hours ago

This isn't exclusive to megabanks, either.

Comment by stackskipton 2 hours ago

Sure, any large enterprise where they have massive moats so actual work product rarely matters.

Comment by dwedge 4 hours ago

At least they email him and don't send the stupid "you have an important message, login to see it" email. No idea what those important messages are, I'm sure sometimes they were important

Comment by jandrese 3 hours ago

CRITICAL MESSAGE -- READ IMMEDIATELY

The automatic payment you set up has processed successfully.

Comment by nrds 3 hours ago

And if the automatic payment doesn't go through, well, then there's nothing to report on so no email generated.

Comment by dmd 4 hours ago

"hello we are your bank"

Comment by m463 3 hours ago

I think of the term "state of the practice"

Same thing happens with renting apartments. Slowly but surely, conveniences like apartment-phone-app (to open doors, to access mailboxes) get accepted by people and then they "throw the switch" and make the remaining 3% do it. Or maybe new renters must accept it to move in. And then they can deny access to apartments imeediately, track their residents, match with online activity and more...

Comment by brendoelfrendo 50 minutes ago

My take: someone wanted a technical solution for what is a people/process problem. A hypothetical version of events, just one of many possible scenarios of course: 1) Important communications required by law and/or regulation are sent by email. 2) Contacting customers via email is sometimes unreliable. It is unreliable enough that problems caused by missed emails caused enough pain in some exec's silo that they demanded a solution. 3) "Make sure people read their email" isn't really an actionable demand. The business knows this, so they turned to IT. 4) "Make sure people read their email" isn't really technically feasible either, but at this point it's not about making sure that the customer got the message: it's about making sure that the company is covered if a customer complains about missing communications. 5) To that end, a variety of technical solutions are proposed, and everyone knows that they're all bad or incomplete. The tracking pixel is chosen because it's at the intersection of "least bad" and "lowest effort to implement." 6) Around now, someone probably pointed out the issue with serving the content over http, but changing that requires buy-in from another team. It'll go to their product manager as an inject and maybe get prioritized for next PI (it won't, something more important will come up between now and then). 7) The tracking pixel ships. The team that implemented it stresses that this is an incomplete solution and the business really needs to re-evaluate their processes around customer communications. 8) The email tracking pixel solution gets a bullet point on a slide in a presentation given to managers 3-5 levels higher than the devs who made it. No one mentions that the solution is incomplete and requires additional work and investment. No one ever thinks of it again.

Comment by raverbashing 4 hours ago

I think people are overthinking this, though the discussion about reliability is merited

For every HN technically inclined people you have dozens of other customers who will give any email (thinking it's just writing "John.smith@bt.co.uk" or something) - or worse- and they have to find a way of identifying those customers

Comment by wat10000 3 hours ago

I'd guess one of two things. One is a conversation that goes like:

"I want to send letters to everyone who doesn't open our emails."

"We can't really detect that. We could add a tracking pixel, but–"

"Yeah, do that, the tracking pickle thing."

The other is that the "did they open this?" feature was rolled out purely for metrics knowing that it's imprecise, and later on got repurposed for something unsuitable without looking at how the "did this email get opened?" facility actually worked.

Comment by rkomorn 3 hours ago

I would definitely open my mail if it came with a tracking pickle.

Comment by antonvs 3 hours ago

> Is it that HSBC has 0 competent people who could have ...

In the chain of command for a feature like this, that's quite possible.

> Or is it that everybody who mentioned this was overruled by middle/upper management because they know better?

Or just learned helplessness, they don't bother because they know it's not worth trying.

Comment by esskay 3 hours ago

All sounds about right for HSBC. They've got some of the worst banking tech in existence. How the heck anyone puts up with their crap is beyond me, I moved away a decade ago but still have a close family member with them and they're forever having issues (genuinely not user error) with the crippled online banking app they've got that looks like something from the early days of app development.

Comment by anonymousiam 2 hours ago

Years ago, I used to get marketing spam emails from Bank of America. In their email, they did not offer a way to opt out from those types of email, so I invalidated the unique email address that I had created just for them. A few months later, I got a snail mail letter like the one Dan got, telling me that emails were being rejected and that I needed to correct my email address. I went through the same sort of nonsensical dialog with them, and they simply would not let me opt out from their marketing emails, so I left it disabled for a few years. Eventually they offered "email preferences", so I re-enabled it.

My wife continues to get spam snail mail from Citi, and they offer no way to opt out. If it was my account, I would switch banks.

Back to the main topic: I think it's pretty stupid of the HSBC IT folks to assume that an email was not read because the tracking pixels were never accessed. Lots of email clients these days do not load images by default.

Comment by loloquwowndueo 4 hours ago

Want them to really listen to you? Cancel your accounts - move to another bank.

This works well as a bluff, but of course you need to be ready to follow through in case they call the bluff. Which if you are, you may as well switch banks for real anyway.

Comment by direwolf20 4 hours ago

Cancelling costs them no money — banks these days don't make money on customer accounts.

Comment by tadfisher 4 hours ago

On the face of it, this is not true; net interest margin is still the main profit driver, followed by fees. But besides that, retail deposit customers are a conversion funnel for more lucrative financial products such as credit cards and personal loans.

And besides that, banks need capital reserves in the form of customer deposits; if too much money flows out then they will have to either acquire customers or pause their real moneymaking activity (loans).

Your account doesn't make them significant money. Retail banking in general makes boatloads of money, and deposits are central to this now that we're out of zero-interest-rate-land.

Comment by nerdsniper 3 hours ago

> And besides that, banks need capital reserves in the form of customer deposits

USA's fractional reserve requirement is now 0%. UK has also gotten rid of their reserve requirement as well. In the UK, the limit to what the bank can loan out is more determined by the market cap of the bank (committed shareholder value). Cash is only strictly needed to cover ... customer deposits.

So in the UK, if a bank gets rid of customer deposits entirely, then it kind of doesn't need any cash anymore. It can just lend money out of thin air based on its total net worth (market cap).

Comment by tadfisher 1 hour ago

Thank you. I should probably know this, but I'm on the engineering side of things and not the business/operations/finance/whatever side.

Comment by 3 hours ago

Comment by bigbadfeline 3 hours ago

> Retail banking in general makes boatloads of money, and deposits are central to this now that we're out of zero-interest-rate-land.

Talking about banking in general is generally a huge mistake. While deposits may be central, retail deposits are irrelevant for the banks that do > 70% of banking.

> now that we're out of zero-interest-rate-land.

Doesn't matter to them.

Comment by loloquwowndueo 3 hours ago

> retail deposits are irrelevant for the banks that do > 70% of banking.

We’re talking about an individual sticking it to the bank he has an account with by cancelling it. Retail sounds entirely relevant here.

Comment by bigbadfeline 2 hours ago

The bulk of deposits in those banks don't come from individual retail and thus the individual's got no sticking power.

Citibank interest rate on savings accounts is less than 1%, more like 0.1%, and there are account fees too. They're telling you load and clear "We don't want your money" - you can't argue with that empirical evidence, straight from the horse's mouth.

Comment by direwolf20 2 hours ago

Banks get their reserves by borrowing from the Fed or from other banks that may have deposits. The idea that banks get reserves from deposits is severely outdated. Deposits are free reserves to the bank, but the overhead of maintaining customer accounts makes them an unattractive option.

Comment by malfist 3 hours ago

If banks didn't make money on customer accounts they wouldn't offer customer accounts.

Comment by direwolf20 1 hour ago

They're not making a loss, but it's not a lucrative business.

Comment by loloquwowndueo 4 hours ago

Maybe. But I still have to find a bank where you say you’re leaving and they say “oh ok, here’s your account balance, there’s the door”.

The main thing is that they do care about retention.

Comment by pfortuny 3 hours ago

As long as they keep other people’s money, they make money on it.

Comment by bayesnet 3 hours ago

This is arguable for HSBC (in the UK at least). Ringfencing laws post 2008 have made customer deposits in the UK very difficult to invest profitably, to the point where (at least last time I cared about this) they were charging commercial customers to have UK domiciled accounts.

Comment by yjftsjthsd-h 3 hours ago

> Ringfencing laws post 2008 have made customer deposits in the UK very difficult to invest profitably, to the point where (at least last time I cared about this) they were charging commercial customers to have UK domiciled accounts.

I don't follow; why would regulations on consumer accounts change the price of commercial customer accounts?

Comment by JumpCrisscross 3 hours ago

> Want them to really listen to you? Cancel your accounts

Just loop in your regulators. This costs them far more and properly documents the problem for follow-up in case it becomes a pattern. Possibly more annoying than moving accounts. But far more effective (unless you have nine figures with the firm).

Comment by loloquwowndueo 3 hours ago

Happy to hear you live in a place where regulators are effective - at least when it comes to consumer complaints.

Comment by JumpCrisscross 2 hours ago

Author looks like they’re in the UK. The UK has a responsive consumer financial regulator, possibly moreso right now than any federal regular in America.

Comment by theyneverlear 3 hours ago

[flagged]

Comment by 3 hours ago

Comment by kayo_20211030 5 minutes ago

Hang on. The OP gets a paper statement already (there's a picture). If the email address is correct, and OP does nothing, what's the worst that could happen?

If the bank wants to waste time and energy with this nonsense, that's their business. As long as nothing real bad can happen, let them at it.

I don't think I'd be inclined to do the "bank's job" when it affects me not a bit. As sure as eggs is eggs, I wouldn't spend hours on the phone or chatline explaining what their problem is. It seems like it's their problems and not the OP's.

Comment by Dwedit 3 hours ago

Gmail automatically downloads images ahead of time, so the tracking pixels will have been fetched by Gmail themselves regardless of when the user opens the email.

Comment by ChicagoBoy11 3 hours ago

I had a demo for some high-school students for an ethics and tech class that successfully demonstrated these with a GMail account, so when this started happening I got very upset lol.

Comment by jdhawk 2 hours ago

So does Apple's Mail Client. So do most webmail providers. Open signals are generally worthless.

Comment by extraduder_ire 2 hours ago

I think gmail adds some heuristics on top of it, like if the same image was included in emails to multiple people.

At least that's what I remember from them announcing the feature. No idea about other providers, and I haven't tested the feature myself.

Comment by danaris 1 hour ago

With a proper personalized tracking pixel, a simple deduplication won't catch it—the whole point is that each email's tracking pixel has a unique URL that lets them know that you opened the email.

It is, of course, very possible that Google has heuristics that can catch tracking pixels—in fact, I would go so far as to say that if they chose to, they 100% could, probably tomorrow. But given where Google makes its money, I would not in the least trust them to do that for me.

Comment by zzyzxd 4 hours ago

Capital One does this to me as well, but at least they make it clear so I actually understanding what they mean ("You haven't opened an email from us lately...").

It's fine, Capital One. I did open your emails, I just didn't load your shady tracking pixels.

Comment by burnte 4 hours ago

Ditto, I get them all the time and just ignore them. I actually have a gmail rule that if it sees that phrase it marks it read and deletes it. Them not knowing if I read an email is not a problem I need to solve.

Comment by bmenrigh 4 hours ago

Charles Schwab has something very similar. They keep unenrolling me from their paperless thing and then send me a letter every month telling me they unenrolled me because emails aren't being delivered.

But I get their emails just fine. It's their tracking that (intentionally) isn't working.

Comment by TheCraiggers 3 hours ago

Capital One is the same. I eventually stopped caring; I know these paper mailings are costing them money. Maybe they'll get the point someday.

Comment by WorldMaker 28 minutes ago

An issue is the number of banks now charging you back for paper services. At least one of my banks the fee is now $15/month for paper statements. That's way more than postage.

I'd almost prefer paper statements from a few of my accounts, but not enough to pay for it directly.

Comment by 3 hours ago

Comment by blackhaz 4 hours ago

Can somebody please tell Barclays their 3DS widget is never redirecting back to the seller when transaction has been approved on user's device?

In fact, the sheer amount of systems not working correctly in Britain is astonishing. Feels like the whole country is falling apart.

Comment by sd9 4 hours ago

Counterpoint: gov.uk is widely regarded as one of the best government websites in the world

Comment by nomel 37 minutes ago

I'm always curious how much these sorts of things costs each citizen, per year, from a more wholistic view?

Comment by treetalker 1 hour ago

Who has two thumbs and (1) will never open an HSBC account because of this and (2) will advise his legal clients to bank elsewhere?

Comment by fragmede 41 minutes ago

What do you tell your illegal clients them?

Comment by bennyp101 4 hours ago

I noticed this a couple of years ago too, I just ignored the letters, continued to receive the emails, and they stopped sending me letters about it /shrug

Comment by barbazoo 3 hours ago

> But it gets worse. Because HSBC are using http://, rather than https:// URLs for their tracking pixels, they’re also saying that every time you read an email from them, they’d like everybody on the same network as you to be able to know that you did so, too. If you’re at my house, on my WiFi, and you open an email from HSBC, not only might HSBC know about it, but I might know about it too.

> But we’re in the Darkest Timeline. Tracking pixels have become so endemic that HSBC have clearly come to the opinion that if they can’t track when I open their emails, I must not be receiving their emails. So they wrote me a letter to tell me that my emails have been “returned undelivered” (which seems to be an outright lie).

Comment by reaperducer 3 hours ago

Tracking pixels have become so endemic that HSBC have clearly come to the opinion that if they can’t track when I open their emails, I must not be receiving their emails. So they wrote me a letter to tell me that my emails have been “returned undelivered”

Tracking pixels are the key of thing that my computer filters out. So I wonder if this explains why I get paper statements for my Apple Card.

Each time one comes in the mail, it has a letter with it stating that Goldman Sachs was unable to contact me at the email address on file, which they show as my Apple ID email address. Which works fine for everyone else in the world, including Apple.

Comment by barbazoo 3 hours ago

The German bank I have an account with solves this by making the statements available online and considering them delivered if the statements were downloaded. I’m assuming this proper way is too expensive for some banks.

Comment by dpoloncsak 1 hour ago

Isn't this the exact reason we 'verify email address'?

What's the point of that entire handshake then?

Comment by mmmlinux 1 hour ago

Id be willing to bet the number of people who sign up for ebilling, then screw up their email address is huge. then those people blame the bank for not contacting them to tell them the issue.

yes, its not how email is supposed to work. but people can be really really stupid.

Comment by adastra22 2 hours ago

“We need to confirm you are receiving our emails, please click this link” is a phishing setup. That is absolutely not what they should do.

Comment by crabmusket 1 hour ago

Agreed. What would be a good way for a bank to do this? What about "reply to this email"?

Comment by WorldMaker 24 minutes ago

"Reply to this email" might not be a bad idea for some basic "making an explicit action" check.

Arguably if the question is mail delivery, email already has a complex system of delivery failure reporting. Just trust that, like email programs have been doing since email was invented? "No failure is a success," doesn't have an explicit acknowledgement action from a user, but it is still a meaningful criteria.

Comment by adastra22 1 hour ago

Send a verification code on login.

Comment by jrs235 1 hour ago

Using tracking pixels in emails is like using AI to generate solutions/code. It is not deterministic, is is only probabilistic.

Comment by hrimfaxi 3 hours ago

The same exact thing would happen to me with interactive brokers.

Comment by sparrish 4 hours ago

I've heard CapitalOne does the same thing... send paper mail saying their emails aren't being read.

Comment by bdangubic 54 minutes ago

> We need to check that you’re receiving our emails. Please click this link to confirm that you are

mate was on a toll till this. I mean after all that amazing write-up we gon be clicking links in emails??!

Comment by renewiltord 4 hours ago

Tracking pixels don’t even work with Gmail because Google fetches them out of band. It doesn’t reveal open rates.

Comment by gweinberg 4 hours ago

True, but HSBC thinks you read the email, because somebody fetched the tracking pixel, right? The irony is that HSBC and others who use this kind of thing probably aren't in the least interested in when or how many times you open the email. Whoever came up with this idea (probably) really did think it was (just) a pretty good way of figuring out if they have your correct email.

Comment by wrs 4 hours ago

They do work for the inferred purpose here though, assuming Gmail only downloads them when the email is successfully delivered to the mailbox (and thus the address is valid).

Comment by extraduder_ire 1 hour ago

IIRC, google limits their opening of remote images if they're unique per email or from less reputable sources.

They also send you an email back saying your email wasn't delivered after a few days or hours, so there's little benefit in using the tracking pixel to determine if an address exists.

Don't know if they fetch images from emails sent to non-existent addresses, but I would if I were to design such a system.

Comment by jldugger 3 hours ago

> Gmail because Google fetches them out of band. It doesn’t reveal open rates.

"Our open rates have skyrocketed! send more emails!"

Comment by CGMthrowaway 4 hours ago

Same with Apple Mail

Comment by Almondsetat 4 hours ago

I mean, they still work in some way. If you use tracking pixels to see if an email was read, I agree with you that this break the functionality. But if you just want to see if the email exists, then the fact that google fetches them (and triggers the parametric URL) still tells you something

Comment by bummy_commenter 4 hours ago

It would be better if google also fetched tracking pixels in emails sent to addresses that do not exist.

Comment by renewiltord 1 hour ago

So, why use a tracking pixel for that? Just send an email. e.g.

    $ head -n 100 /dev/random | md5sum
    a6cc1b7c09ccb122cb066c89e16b3140  -

And that yields an instantaneous error message https://i.imgur.com/twHhIU3.png that reads "Address not found. Your message to a6cc1b7c09ccb122cb066c89e16b3140@gmail.com was not delivered because the address could not be found".

Comment by philipwhiuk 4 hours ago

What do you mean by 'fetches them out of band'?

Comment by CGMthrowaway 4 hours ago

It downloads them and stores in serverside cache before you ever open the email

Comment by philipwhiuk 1 hour ago

That does mean the email address exists though which was what HSBC was questioning.

Comment by nkrisc 4 hours ago

Frankly the best outcome as it makes them useless.

Comment by johnea 1 hour ago

It seems the article and most of the comments here are nonsense.

The focus on http versus https in allowing surveillance of fetching the tracking pixel are all but completely irrelevant.

In any case, the domain name of the tracking pixel locations will be resolved through DNS, which is almost always unencrypted. So anyone on the LAN will see the DNS query, revealing the banking URL, in plain text.

The big issue here, which I couldn't find one comment regarding, is that the email client is interpreting HTML.

Use plain text email! Problem solved. At least use a "Simple HTML" or similar mode when viewing email. Where the HTML is rendered, but no links are followed.

Comment by almosthere 3 hours ago

This isn't going to get to someone at HSBC. Nothing will change.

  They hired another company to do it.
  The project has been over for 4 years.
  The man who determined the requirements no longer works at HSBC or the other company.
  The coder doesn't even know HSBC is using his code.

It's absolutely useless - humans going into the age of software. It's a death spiral of I don't know's for a hundred miles.

Comment by kkfx 3 hours ago

Banks have some of the worst IT in the world. Being purely manager-led, with developers completely subservient to the bean counters, the results are terrible.

This is one of the reasons why in 2019 they wrote about their own demise https://web.archive.org/web/20240213185758/https://www.cimb.... against fintech (which is only slightly less archaic) and how cryptos, I don't know which ones, but maybe some yet to be born, will eventually displace them because regardless of their dominant position, the level of poor service and archaic systems is not humanly/socially sustainable for much longer.

Their leadership is mentally incapable of changing. Unfortunately, I fear that most of the population isn't either.

Comment by MagicMoonlight 4 hours ago

Who still banks with HSBC when we have Monzo and Starling?

Comment by reaperducer 3 hours ago

Adults.

Comment by kylehotchkiss 3 hours ago

HSBC, truly the pinnacle of Great Banks. Surprised they haven't earned your breakup yet.

Comment by SilverElfin 4 hours ago

Some may treat these as an inconvenience or annoyance, but I think it’s a sign of rot. And it may run a lot deeper. Unfortunately I feel like most financial institutions have terrible websites and practices in general, so I don’t know if switching will let you avoid problems.

Comment by CGMthrowaway 4 hours ago

Email is not a core competency of banks. They are actually pretty good at snail mail though.

Comment by reaperducer 3 hours ago

An extra century or two of experience will do that!

Comment by barbazoo 3 hours ago

The rot goes deeper because for every story like this there were hundreds of people involved in making it happen. Some by choice, some less so but rot nontheless.

Comment by jmclnx 3 hours ago

>used to surreptitiously track when somebody reads an email

Not in my email client, mutt. I use Thunderbird once in a great while. For some reason I thought there was an option to stop that and I enabled it. Will need to check the next time I fire up Thunderbird.

Comment by Analemma_ 4 hours ago

> I have a credit card with HSBC: you know, the bank with virtue-signalling multiculturalism in their ads.

Was this opening sentence necessary? It is not germane at all to the rest of the article. Ironically, it is itself virtue-signalling (for some definition of virtue), just to a different audience.

Comment by CodesInChaos 3 hours ago

It doesn't even link to an ad, it links to a weird parody attempt of the ad on the same site as the article. Which makes little sense for people unfamiliar with the original ad it parodies.

Comment by enlightens 4 hours ago

I took the use of "virtue signalling" to be an intentional jab at HSBC given everything

https://en.wikipedia.org/wiki/HSBC#Controversies

Comment by Analemma_ 3 hours ago

If that's true it only makes the opening sentence worse: of all the things you could have accused HSBC of in your opener (laundering money for dictators and violent drug cartels, manipulating markets to fleece people out of billions, and on and on), you decided their most noteworthy sin was multicultural ads?

Comment by throwaway902984 4 hours ago

My first instinct was to close the article as I didn't want to read a Republican virtue signaling to his audience. I wonder if they were trying to sound Republican?

The article itself is a nice, well interesting, dive into the topic; kinda unfortunate.

Comment by 1over137 4 hours ago

"Republican"?! US defaultism strikes again. He's in the UK, and he states his pronouns here https://danq.me/about/ so doesn't sound very "Republican" to me.

Comment by extraduder_ire 1 hour ago

I didn't find anything from a short keyword search and a read through some of his other blogposts, but I would not be surprised if he were a republican in the "prefers a republic as a form of government" sense. (I'm one, and am very much not a fan of the US political party by that name)

Surprisingly neutral on topics regarding monarchy/monarchs, in favour of the AV referendum to get rid of plurality voting, and very annoyed at the electoral system for unilaterally changing his name on the voter rolls. (His surname is Q)

Comment by cosmicgadget 4 hours ago

On the other hand, Twitter is full of Republicans who are not from the US.

Comment by apublicfrog 3 hours ago

Funny, the tone sounded UK/Australian to me. Just be aware, beyond a surface level awareness there are very few people who know what a specific ideology in your country sounds like, or care enough to learn.

Comment by direwolf20 1 hour ago

I think this kind of virtue signalling has become known as "vice signalling".

Putting diverse races in an ad, while not doing anything else about diversity, is virtue signalling. Complaining there are other races in the ad is vice signalling.

Comment by dwedge 4 hours ago

> I didn't want to read a Republican virtue signaling to his audience. I wonder if they were trying to sound Republican?

It would be very surprising behaviour for a British guy living in the UK

Comment by 01HNNWZ0MV43FF 4 hours ago

I've seen this sentiment on the left. I think the author just phrased it a little oddly.

Sometimes called "pink capitalism" or "rainbow capitalism", where a company will show the rainbow pride flag for Pride Month, but not put any more substantial effort towards diversity, plurality, LGBTQ rights, etc.

I expect nothing from companies, and it's nice to see that virtue signal. If they're signalling, it means they think we haven't been exterminated yet. But I don't expect good works from anything for-profit. It's just business.

Edit: The author using the phrase "surveillance capitalism" is generally a left wing thing. I don't hear right-wingers rallying against capitalism (let's not even get into the weeds of defining "capitalism" the word) even when they happen to oppose surveillance

Comment by direwolf20 1 hour ago

I don't think anyone on the left would phrase it the way TFA did. It's very right–coded.

Comment by swiftcoder 3 hours ago

> just to a different audience

And apparently not targeted all that well, since half the comments here think it is a right-wing (anti-multiculturalism) sentiment, and the other half a left-wing (anti-corporate-reputation-laundering) sentiment.

Comment by arduanika 3 hours ago

Not only a distraction, but also fails to distinguish HSBC from pretty much any other bank, so the "the" comes off as crankish and aggrieved.

Comment by 2 hours ago

Comment by rjsw 3 hours ago

People used to bank with Barclays to register their support for Apartheid in South Africa.

Comment by 4 hours ago

Comment by bstsb 4 hours ago

precisely this. it sort of put me off an otherwise excellent article

Comment by JasonADrury 2 hours ago

[flagged]

Comment by koakuma-chan 3 hours ago

> I can understand your frustration, but if the bank has sent the letter, you will have to update the e-mail address.

That's why I fucking hate society. This is everywhere.

Comment by drdec 3 hours ago

I would have asked, "or what?"

Comment by crazygringo 3 hours ago

I don't see anything wrong with attempting this. A significant number of people mistype/change their e-mail address, and security messages from banks can be important, so anything that catches no-longer-working e-mail addresses is better for everyone involved. And I assume a very small proportion of people try to disable tracking pixels.

But this post is entirely speculation. The author has no evidence they're basing it on tracking pixels. They're literally just guessing.

And I'm dubious that tracking pixels would be a reliable enough signal to be worth it. Doesn't Gmail download images in advance anyways? Plus, I regularly filter predictable emails or just archive them directly from my inbox based on the subject line without opening.

I'd more likely assume they have an e-mail bounce detector that just has a bug in it.

Comment by jmholla 3 hours ago

> But this post is entirely speculation. The author has no evidence they're basing it on tracking pixels. They're literally just guessing.

They literally admit to this and go on to provide the evidence for their guess:

> I think I can place a solid guess about what went wrong here.

Comment by crazygringo 3 hours ago

I know they admit it. I'm just pointing it out, since many of the comments here seem to be taking it as truth.

And they don't provide any evidence. Not a single piece. Merely claiming it's a "solid guess" doesn't make it solid. It's based on nothing. Tracking pixels are extremely common, so there's nothing to suggest it's tied specifically to this. As opposed to, like I said, a buggy bounce detector.

Comment by stronglikedan 3 hours ago

> I don't see anything wrong with attempting this.

I do, when the result of that attempt is to tell people to change their email addresses unnecessarily. Most people will fall for that.

Comment by crazygringo 3 hours ago

I think most people will just think it's weird and ignore it?

The wording could obviously be better, it should use softer language with a note that if you're sure the email is correct then you can ignore the letter.

But the general concept of trying to detect unused email addresses seems valid.