this email is being tracked

Every industry has practices that burst into flames on contact with the public. Things which are accepted, and not even doubted, within the field, but which, if enough normal people pay enough attention to them, are indefensible.

Journalism, of course, is full of this. From the practice of "door knocking" relatives of murder victims, to the ease with which too many stories are simply cut-and-paste from a press release, it's not a sector which copes with detailed scrutiny from outside.

But journalism isn't unique. A couple of years ago, I reported on Apple contractors who listened to users through Siri. People were caught having sex, buying drugs, or undergoing medical consultations, and had no idea that strangers were listening to them. The report caused an uproar, and Apple paused the programme before relaunching it months later with significant alterations.

And yet, when I first wrote about it, the company insisted that it wasn't a story at all. I think they were sincere: they thought it was obvious that that was what they did, they knew that it was the same behaviour as all their competitors, and in fact, they were proud that on some measures – such as whether or not the contractors were able to easily tell whose phone they were listening to – they were better than the competition.

But they made the mistake of only ranking themselves according to the bubble of their industry, and not pausing to think about whether the wider world thought the same way. When the wider world wasintroduced to the eavesdropping, it turns out they did not in fact feel like they had given consent, and Apple – and Facebook, Microsoft, Google and Amazon, all of whom were exposed at about the same time for similar practices – had to scramble to fix things.

So let's talk about Substack.

The service occupies an odd niche. It's a free, simple-to-use newsletter provider, aimed at ensuring that people like me, who want a platform that makes sending a newsletter barely more complex than sending a tweet, can readily sign up and get working.

But it's also built to let people like me build those half-assed emails into a bona fide media business. Substack has tools for multi-author newsletters, for accepting payments and sending subscriber-only missives, for gifting subscriptions and for adding a podcast, or for moving the entire thing over to a custom domain name. 

I've obviously used none of those, but they're there for me if I wanted to use them. Also there for me are things I absolutely don't want to use, because I think they're borderline unethical. I can, for instance, add to my newsletter a number of tracking pixels, from Facebook, Twitter, Google Analytics, and so on.

Tracking pixels, for those who don't know, are a common way of tracking people across email and the web. You send each email subscriber an email which is identical in every way except for one picture: a single-pixel transparent image, which is loaded directly from your servers. That pixel is technically different for each email, and so when you see someone loading it up, you know exactly who they are, what their IP address is, and when they clicked to open the email.

That way, if I paid for adverts on Facebook telling you to sign up for my newsletter, I'd be able to see how people actually did. I'd even be able to buy a "lookalike audience", advertising my newsletter to people with demographic profiles similar to those of my actual newsletter readers.

Facebook would do that, of course, by using the pixel to track not only readers who sign up through the advert I place, but every reader of my email, and connect those readers to their Facebook accounts. Technically you have given permission for this; I think you may even be able to withdraw consent without deleting your Facebook account, though it's not easy. 

But I do not track you with the Facebook pixel.

I don't need to.

As well as the commercial tracking options, Substack comes with a bunch of in-house features. I can obviously see how many subscribers I have (1,088, thank you everyone!). I can also see all of those subscribers' email addresses. I can also see, for each individual subscriber, how many emails they have been sent, how many they have opened – using a tracking pixel similar in principle to Facebook's – and how many links they have clicked on. I am shown this in granular detail, from the tech journalist who signed up last year but only opens emails that are about video games, to the academic who has opened last week's email six times so far.

I have similar analytics on the Substack landing page itself. I can tell that half of my visitors just come to the site directly – or, more likely, from an email client that doesn't track referrals – but almost as many come from Twitter. I can see that my Guardian predecessor Charles Arthur's blog and Matt Round's Vole site continue to refer people to me, showing the value of a good old-fashioned link.

I also have a lot of power over the running of my newsletter. I can turn on, or off, the practice of double-opt-in, requiring people to confirm that they were the one who signed up for my emails. I can add people to my mailing list at will, and remove them as well. I can even export the entire list as a CSV, and save it on my personal computer to do whatever I will with. 

That last "can" is a description of the technology available to me. There's another "can" to look for here, which is the legal limits. Operating in the UK, under the data protection act, there are plenty of things I am technically able to do from which I am nonetheless legally barred. I cannot legally sell that mailing list to purveyors of dick pills and pornography. I cannot legally re-add a user who has repeatedly attempted to unsubscribe from my wonderful prose. I cannot legally take that mailing list and just begin sending emails from my personal mail client with you all cc'd in.

But I'm sort of… not comfortable with this state of affairs. I'm all for having the power available to those who want it, but I'm somewhat less in favour of handing me, A Bloke Who Just Wants To Write A Blog, responsibility as a data controller and the ability to commit crimes against data protection. And I want to be up front with my readers, too: I have no interest in scanning through my read receipts to make sure that people are actually opening my emails, but I feel it's important to flag that, well, I could.

I don't think this is up there with Apple's Siri snooping. But it's still something I want to be open about, and ideally something I want to pressure Substack to change. I have no desire to see how many people have opened my email, nor track which links they click on (in fact, I'm far more concerned with making sure the links in my emails continue to work even if Substack goes bust, which is currently not the case thanks to the tracking apparatus). I don't want the hassle of registering with the ICO as a data controller to continue to send a blog post out every week, and certainly don't want the hassle of a stiff fine from the ICO for not registering as a data controller. 

(Imagine! Five percent of the annual turnover of The World Is Yours*! It would bring our profit to zero!)

The commercial economy might rely on data, tracking and surveillance – though I still think it could do just fine without it – but the email newsletter boom shouldn't.