Why is Backblaze tracking me?

This is a follow-up to my previous post: hey.com is onto something with its tracking-pixel blocker. I mentioned contacting Backblaze about their email tracking there.

I didn’t think too much of it at the time, and honestly (or naively?) was expecting some kind of a “Oh, yes, you’re right, there’s no need to track those emails”… But it didn’t unfold in quite the same way.

TL;DR

This is my own interpretation, obviously. Backblaze seems to think that tracking emails is totally fine, even under the GDPR. They’re not going to stop doing it until further notice.

Blow-by-blow details

Rather than describing the conversation, I think for the sake of transparency it’s easier to just quote the entire thread. So here goes, in chronological order… I removed names and identifying details to protect the privacy of the people involved, but the text was otherwise left exactly as-is. Some of the interaction is fairly mundane, but you can skip to the end to see how it was resolved (or rather, not resolved).

Initial conversations with Backblaze support

Jun 20, 2020

Hi Backblaze,

I started forwarding my emails to hey.com and they spotted the use of tracking pixels on your emails. I (and I believe many other customers, especially in Europe) would appreciate not being tracked without explicit consent (and I didn’t give such consent).

Respectfully,
Yoav

Jun 21, 2020

Hello, 

Thank you for writing in. We do use Sendgrid to send system emails, and only collect if an email was delivered, opened, and how many times it was opened. We do not gather other information beyond that. 

Please note that the terms can be found when you click on the link below and by using the service agree to our terms:
– http://www.backblaze.com/terms.html

All the best,
A.
Support Technician

Jun 21, 2020

Hi A.,

Thanks for getting back to me. Your terms page doesn’t actually say anything about tracking my email opens etc. Or at least I couldn’t find anything.

Regardless, I don’t believe this is permissible without explicit consent under the GDPR. I also don’t quite understand why you would even want to track those alert emails?

Sincerely,
Yoav

Jun 22, 2020

Hello, 

Email open timestamps cannot be used to identify a person, and do not apply as Personally Identifiable Information.
– https://help.backblaze.com/hc/en-us/articles/360004156834-What-is-Personal-Data-

All the best,
A.
Support Technician

Jun 22, 2020

Hi A.,

Perhaps the timestamps on their own aren’t considered personal data, but combined with my email address, IP, browser info etc, I’m pretty sure falls under personal data as defined by the GDPR. According to two articles I was able to find, this kind of tracking isn’t permissible by GDPR and the e-Privacy directive without explicit consent, which was not requested, nor given by me.

https://www.lexology.com/library/detail.aspx?g=ac233fd4-cd49-45a7-9494-6085512c0312
https://www.pipedrive.com/en/blog/gdpr-email-tracking

The links you provided so far do not appear to address this issue. Would appreciate if you could look into this more seriously.

Sincerely,
Yoav

Jun 23, 2020

Hello Yoav,

I asked my Compliance organization to review your concerns. They noted that much of the literature around this topic deals with Marketing Emails, which you can opt-out of at any time.  

For Service Emails, which the message in question is, the rules are less clear and they will contact our GDPR attorney in the EU for clarification. That said, I believe you have four choices:
1) You may alter the settings on your email system to receive such emails as text, this will remove all tracking,
2) You can discontinue using the Backblaze service and delete your Backblaze account if you remain an active customer we will continue to send you Service emails per our Terms,
3) You can wait to see what our GDPR attorney says, or
4) You may file a complaint with the GDPR authorities in your jurisdiction.

All the best,
A.
Support Technician

Jun 23, 2020

Hi A.,

Happy to wait and hear from your GDPR attorneys.

I agree that most resources talk about marketing emails, because those are the most prevalent and most common use-case of B2C and B2B emails these days. Transactional emails are generally considered legitimate use, and in this case, I explicitly asked for those emails. So there’s no question there about *sending* these emails. As far as *tracking* how I interacted with the email, as well as further personal data like IP address, device/browser info etc (that this type of tracking typically involves), and storing this info on Sendgrid’s servers, I’m pretty confident that this isn’t considered legitimate without informed and explicit consent under the GDPR and the ePrivacy directives. hey.com seem also quite confident that this is illegal (although I don’t take legal advice from them).

But besides that, I’m just curious to understand why Backblaze even cares to track those emails? what insights do you gain from knowing that X% of those emails were opened? (especially given that those stats are hugely inaccurate and some email clients block them anyway?). Wouldn’t it be easier to do the right thing here, respect your customers privacy, and stop tracking those emails? (or if you do gain important insights, explicitly and clearly ask for consent?)

Sincerely,
Yoav

p.s. I also believe the same rules apply to tracking of marketing emails, even if someone explicitly gives consent to *receive* those, it does not automatically mean that they give consent to being tracked, and the privacy implications of such tracking.

Jun 24, 2020

Hello, 

I have referred the matter to the legal department and will need to close this ticket. Any further communication will come from legal@backblaze.com.

All the best,
A.
Support Technician

A month passes…

I was losing my patience, so I sent another message to Backblaze.

Jul 25, 2020

This is a follow-up to your previous request #ZZZZZZZ “email tracking”

Hi A.,

It’s been a month now, and I still haven’t heard back. Would appreciate if someone can get back to me on this.

Sincerely,
Yoav

Jul 25, 2020

Hi Yoav,

Thank you for reaching out regarding this issue. Apologies for any delay. I’m sorry to say but further communication will need to go through legal@backblaze.com.

Please reach out to that email for additional information.
M.
Support Technician

Jul 26, 2020

Hi M.,

Yes, but it’s been a month, and I believe that under GDPR I can typically expect an answer within a month? see https://ico.org.uk/your-data-matters/time-limits-for-responding-to-data-protection-rights-requests/

Looking forward to hearing back from whichever team/person that can handle my enquiry.

Sincerely,
Yoav

Legal department steps in

Jul 31, 2020

Hi Yoav,

Thank you for following up on this matter. We take data privacy matters very seriously at Backblaze, Inc. We have reviewed your concerns and understand your sensitivity regarding the use of tracking technology on emails. In this particular case, we believe there is an exception allowed for doing so for a valid business purpose. There are two reasons we believe this is necessary.

The first reason is to accurately measure the reach and usefulness of our service email messages to our customers. Service emails communicate important information to the customer and if they are not being received or opened, valuable information is being missed. For example, the customer’s data we are storing could be at risk of being deleted, or their account could be in peril of being compromised. We use the tracking technology to provide an aggregated measure of this information versus using more invasive technologies such as user surveys or onscreen popups. Over the years we have sent many service emails and we have a full understanding as to the delivery and open rates of our service emails. As such, any anomalies are easily detected and can be acted upon to improve how well we communicate with our customers.

The second reason is for forensic purposes to respond to questions from customers and defend ourselves as needed. For example, we send multiple service emails to a customer whose subscription is expiring, as once it does expire, we will close their account and delete the data we are storing for them. From time-to-time an ex-customer will want their data and claim we did not notify them that their account was expiring. The tracking technology allows us to show what messages we have sent and what messages the customer received and opened. While not perfect, it has helped us defend ourselves in the past. There is no reasonable replacement for using the tracking technology in such cases. By the way, the same technology also allows us to prove the customer right in many cases, so it delivers value and protects both us and the customer at the same time.

Thank you for being a valued customer.

Best regards,
T.
Legal Department

Aug 1, 2020

Hi T.,

Thanks for getting back to me and explaining your reasoning in detail.

I have to admit, it sounds a bit like a husband spying on their wife “because they love her” to some extent. I don’t feel like these are valid reasons for blanket tracking of ALL emails across all customers, which seems to be the case at Backblaze. As far as I can tell, all Backblaze emails are tracking me and all other customers, from newsletters, across minor service notifications all the way to billing and other messages. Not all messages are the same, but they are all tracked in the same way as far as I can tell. Furthermore, not only there is no informed consent for this tracking, there’s actually no opt-out mechanism either. As a customer, I cannot tell you that I want your service emails, but I don’t want them tracking me. I don’t believe this meets the spirit nor the letter of the GDPR.

The first example does not at all sound like a legitimate reason to me, and I doubt the data protection authorities will accept it as legitimate either. Especially when it applies to all emails, including minor notifications, newsletters and other marketing materials. What you’re describing is that you’re compromising the privacy of your customers for your own internal reasons for marketing purposes. And as I mentioned before, with no informed consent, nor opt-out options. But besides that, given that email open tracking is unreliable at best (some email clients will block those tracking pixels), then the data you get is already statistically biased and heavily skewed. If you’re looking at anomalies and aggregate data anyway, why don’t you ask for permission to do so from your customers? Using link tracking in aggregate without personal data being exposed, or get data from customers that are not covered by the GDPR? Delivery rates are easily measured at the SMTP level, and this is the most reliable measure anyway.

The second reason sounds a little bit more plausible, but even then, applying it indiscriminately to ALL emails and all customers, without informed consent, and without an option to opt-out sounds far reaching. How does this argument apply to the latest newsletter that Backblaze sent for example? or even to the notification email that triggered my initial contact to Backblaze? Still, it feels more like the “wife-spying husband” to me, rather than someone who legitimately cares for their customers. As I mentioned before, you can show that the message was delivered to the destination mail server via SMTP, and this is sufficient proof that you did notify the customer. Compromising the privacy of all your customers, across all emails for this specific purpose is overreaching in my opinion, and therefore is not a legitimate reason for uninformed, non-optional email tracking.

And one final note regarding your claim that “There is no reasonable replacement for using the tracking technology in such cases.” … I’m pretty sure there are legally-recognizable ways to confirm receipt of a notification without invading their privacy silently and covertly. Recorded-delivery postal mail, a phone call to the customer, or seeking explicit confirmation for certain actions (for example, when signing up to Backblaze you send an email with a unique confirmation link, you can use the same technology there in those cases).

I hope you can re-consider your email tracking policies and refine and limit them, ask for informed consent for tracking, and give the option to opt-out.

Sincerely,
Yoav

Aug 3, 2020

Hi Yoav,

Thank you for your reply and we appreciate your comments.  We have discussed these matters internally, as well as externally with specialized EU privacy counsel.  While we do not anticipate making any changes at this time, we regularly review our data privacy policies and will revisit your input and other developments as part of our future reviews. 

Best regards,
T.
Backblaze Legal Department

Aug 3, 2020

Hi T.,

I appreciate the update, but find your position very strange, I have to say.

I will also discuss this with the privacy lawyers at noyb.eu and will then consider whether to file a GDPR complaint. I like Backblaze and appreciate what you’re doing as a company, but I do not feel that indiscriminate tracking of all emails going out to me (and all other customers) is reasonable. Especially after I explicitly voice my concerns over this tracking, yet I’m not given an option to opt-out of it.

Sincerely,
Yoav

What can we do?

Backblaze is actually one of the better companies out there. I truly like what they’re doing and respect them. In a way, this respect made me even more disappointed. I was hoping that a company like Backblaze would know better. They’re not like all the other sleazy companies out there that profit off your data… But if even Backblaze is using tracking without blinking an eye, then I’m pretty pessimistic about what else is happening out there.

So sure, I can block those tracking pixels pretty easily, but it still doesn’t make it right in my opinion. I hope more individuals and companies wake up to the fact that this kind of tracking isn’t ethical, let alone legal.
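As an added illustration (not part of the original post, and not Backblaze's or SendGrid's code), here is a Python sketch that audits a message for the kind of open-tracking pixel discussed above and checks for the text/plain alternative that support's option 1 relies on. The sample message, its domains and the tiny-or-hidden-image heuristic are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message; domains and token are placeholders.
SAMPLE_EML = """\
From: alerts@service.example
Subject: Backup alert
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your backup has not completed in 14 days.
--b1
Content-Type: text/html; charset="utf-8"

<p>Your backup has not completed in 14 days.</p>
<img src="https://static.service.example/logo.png" width="120" height="40">
<img src="https://track.service.example/open?id=CONSTRUCTED" width="1" height="1">
--b1--
"""

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def is_probable_pixel(img):
    """Heuristic (assumption): a remote image that is 0/1 px or hidden by CSS."""
    if not (img.get("src") or "").lower().startswith(("http://", "https://")):
        return False  # cid: and data: images trigger no network request
    size = [(img.get(k) or "").lower().replace("px", "").strip() for k in ("width", "height")]
    style = (img.get("style") or "").replace(" ", "").lower()
    return any(s in ("0", "1") for s in size) or "display:none" in style

def audit(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",))
    collector = ImgCollector()
    if html is not None:
        collector.feed(html.get_content())
    remote = [i["src"] for i in collector.images
              if (i.get("src") or "").lower().startswith(("http://", "https://"))]
    pixels = [i["src"] for i in collector.images if is_probable_pixel(i)]
    # A text/plain alternative renders without fetching anything remote.
    return {"remote_images": remote, "pixels": pixels,
            "has_plain": msg.get_body(preferencelist=("plain",)) is not None}
```

Every entry in `remote_images` is a request the mail client makes when it renders the HTML part, so blocking remote images by default covers the pixel and any larger tracked image alike.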

One reply on “Why is Backblaze tracking me?”

It is legal, these panic-induced posts by someone who is not a lawyer make me immediately negatively biased against anything else on your site or this article…
