Avatar/Gravatar privacy issue

As revealed by network monitoring, emClient sends HTTP requests to a sender’s domain in order to get some icon to display as the sender’s avatar (/favicon.ico, /apple-touch-icon.png, /apple-touch-icon-precompressed.png, among others). From my point of view this behaviour clearly violates the user’s (my!) privacy because this can easily be used to track the reading of emails (and worse). We can turn off the loading of images embedded in emails, but how do we turn off this wild search for pictures on the internet!?

I do not want my email client to load ANYTHING from ANYWHERE until I explicitly tell it to.

Best regards,

Hello Manual,
Users’ privacy is very important for us. We believe that the privacy risk because of this feature is very small. The images that are included in e-mail messages are quite a different beast. In this scenario the sender (or spammer) can easily detect that you opened a particular e-mail by including a specific image; when it is requested, the information is easily captured. For Favicon this would be really hard to do, because there is just one favicon on the website, thus it would be quite hard to identify anyone.
However, you can completely disable this feature in Settings->Contacts->Avatars->Download avatars from external sources.

Hello Michael,
Thank you very much for pointing me in the right direction. I didn’t see this checkbox before. :(
I agree with your view of this feature being a small risk compared to images embedded inside emails. But I didn’t feel that comfortable knowing that emClient sends requests to arbitrary servers - identifying itself (correct but chatty) as “eM Client/7.1.30794.0” in the user-agent field. IMHO, the avatar-favicon-lookup feature should be disabled by default. At least for e-mail messages within the junk folder - emClient should not provide the spammers with ANY information. Especially no records containing our IP and email client id string - this is precisely what emClient does.
Thank you again and best regards,

Concerning ‘privacy’, I notice that when I view an email in my inbox, the images aren’t downloaded until I give permission - which is good - BUT when I then move those messages to the Junk Mail folder, it then displays all the images! This is BAD. This completely negates the value of having not downloaded the images when in the inbox, and is even worse, because these are specifically senders that I don’t wish to reveal any information to, hence why they are being placed in the Junk mail folder. So why does emClient ignore the security risk of downloading images when it is in Junk Mail, but apply it when in Inbox? Seems like a gaping security hole to me!
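
One way to confirm from the network side whether the avatar lookups discussed in this thread still happen after the setting is changed, as an added example that is not part of the original posts. It assumes a forward-proxy access log in combined format; the log lines and host names are constructed, while the user-agent prefix and the icon paths come from the posts above (the posts say there are others, which this pattern does not cover).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: forward-proxy access log, combined format (assumed layout).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2018:09:14:02 +0000] "GET http://newsletter.example/favicon.ico HTTP/1.1" 200 1150 "-" "eM Client/7.1.30794.0"
192.0.2.10 - - [12/Mar/2018:09:14:02 +0000] "GET http://newsletter.example/apple-touch-icon.png HTTP/1.1" 404 0 "-" "eM Client/7.1.30794.0"
192.0.2.10 - - [12/Mar/2018:09:14:05 +0000] "GET http://newsletter.example/favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.10 - - [12/Mar/2018:09:15:40 +0000] "GET http://junk-sender.example/FAVICON.ICO?x=1 HTTP/1.1" 200 318 "-" "eM Client/7.1.30794.0"
192.0.2.10 - - [12/Mar/2018:09:16:11 +0000] "GET http://updates.example/version.xml HTTP/1.1" 200 512 "-" "eM Client/7.1.30794.0"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Icon paths named in the thread: /favicon.ico and the /apple-touch-icon*.png family.
ICON_RE = re.compile(r"^/(favicon\.ico|apple-touch-icon[^/]*\.png)$", re.IGNORECASE)
UA_PREFIX = "eM Client/"  # user-agent prefix quoted in the thread


def find_avatar_lookups(log_text):
    """Return {host: [(timestamp, path, user_agent), ...]} for icon fetches by the mail client."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        if not m["ua"].startswith(UA_PREFIX):
            continue  # a browser fetching the same icon is not the mail client
        url = urlsplit(m["url"])
        # Match on the path only, so query strings and letter case do not hide a lookup.
        if url.hostname and ICON_RE.match(url.path):
            hits[url.hostname].append((m["ts"], url.path, m["ua"]))
    return dict(hits)


if __name__ == "__main__":
    for host, requests in sorted(find_avatar_lookups(SAMPLE_LOG).items()):
        print(f"{host}: {len(requests)} avatar lookup(s)")
        for ts, path, ua in requests:
            print(f"  {ts}  {path}  {ua}")
```

An empty result over a log window recorded after unchecking "Download avatars from external sources" indicates the lookups have stopped.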