That's not how email works

2026-01-2818:12325180danq.me

A confusing letter from HSBC informed me that I've not been receiving their emails, and I have to change the email address they use to contact me. Except I've been receiving all of their emails just…

Show article

I have a credit card with HSBC¹: you know, the bank with virtue-signalling multiculturalism in their ads.

Not long ago I received a letter from them telling me that emails to me were being “returned undelivered” and they needed me to update the email address on my account.

“What’s happening?”

I logged into my account, per the instructions in the letter, and discovered my correct email address already right there, much to my… lack of surprise².

So I kicked off a live chat via their app, with an agent called Ankitha. Over the course of a drawn-out hour-long conversation, they repeatedly told to tell me how to update my email address (which was never my question). Eventually, when they understood that my email address was already correct, then they concluded the call, saying (emphasis mine):

I can understand your frustration, but if the bank has sent the letter, you will have to update the e-mail address.

This is the point at which a normal person would probably just change the email address in their online banking to a “spare” email address.

But aside from the fact that I’d rather not³, by this point I’d caught the scent of a deeper underlying issue. After all, didn’t I have a conversation a little like this one but with a different bank, about four years ago?

So I called Customer Services directly⁴, who told me that if my email address is already correct then I can ignore their letter.

I suggested that perhaps their letter template might need updating so it doesn’t say “action required” if action is not required. Or that perhaps what they mean to say is “action required: check your email address is correct”.

Edited version of the letter, now saying 'What's happening? We need to ensure that the email address we're using for you is correct' and 'Action required: Please check that you've been receiving our emails and that the address in your account is correct'. — Say what you mean, HSBC! I’ve suggested an improvement to your letter template.

So anyway, apparently everything’s fine… although I reserved final judgement until I’d seen that they were still sending me emails!

“Action required”

I think I can place a solid guess about what went wrong here. But it makes me feel like we’re living in the Darkest Timeline.

Scene from Community episode 'Remedial Chaos Theory'. Pierce lies injured on the floor, tended to by Annie and Abed, while Jeff swings a flaming blanket around his head. Troy stands in shock at the door, holding a pile of pizza boxes. — You know the one I mean. Somebody rolled a ‘1’, didn’t they…

I dissected HSBC’s latest email to me: it was of the “your latest statement is available” variety. Deep within the email, down at the bottom, is this code:

<img src="http://www.email1.hsbc.co.uk:8080/Tm90IHRoZSByZWFsIEhTQkMgcGF5bG9hZA==" width="1" height="1" alt=""> <img src="http://www.email1.hsbc.co.uk:8080/QWxzbyBub3QgcmVhbCBIU0JDIHBheWxvYWQ=" width="1" height="1" alt="">

What you’re seeing are two tracking pixels: tiny 1×1 pixel images, usually transparent or white-on-white to make them even-more invisible, used to surreptitiously track when somebody reads an email. When you open an email from HSBC – potentially every time you open an email from them – your email client connects to those web addresses to get the necessary images. The code at the end of each identifies the email they were contained within, which in turn can be linked back to the recipient.

You know how invasive a read-receipt feels? Tracking pixels are like those… but turned up to eleven. While a read-receipt only says “the recipient read this email” (usually only after the recipient gives consent for it to do so), a tracking pixel can often track when and how often you refer to an email⁵.

If I re-read a year-old email from HSBC, they’re saying that they want to know about it.

But it gets worse. Because HSBC are using http://, rather than https:// URLs for their tracking pixels, they’re also saying that every time you read an email from them, they’d like everybody on the same network as you to be able to know that you did so, too. If you’re at my house, on my WiFi, and you open an email from HSBC, not only might HSBC know about it, but I might know about it too.

An easily-avoidable security failure there, HSBC… which isn’t the kind of thing one hopes to hear about a bank!

Zoom-in animation showing two tracking pixels at the bottom of an email, rendered visible in red and blue. — Tracking pixels are usually invisible, so I turned these ones visible so you can see where they hide.

But… tracking pixels don’t actually work. At least, they doesn’t work on me. Like many privacy-conscious individuals, my devices are configured to block tracking pixels (and a variety of other instruments of surveillance capitalism) right out of the gate.

This means that even though I do read most of the non-spam email that lands in my Inbox, the sender doesn’t get to know that I did so unless I choose to tell them. This is the way that email was designed to work, and is the only way that a sender can be confident that it will work.

But we’re in the Darkest Timeline. Tracking pixels have become so endemic that HSBC have clearly come to the opinion that if they can’t track when I open their emails, I must not be receiving their emails. So they wrote me a letter to tell me that my emails have been “returned undelivered” (which seems to be an outright lie).

Surveillance capitalism has become so ubiquitous that it’s become transparent. Transparent like the invisible spies at the bottom of your bank’s emails.

The letter from HSBC again, but this time corrected to say 'We cannot conceive that there's anybody left who hasn't given up on trying to fight back against surveillance capitalism. Action required: turn off your privacy software so we can watch you read our emails. (We'll be letting anybody you live with read them too.) — I’ve changed my mind. Maybe *this* is what HSBC’s letter should have said.

So in summary, with only a little speculation:

Surveillance capitalism became widespread enough that HSBC came to assume that tracking pixels have bulletproof reliability.
HSBC started using tracking pixels them to check whether emails are being received (even though that’s not what they do when they are reliable, which they’re not).
- (Oh, and their tracking pixels are badly-implemented, if they worked they’d “leak” data to other people on my network⁶.)
Eventually, HSBC assumed their tracking was bulletproof. Because HSBC couldn’t track how often, when, and where I was reading their emails… they posted me a letter to tell me I needed to change my email address.

What do I think HSBC should do?

Instead of sending me a misleading letter about undelivered emails, perhaps a better approach for HSBC could be:

At an absolute minimum, stop using unencrypted connections for tracking pixels. I do not want to open a bank email on a cafe’s public WiFi and have everybody in the cafe potentially know who I bank with… and that I just opened an email from them! I certainly don’t want attackers injecting content into the bottom of legitimate emails.
Stop assuming that if somebody blocks your attempts to spy on them via your emails, it means they’re not getting your emails. It doesn’t mean that. It’s never meant that. There are all kinds of reasons that your tracking pixels might not work, and they’re not even all privacy-related reasons!
Or, better yet: just stop trying to surveil your customers’ email habits in the first place? You already sit on a wealth of personal and financial information which you can, and probably do, data-mine for your own benefit. Can you at least try to pay lip service to your own published principles on the ethical use of data and, if I may quote them, “use only that data which is appropriate for the purpose” and “embed privacy considerations into design and approval processes”.
If you need to check that an email address is valid, do that, not an unreliable proxy for it. Instead of this letter, you could have sent an email that said “We need to check that you’re receiving our emails. Please click this link to confirm that you are.” This not only achieves informed consent for your tracking, but it can be more-secure too because you can authenticate the user during the process.

Also, to quote your own principles once more: when you make a mistake like assuming your spying is a flawless way to detect the validity of email addresses, perhaps you should “be transparent with our customers and other stakeholders about how we use their data”.

Wouldn’t that be better than writing to a customer to say that their emails are being returned undelivered (when they’re not)… and then having your staff tell them that having received such an email they have no choice but to change the email address they use (which is then disputed by your other staff)?

</rant>

Read the original article

Comments

By 63stack 2026-01-2819:029 reply

So what do you think, what's happening here?

My experience with IT in banks is that this entire "feature" of tracking who's opening/not opening emails must have went through about 50 people, and it must have taken at least a year from the idea forming in someone's head, going through all the administrative bureaucracy, getting approved, developed, tested, and rolled out.

Is it that HSBC has 0 competent people who could have mentioned that "tracking pixels are unreliable, especially in 2025/26"? Or is it that everybody who mentioned this was overruled by middle/upper management because they know better? What about the http:// part? I imagine there must have been a few developers saying we should not be serving anything under http://.

By malfist 2026-01-2819:383 reply

I ran a team at FAANG where I supported people creating content, including emails, and no matter how many times I explained open tracking was only useful as a trend and not an individual evaluation it just went over people's heads.

Senior leadership wouldn't believe me, kept harassing my team to explain why so and so who said they opened the email didn't have an open event, and why so and so who said they didn't open the email did have an open event.

Authors wouldn't believe me because email open was the highest scoring metric they had. Less than 3% of recipients would land on the page for the publication, but >50% would "open" the email that has a teaser and a call to action to open the webpage. If they had to go off of the click through metrics which are accurate it'd make it sound like they were bad at their job.

So everyone used open rates because it made them feel good. Either that they were writing engaging content, or made them feel like they actually had a handle on who was/was not reading their mail.

No metric would have been better than this metric.

By yobbo 2026-01-290:32

Email-marketing tools present these numbers as if they were ground truth.

Arguing with non-tech users means you are challenging the legitimacy of their tool, and they typically can't let go of faith in the tool. It's like Trueman trying to convince the actors that everything is somehow fake. There's no "script" for that.

By estimator7292 2026-01-2822:22

At the last startup I worked at, CEO grabbed me just happening to pass by his office to proudly show me how many people at Apple had "opened" his newsletter.

I explained what that number actually means and watched his eyes totally glaze over. Doesn't matter. The "Apple number" was greater than zero so clearly he was successful at his job. (Entirely unrelated, he now has one employee and zero customers)

By jrs235 2026-01-2821:35

>why so and so who said they didn't open the email did have an open event

This was one of the first known issues when Gmail and others began checking and preloading images/content in emails. It was "triggering" that events/requests to tracking pixels. Eventually folks learned and knew to check the user agent to determine if it was just the mail provider preloading/checking the email content.

By stackskipton 2026-01-2819:431 reply

They might have competent people but most tech people working at a bank like are out of fucks to give.

At these massive, unable to go bankrupt companies, you quickly lose all fucks to give. No one cares about opinion of ICs or even direct managers, Senior Management makes the calls and you either execute quietly or replaced with someone who is. When I worked for $MegaUSBank, there was two types of people. Those who realized their "spark" was draining out of them and got a new job after a few years and those who were just "Whatever, I push buttons and get paycheck." and had been there for 15 years.

By pavel_lishin 2026-01-2820:281 reply

This isn't exclusive to megabanks, either.

By stackskipton 2026-01-2820:41

Sure, any large enterprise where they have massive moats so actual work product rarely matters.

By brendoelfrendo 2026-01-2822:37

My take: someone wanted a technical solution for what is a people/process problem. A hypothetical version of events, just one of many possible scenarios of course: 1) Important communications required by law and/or regulation are sent by email. 2) Contacting customers via email is sometimes unreliable. It is unreliable enough that problems caused by missed emails caused enough pain in some exec's silo that they demanded a solution. 3) "Make sure people read their email" isn't really an actionable demand. The business knows this, so they turned to IT. 4) "Make sure people read their email" isn't really technically feasible either, but at this point it's not about making sure that the customer got the message: it's about making sure that the company is covered if a customer complains about missing communications. 5) To that end, a variety of technical solutions are proposed, and everyone knows that they're all bad or incomplete. The tracking pixel is chosen because it's at the intersection of "least bad" and "lowest effort to implement." 6) Around now, someone probably pointed out the issue with serving the content over http, but changing that requires buy-in from another team. It'll go to their product manager as an inject and maybe get prioritized for next PI (it won't, something more important will come up between now and then). 7) The tracking pixel ships. The team that implemented it stresses that this is an incomplete solution and the business really needs to re-evaluate their processes around customer communications. 8) The email tracking pixel solution gets a bullet point on a slide in a presentation given to managers 3-5 levels higher than the devs who made it. No one mentions that the solution is incomplete and requires additional work and investment. No one ever thinks of it again.

By dwedge 2026-01-2819:132 reply

At least they email him and don't send the stupid "you have an important message, login to see it" email. No idea what those important messages are, I'm sure sometimes they were important

By jandrese 2026-01-2819:471 reply

CRITICAL MESSAGE -- READ IMMEDIATELY

The automatic payment you set up has processed successfully.

By nrds 2026-01-2820:02

And if the automatic payment doesn't go through, well, then there's nothing to report on so no email generated.

By dmd 2026-01-2819:23

"hello we are your bank"

By wat10000 2026-01-2820:171 reply

I'd guess one of two things. One is a conversation that goes like:

"I want to send letters to everyone who doesn't open our emails."

"We can't really detect that. We could add a tracking pixel, but–"

"Yeah, do that, the tracking pickle thing."

The other is that the "did they open this?" feature was rolled out purely for metrics knowing that it's imprecise, and later on got repurposed for something unsuitable without looking at how the "did this email get opened?" facility actually worked.

By rkomorn 2026-01-2820:211 reply

I would definitely open my mail if it came with a tracking pickle.

By efreak 2026-01-2920:16

Rejected. You send me a pickle, I'll send it back. If your antivirus doesn't like pickles and wants safetensors, I'll return that email as well.

(Physical mail with a pickle will also be returned to sender. I don't like pickles)

By m463 2026-01-2820:14

I think of the term "state of the practice"

Same thing happens with renting apartments. Slowly but surely, conveniences like apartment-phone-app (to open doors, to access mailboxes) get accepted by people and then they "throw the switch" and make the remaining 3% do it. Or maybe new renters must accept it to move in. And then they can deny access to apartments imeediately, track their residents, match with online activity and more...

By raverbashing 2026-01-2819:05

I think people are overthinking this, though the discussion about reliability is merited

For every HN technically inclined people you have dozens of other customers who will give any email (thinking it's just writing "John.smith@bt.co.uk" or something) - or worse- and they have to find a way of identifying those customers

By antonvs 2026-01-2819:42

> Is it that HSBC has 0 competent people who could have ...

In the chain of command for a feature like this, that's quite possible.

> Or is it that everybody who mentioned this was overruled by middle/upper management because they know better?

Or just learned helplessness, they don't bother because they know it's not worth trying.

By Nextgrid 2026-01-299:55

> Is it that HSBC has 0 competent people who could have mentioned

Given the salaries, tooling and working conditions for tech people in such companies, why would anyone competent work there?

By nickname-derail 2026-01-2818:553 reply

NAB Australia does exactly the same thing. Unless I "load remote images" when I receive their emails, they'll start mailing letters saying that they switched me to paper statements as their emails are not going through. It also took me a bit to investigate as their emails were obviously coming through.

By awesome_dude 2026-01-2821:121 reply

I'm in two minds on this - the bank does need to know that its communications are being received

But, they have no idea if the paper statements are making it to your desk, or if they are getting swiped from the letterbox (I'm in an apartment in Melbourne, and the snail mail is not reliable at all, mail is sometimes delivered to the wrong building, sometimes the wrong address entirely, it's also swiped by miscreants who have nothing better to do, and, in some cases, the pricks set the letter boxes on fire, taking all the mail with it)

By ryandrake 2026-01-2823:231 reply

If the bank really needed to know that its communications are being received, they would send them in a way that would reliably return this information (signature-confirmed postal mail). It's very unlikely that the bank actually needs to know this information.

By awesome_dude 2026-01-2823:36

I appreciate that that has a stronger guarantee of delivery, it is also prohibitive from a costs point of view, which I, as the customer, will be paying either through fees or reduced interest for deposits or higher interests for borrowings.

By rendaw 2026-01-294:36

CapitalOne balance alerts for a low-use credit card - they silently disabled the alerts because "I wasn't reading them". Because I have read notifications disabled and don't load remote resources.

Even if they truly believed I wasn't reading them, disabling them makes no sense to me. They certainly weren't bouncing and I wasn't reporting them as spam.

I dropped CapitalOne after that (not sure I moved to something better though...)

By pabs3 2026-01-3014:27

If NAB has an option to turn on plain text emails, that might help, since they obviously can't do tracking that way.

By anonymousiam 2026-01-2820:39

Years ago, I used to get marketing spam emails from Bank of America. In their email, they did not offer a way to opt out from those types of email, so I invalidated the unique email address that I had created just for them. A few months later, I got a snail mail letter like the one Dan got, telling me that emails were being rejected and that I needed to correct my email address. I went through the same sort of nonsensical dialog with them, and they simply would not let me opt out from their marketing emails, so I left it disabled for a few years. Eventually they offered "email preferences", so I re-enabled it.

My wife continues to get spam snail mail from Citi, and they offer no way to opt out. If it was my account, I would switch banks.

Back to the main topic: I think it's pretty stupid of the HSBC IT folks to assume that an email was not read because the tracking pixels were never accessed. Lots of email clients these days do not load images by default.

Hacker News