Stop Gmail click tracking

May 6 2020 by Jeff Johnson

I have a Gmail account, but I always access it in Mail app, never in webmail, so I wasn't aware of some Google mischief until recently. I had previously written about how Google Search hijacks your link clicks and replaces the apparent URL with a tracking URL. It turns out that Gmail also does something similar.

One of the ways that StopTheMadness protects your privacy is by trimming tracking tags such as utm_source from the end of the URL of a clicked link. A customer contacted me to report that this feature wasn't working in Gmail, and after some investigation I was able to reproduce the problem. I discovered that StopTheMadness did in fact successfully trim the tracking tags from the link URL, but the URL that gets loaded when you click isn't the URL that you clicked!

A clickable link on the web is an "anchor" element, represented by something like <a href="https://example.org/?utm_source=tracker">Click Me</a> in HTML. The href attribute of the anchor contains the URL. Under normal circumstances, the href URL is what gets loaded when you click a link. In this example, StopTheMadness would remove ?utm_source=tracker from the href when you click the link, before the URL gets loaded. However, Gmail uses another attribute of the anchor, called data-saferedirecturl, to hide the original tracking URL, then hijacks the link click event using JavaScript and opens the data-saferedirecturl URL in a new tab. Sneaky! (The "safe" part of the attribute name must be ironic.) If you just clicked a link in Gmail without ⌘-clicking the link, then this technique would bypass the privacy protection feature of StopTheMadness.

The good news is that you've always been protected if you ⌘-clicked links in Gmail, because StopTheMadness ⌘-click protection prevents the click event from getting hijacked. The bad news is… there is no bad news, because StopTheMadness version 14.0, now available in the Mac App Store, has a fix for this form of Google madness. When you click a link, the data-saferedirecturl attribute will automatically get removed from the anchor, so Gmail can't swap the tracking URL for the non-tracking URL.
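The fix described above, as an added JavaScript example (not StopTheMadness source code): on click, remove the data-saferedirecturl attribute from the anchor and trim utm_ parameters from its href. The capture-phase wiring, the utm_ prefix list and makeStubAnchor (a constructed stand-in for a DOM anchor) are assumptions of this example.

```javascript
const REDIRECT_ATTR = "data-saferedirecturl"; // attribute named in the post
const TRACKING_PREFIXES = ["utm_"];           // utm_source is the post's example

// Remove tracking query parameters; return unparseable input unchanged.
function trimTrackingParams(href) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return href; // relative or malformed URL: leave it alone
  }
  for (const name of [...url.searchParams.keys()]) {
    if (TRACKING_PREFIXES.some((p) => name.toLowerCase().startsWith(p))) {
      url.searchParams.delete(name);
    }
  }
  return url.toString();
}

// Drop the hidden redirect attribute and clean the visible href.
function sanitizeAnchor(anchor) {
  const hadRedirect = anchor.hasAttribute(REDIRECT_ATTR);
  anchor.removeAttribute(REDIRECT_ATTR);
  const href = anchor.getAttribute("href");
  if (href !== null) anchor.setAttribute("href", trimTrackingParams(href));
  return { hadRedirect, href: anchor.getAttribute("href") };
}

// Browser wiring. Assumption: the page's own click handler reads the
// attribute at click time, so a capture-phase listener on document,
// which runs before listeners on the link itself, gets there first.
if (typeof document !== "undefined") {
  document.addEventListener("click", (event) => {
    const a = event.target instanceof Element ? event.target.closest("a[href]") : null;
    if (a) sanitizeAnchor(a);
  }, true);
}

// Constructed stand-in for a DOM anchor so the logic also runs under Node.
function makeStubAnchor(attrs) {
  const map = new Map(Object.entries(attrs));
  return {
    hasAttribute: (n) => map.has(n),
    getAttribute: (n) => (map.has(n) ? map.get(n) : null),
    setAttribute: (n, v) => void map.set(n, String(v)),
    removeAttribute: (n) => void map.delete(n),
  };
}
```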

You can rest easy now, because Gmail is safe again! Well, except for the thing where Google scans the contents of all your email and harvests information for advertising purposes. But other than that.