Fernando Cassia of The Inquirer took a look at AOL's new AIM Email service and generally liked what he saw. With 2 GB of space (the same amount as GMail, approximately), a nice DHTML application (like GMail), and IMAP access (which allows you to use external programs like Mozilla Thunderbird to access the mail server directly, meaning that you could seamless import messages from another program; GMail only offers POP access, which only allows you to download messages), it would seem that AOL actually did something right for a change.

GMail: Supress external images that may be dangerous.But while Cassia's only hangup with the service was searching, which was nowhere near as good as Gmail, I found more dangerous problems. As you can see from the partial screenshot to the right, when security-conscious email applications like GMail or Mozilla Thunderbird notice images in an email messages, they initially do not display them. Why? Because external images linked in email messages can act as "web bugs," allowing the email's sender to track when and how often the email is read. It works like this:


  1. I send you an HTML email message with includes a link to http://media.marteydodoo.com/images/web_bug.gif. That image is 1x1 in size and transparent, so it is virtually impossible for you to see it unless you look through the email message source.

  2. You open the message in an email program that can display HTML messages. Since as I mentioned before, some programs that can display external images in emails choose to suppress them, we will assume that you are using Outlook Express or an suspectible webmail system.

  3. The image is downloaded from www.marteydodoo.com.

  4. Worried about the fact that you have not yet replied to my email, I check the logs to see if web_bug.gif has been accessed. I see it was downloaded the day before at 11:43 pm, which suggests that you read my message then.


While you might not worry about me knowing when you read emails I send you (if I do send you emails, you should not worry about this; I only send plain-text emails, which do not allow for the inclusion of such images), consider the ramifications - if the email program you are using does not block external images, any email you receive could be tracking you. This includes spam messages, if you happen to read them. It is a well-known fact that spammers have added web bugs to their messages in order to find out which email addresses on their lists of millions are valid. Therefore, by opening one spam email - even if it is by accident - could cause the amount of spam you receive to increase significantly.

AIM's Email: Either display images or do not read the message at all.
Which is why I find it strange that AIM Email does not block external images at all. It would be nice to give them the benefit of the doubt and assume that they simply did not consider the problems that external images can cause in HTML messages, but this is obviously not the case, as you can see from the screenshot to the left. It shows the confirmation box that appears when an image is embedded into an HTML message. Since the image is not being downloaded from an external web server, it cannot act as a web bug. AOL, however, is concerned that users might find attached pictures "objectionable." Recall that images linked in HTML messages are displayed as-is, with no "You may find these images objectionable" prompt.

The part that rankles the most about this entire state of events is the fact that AIM Email does not seem to have any way to suggest improvements or complain about problems. While the above issue was probably just some programmer's oversight, the lack of the ability to send feedback makes me feel like AOL just does not care. Perhaps this is a result of being "spoiled" by companies like Google and Apple, but a company that does not listen to me does not deserve my business, IMAP access or no IMAP access.