This article is making it seem like tracking pixels are illegal and require a search warrant. This is definitively not the case. Search warrants are required only when requesting that information from a third party or against a person's will.
When through the normal course of using a technology you reveal information to the government (in this case the military) they can use that information against you.
Having an embedded image from a third party server in an email is well within normal usage of email. Logging IP addresses of machines that access content on a web server is also well within the normal usage of that server.
I'm also not sure what the journalist is afraid of in this case. Your IP address reveals almost nothing about you beyond a rough physical location on its own. Considering the Navy sent this email they already know WHO the recipient is. From an editor or author's name I could most likely find what city they live in with no extra help beyond Google.
There absolutely isn't anything illegal or even suspicious about this. If you want to go absolutely crazy mad with paranoia maybe they could collude with another federal agency to tap that network connection... but that is INCREDIBLY unlikely for this.
> The Navy email to Navy Times contained hidden computer coding designed to extract the IP address of the Navy Times computer network and to send that information back to a server located in San Diego. Under U.S. criminal law, authorities normally have to obtain a subpoena or court order to acquire IP addresses or other metadata. Not using one could be a violation of existing privacy laws, including the Electronic Communications Privacy Act.
They lay it out pretty clearly in the article. What you are describing might be true for a private company, but that same behavior from a military branch of our government is very different.
This is a really interesting area of law that I don't think has been settled.
One could argue that attaching this tracking pixel to an email is similar to attaching a GPS tracker to a vehicle. In United States v Jones in 2012, the supreme court ruled that placing a GPS device on violated the 4th amendment.
> "the Government's installation of a GPS device on a target's vehicle, and its use of that device to monitor the vehicle's movements, constitutes a 'search'"
Regardless of whether it was "well within normal usage of email" or not is kind of irrelevant.
It is also very different coming from the government as opposed to a private institution.
It is also very different to be targeting a news outlet (especially one that has been critical of you!).
I would absolutely challenge you on both points - this is ABSOLUTELY suspicious, and as they pointed out in the article, likely illegal – and I haven't gone crazy mad with paranoia.
>One could argue that attaching this tracking pixel to an email is similar to attaching a GPS tracker to a vehicle. In United States v Jones in 2012, the supreme court ruled that placing a GPS device on violated the 4th amendment.
One can't make this argument based on the Jones ruling because Jones doesn't apply in this situation. The entire reason why the court ruled that physically attaching a GPS tracker to a car is against the fourth amendment is because attaching the device involves physical trespass on a suspect's vehicle which they considered part of his "personal effects." A tracking pixel doesn't have the physical intrusion bit that the court found unconstitutional. In Jones the court only addressed the physical intrusion, not the GPS data itself.
>Also left unanswered was the broader question surrounding the privacy implications of a warrantless use of GPS data absent a physical intrusion – as might occur, for example, with the electronic collection of GPS data from wireless service providers or factory-installed vehicle tracking and navigation services.[27] The Court left this to be decided in some future case, saying, "It may be that achieving the same result through electronic means, without an accompanying trespass, is an unconstitutional invasion of privacy, but the present case does not require us to answer that question."[36]
The real problem is that it is acceptable for lawyers to use email for sensitive communications. Many lawyers just don't understand-- and don't want to. The rules that allow them to practice forbid being nefarious.
My take on it is that the real problem is email software not making it clear-as-day to the user that the message they are about to open is in fact a webpage, and that they will be actively connecting to the World Wide Web to load it, and potentially allowing third parties to know that they have opened the message.
Regular people won't make the mail <-> WWW connection in their head without being told, nor should they be expected to.
> The entire reason why the court ruled that physically attaching a GPS tracker to a car is against the fourth amendment is because attaching the device involves physical trespass on a suspect's vehicle which they considered part of his "personal effects."
I understand how you're just trying to reason from the other side. Just trying to show how the reverse argument might happen.
As far as I'm aware, one of the reasons "hacking" has been defined to be a crime, is that unauthorised access to someone's machine has also been defined as a kind of trespass. Allowing them to rule that deploying code from one location to another is also trespass against the physical location.
Carpenter is a fascinating case and you're astute to bring it up. If the tracking image were capable of actually tracking the entirety of someone's location (the way CSLI is), then Carpenter would probably apply.
Assuming it is just a normal tracking image, though, it doesn't provide "detailed, encyclopedic, and effortlessly compiled" information about someone's activities - just whether they opened that particular email while displaying remote images, and - if so - their HTTP request. I think it's unlikely this fits the facts under Carpenter.
Also, Carpenter was about a warrantless search. We really have no idea if the prosecutors did this on their own initiative to try to address the violation of the protective order, or if they did it at NCIS's behest after a warrant. It's entirely possible that this is at NCIS's initiative. Still a lot of facts to uncover here.
I've already argued against your first quote in the post. The privacy acts only apply when the government is getting the data from third parties such as from an email provider or ISP. In this case the image is directly communicating back to their servers and no third parties are involved. Communications between two parties are not subject to the privacy laws when you are one of those two parties.
The target is irrelevant in the case of legality. The only additional protections a journalist has is on not revealing their sources. This doesn't impact or interact with other emails so no sources could be compromised via a tracking pixel. Being "shady" isn't illegal and I wouldn't even say a tracking pixel is shady. The closest approximation of what this tracking pixel is doing is as a read receipt for a piece of mail.
If you want to quote "United States v Jones in 2012" against others you should probably be aware of what the presiding judges actually ruled. It was determined that the action was illegal only because physically attaching the device was considered trespass of private property not because the tracking of the vehicle's location required a search warrant.
If you wanted to make a similar argument you would have to instead refer to the Computer Fraud and Abuse Act to cover something similar to digital trespass. A tracking pixel does not violate that law under any circumstance that I'm aware of.
Any action by the government that can be seen to be chilling toward a free press can be interpreted as a violation of the first amendment. It's not as black and white as you make it out to be, and remember new precedents are being set all the time. They're also in the ninth circuit which is historically hugely favorable to these kinds of cases. You get a strong enough case, a lot of money and a creative lawyer, you might be able to make some caselaw here. There's at least a baseline argument for it.
That said, target is not irrelevant for illegality. There's also an issue of ethics in targeting other lawyers; if I was the defense lawyer this is the issue I'd be pushing like crazy with the judge, ethics panels, etc. Right or wrong, they can do something with that, esp. if they can get some discovery that proves there was actually an attempt to target -- that would be huge. (And they're not allowed to delete any documents to that effect since they are the government).
It ups it entirely another level in that it also was received by defense counsel. That really isn't going to look good for them. From the article: "In the judicial part of this equation, tracking devices give the user an unfair advantage in court proceedings. If you know who your opposing counsel is contacting, you can divine how they are building their case and find ways to counter it."
They can also do discovery to find out the intent behind the pixel -- if they find anything about tracking to find the source of the journalist or learn about the defense, they risk having the entire case thrown out.
This could get really, really interesting. If I was the defense lawyer I would push this as far as I possibly could.
Conversely, it’s also like the police offering you a can of soda as they question you and then later swabbing the empty can for DNA evidence. Totally legal if a bit sneaky.
> They lay it out pretty clearly in the article. What you are describing might be true for a private company, but that same behavior from a military branch of our government is very different.
Belated edit: Given that Constitution-based arguments are being used against the Navy, it's interesting to note that the Constitution outlawed private corporations. Unless they had public-interest charters. And that didn't change until the late 1800s.
> If you want to go absolutely crazy mad with paranoia maybe they could collude with another federal agency to tap that network connection... but that is INCREDIBLY unlikely for this.
Sorry for the undeveloped response, but....hahahaha
>When through the normal course of using a technology you reveal information to the government (in this case the military) they can use that information against you.
That’s not the legal standard for searches and seizures under the 4th amendment.
It’s about the reasonable expectation of privacy, and when a defense attorney emails their client the client has a reasonable expectation of privacy. A reasonable person doesn’t think the prosecutor has embedded tracking into emails sent to their attorney which will relay information back to the prosecutor when shared forwarded to the client by the defense attorney.
>>When through the normal course of using a technology you reveal information to the government (in this case the military) they can use that information against you.
>That’s not the legal standard for searches and seizures under the 4th amendment.
Regardless of the location, a conversation is protected from unreasonable search and seizure under the Fourth Amendment if it is made with a "reasonable expectation of privacy".
The law is not and never was:
>When through the normal course of using a technology you reveal information to the government (in this case the military) they can use that information against you.
I have what I consider to be a reasonable expectation of privacy not to have 3rd party tracking pixels embedded in websites I visit via a secure connection on the internet.
Well I’m not so sure that is a reasonable expectation (certainly visiting a website isn’t the same as an attorney client communication), but either way the 4th amendment only applies to searches and seizures by the government not 3rd party websites.
Well as I previously mentioned the 4th amendment only protects from unreasonable searches and seizures by the government...reasonable belief or not the 4th amendment isn’t going to protect you from data collected by non-government actors (unless the government directed them to collect it for them).
>“He was instructed that the embedded image contained a cyber-tool known as a ‘splunk’ tool,’ which can allow the originator full access to his computer, and all the files on the computer,”
It seems the journalist here believes some tool much more powerful than a tracking pixel may have been used. I've never heard of a "splunk tool" and frankly it seems like BS, but if the journalist believes this then the tone of the article is explained.
From the technical perspective of how emails work and the limited subset of HTML being available inside them, I think this is a case of crying wolf without understanding technical capabilities.
The only way the access described there is even remotely possible is using a vulnerability in a system's image parser or network client stack (using only the URL and server response). Burning an unknown 0-day vulnerability with that level of power wouldn't be wasted on even a high profile military court case.
'It's normal usage' doesn't mean it's okay to a normal person or in any way reasonable. Hence all the privacy debate in recent years. Personally, I'm not okay with tracking pixels and would turn them off if I could.
Gmail will download images and serve them from Google servers to prevent this issue. Perhaps you can set up a similar plugin to automatically upload images to imgur or similar before the client displays them.
An email client fetching images is useful, and shouldn't need to be turned off. If someone sends me an email with a graph embedded, it's a great feature that it will show up where it's supposed to. Using that feature for tracking is an abuse of it, plain and simple. There's no way that was an intended part of the design.
Any reasonable embedding of a graph should be as an attachment that your client receives at the same time as the rest of the email.
> There's no way that was an intended part of the design.
There is certainly a way. And regardless of whether it's intended, if you're dead-set on configuring your system so that it automatically contacts arbitrary 3rd party servers, then you shouldn't be too surprised when that happens. "Bad guys" are known to be opportunistic.
This exact mindset of "here's a feature, I'm sure nobody out there on the Internet would use it maliciously" is what brought us several decades of Microsoft software vulnerabilities.
There are plenty of reasons. Many people use these in their emails to get effectively "read receipts". It's not even clear that this was an official military action or just one officer using a browser extension that embeds these images.
There is very very little information you can get from an individual image being loaded by a user agent.
If they're worried about leaks, it seems much more likely that they're interested in who is talking to who, which they can figure out if the email with the tracking pixel gets forwarded.
For anyone not following what was done here: they added a tracking pixel. This is a single-pixel image with "src=<myserver>". You send it to someone and get the IP address of everyone who opens the email because they download the image. (This is why your email client asks if you want to open images).
It's not malware, really, and it can't harm a local computer that opens it.
But it is a sign that the prosecutors in this case believed the reporter would forward the email on to their source, giving the prosecutors the IP address of that person. And there is some question of whether that's ethical or not.
It was a visible logo apparently, not just a pixel.
> The tracking software appears to be “an unusual logo of an American flag with a bald eagle perched on the scales of justice” included in an email from the lead prosecutor, Navy Commander Christopher Czaplak. Images in email are routinely used for tracking purposes, though the image files are typically transparent. Navy technology, it seems, is less subtle.
It's worth noting that some email services automatically add such tracking pixels (usually marketed as "email open notification"). The user normally has the option to turn it off, but might not be fully aware that they are in effect violating the privacy of the email recipient and any places the email is forwarded.
It is pretty normal in the advertising world to use these features. Some mail clients (for example gmail) load these images without prompt by default (although they do so via an anonymizing proxy).
I'm really surprised that the recipients aren't following basic email security protocols here: don't allow HTML rendering of emails, don't allow linked images to be referenced and used, and don't open attachments that you weren't expecting to receive.
I am, although I know that I shouldn't be. I just would like to think that people in professions that are more likely to attract attackers take more care about these things than the average person.
Technically speaking, you don’t add a tracking pixel. You add a link to something the client loads. The server on the other side can send whatever he wants, even different things to different clients. And given that there have been vulnerabilities in image parsers more than I wish to remember, that may quite well be malware.
You just defined a tracking pixel. Ok, technically it is larger than a pixel, but if the server with the image is harvesting information about the client to learn something about the user, then it's tracking the user.
There's no question, really. It's not ethical by any means. If it wasn't a military court the judge would spank them, hard. But the defense could still report the prosecuting attorneys to the state bar.
Right. It's just like how we consider lawyers sending certified mail totally unethical because it allows the sender to know that the receiver received it. Shame on them.
I think it's ethical. Why do you think otherwise? What is your hypothetical basis for reporting it to the state bar? What Model Rule do you have in mind that it could possibly violate?
This is clearly an attempt to gather evidence about the defense and the journalists involved. It is also likely that they are attempting to identify the source for the Navy Times' reporting.
Here's an analogy from the civilian world: An employee reports an OSHA violation. Their employer is fined and forced to spend money on fixing the violation. Angered by this, the employer's management tries to find who reported them to OSHA.
They were caught doing something wrong, and now they are trying to identify who caught them doing it. The ethical response is to admit wrongdoing and make it right, not intimidate your opponents. If you don't understand that I'm not sure there's much debate to be had.
I don’t think they meant “ethics rules of just lawyers.”
It’s unethical because the only reason they are trying to unsurface the leaker is so that they can potentially punish them to discourage that behavior which revealed bad behavior in the first place.
The comment discussed reporting them to the state bar. The state bar only enforces ethics rules of the type I'm discussing.
If the original comment far upthread was contemplating reporting someone to the state bar for something that didn't violate state bar ethics rules, then that's even more egregiously inflammatory.
That is true, but I think those were two unrelated points. That is “... is unethical” and also “they should report to the state bar.” I believe that was the original intent of the commenter, since the sentences did not directly follow each other in his paragraph.
Everybody has already made great arguments. I wasn't attacking him, just pointing out that there are personal factors that probably prevent him from seeing the other side. That's incredibly important and shouldn't be dismissed. It wasn't meant in any kind of accusatory or inflammatory way.
It's really unnecessary and unproductive for my comment to be flagged. There's something very wrong with this place if nobody is ever allowed without any exception to engage with each other on a more personal level. Sometimes no logical well-thought out reasoned argument will ever convince somebody else, at which point it really helps to try to understand why a person believes the things he does. We're human, not robots. Our beliefs aren't just factual, they're based in our experience, our environment, and who we are.
The first sentence, though personal, arguably managed to stay on the ok side of the line. But when you cross into "you're being so defensive", "it's time you distanced yourself emotionally from the issue", and so on, that's invasive personal commentary which does count as attack/accusatory/inflammatory (to put it in the terms you used). Nobody wants to be psychologized and patronized in this way. Even if your perceptions are accurate, it's the worst way to share them with the other person.
I get that that wasn't your intention, but keep in mind that these things come across as much stronger and less innocuous to the reader than they do to the writer. Multiply that by 10x at least when you're the person being targeted. When users make arguments in this way, it nearly always leads to angrier, flamier, discussion, so I do think the flags on the comment are correct.
Where there's plenty of cases out there but I'd ask you why you think that opposing counsel attempting to violate attorney/client privilege is ethical?
Perhaps if this is a courtroom in a trial, but he is under no obligation, legal or otherwise, to do research for you. All information he provides is free and under no warranty to be correct. Think of it as a pro-bono donation of the truth (from his perspective of course).
It is up to you, or the reader, to choose to believe him or not and the information he provided is already more than he is obligated to give to enrich your life with. It is, as you put it, a “good place to start” if you wish to google more yourself.
If you don't like him just say so and move on. Trying to rationalize and then justify non-substantiation in an argument by playing this burden of proof shifting metagame wastes everyone's time. Just because you dressed up your assessment in this snide court language doesn't make it any better.
There is no oxygen in space (any area reasonably far from a planet). My lack of citation does not make it any less true. And if I were to try to convince you of that fact it would be simply for your benefit.
Think of any comment by anyone here as someone graciously providing you with free counsel out of the time of their day, with the big disclaimer that they are not your client, and that the information is under no warranty. This disclaimer is implicit on all internet comments. It is up to you to consider their claims, and verify them. If you’re not willing to research their claims yourself then it’s pretty clear that
1) you’re just here to argue for one side to the public (aka propaganda)
2) pursuit of the truth is not actually your goal
Given that your profile states that you are both part of the military and also a government lawyer may indicate that both 1) and 2) are true.
I think you’ll be hard pressed to convince people they are wrong simply by accusing them that they are wrong due to lack of evidence. There is no court here, no jury to decide you win or lose. You can contribute more to this discussion by offering your unique perspective given your background.
The leaks were not a protected communication about prosecutorial misconduct. Talk of reprisal is inapposite.
The leaks were a violation of a protective order, concerning which the judge specifically told the prosecution that the government had "all the power to investigate."
An IP address is not privileged information. I do not see any ethical violation here, and literally nobody except wgj has even attempted to square this discussion with the ethics rules.
If the Defense team doesn't want to be investigated for violating a court order, they should stop violating court orders.
I agree with you that many people in this thread are talking out of their asses, but as a thought experiment, would it be unethical for a Prosecutor to plant a tracking device on the car of a Defense attorney? Is there a legal difference between that and attempting to track the behavior of the Defense attorney online?
Not only are tracking pixels an invasion of privacy, they've held up in court as proof of receipt.
I helped build a product that blocks them at the enterprise level without affecting the presentation of the message or requiring end user effort: https://messagecontrol.com
They do say it's for the enterprise, and unfortunately "contact us" pricing is par for the course. It is very annoying though - if I'm interested, I'll need to email/phone. And if I email, nobody will tell me pricing until I speak to a sales bod, at least once, until they figure out how much money they can likely extract from us.
Folk selling B2B complain about the long time it takes to convert a lead to a sale, to a PO, to a payment - but these slimy sales tactics are just as much to blame.
I've always been a fan of upfront pricing, but I don't work there anymore. As near as I can tell not having publicly available pricing seems pretty common for enterprise software.
I'm interested in how this works at a technical level - is it implemented as plugins for Exchange and other servers, or is it some kind of proxy that clients connect to instead of directly to their email server?
I'm still bound by various paperwork that (probably) prevents me from disclosing that, but if you root around on the company site you can find a few relevant patents with details.
It's probably straightforward to do. Parse image links from the email, send those links to imgur, and replace the original image links with the imgur ones.
That's about 1% of the work. Email is old, arcane at times, and has a ton of interoperability and vendor-specific nonsense. Add in the fact that it _cannot_ go down for enterprise and that you have to do all of this at huge scale and it turns into a pretty tough problem to solve.
I also used to work at message control. The architecture to support all of the legacy and new technology for email was very hard. Also architecting a system to ensure that it would never go down completely was a large challenge.
You also have to understand how providers deal with email to make sure delivery is never affected. We had to ensure 100% delivery and never fail.
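The rewrite step sketched upthread ("parse image links from the email ... and replace the original image links"), written out as an added example that is not part of the thread and not any product's code. It covers fonts and CSS backgrounds as well as images; the proxy URL `imgproxy.example.invalid`, the sample message and all function names are assumptions made for illustration.

```python
import html
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Hypothetical rewriting proxy run by the mail gateway (assumption, not a real service).
PROXY = "https://imgproxy.example.invalid/fetch?u="
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)


def is_remote(url):
    """True if loading the URL causes a network request; cid: and data: do not."""
    url = url.strip()
    return url.startswith("//") or urlsplit(url).scheme.lower() in ("http", "https")


class RemoteLoadRewriter(HTMLParser):
    """Re-serialises HTML (comments, doctype dropped), proxying auto-fetched URLs."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.findings, self.in_style = [], [], False

    def _proxy(self, tag, attr, url, pixel=False):
        self.findings.append({"tag": tag, "attr": attr, "url": url, "pixel": pixel})
        return PROXY + quote(url, safe="")

    def _css(self, tag, css):
        def repl(m):
            if not is_remote(m.group(1)):
                return m.group(0)
            return "url('" + self._proxy(tag, "css-url", m.group(1)) + "')"
        return CSS_URL.sub(repl, css)

    def _tag(self, tag, attrs, close=""):
        size = dict(attrs)
        # Size is only a hint (a visible logo tracks just as well): all loads are rewritten.
        pixel = tag == "img" and bool({size.get("width"), size.get("height")} & {"0", "1"})
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            # Fetched on render: src/background/poster, and href only on <link>.
            # Not exhaustive: srcset, for one, is not handled here.
            fetched = name in ("src", "background", "poster") or (tag, name) == ("link", "href")
            if fetched and is_remote(value):
                value = self._proxy(tag, name, value, pixel)
            elif name == "style":
                value = self._css(tag, value)
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + close + ">")

    def handle_starttag(self, tag, attrs):
        self.in_style = tag == "style"
        self._tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.in_style = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(self._css("style", data) if self.in_style else data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_message(raw):
    """Return (message, findings) with every text/html part rewritten."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in list(msg.walk()):
        if part.get_content_type() == "text/html":
            rw = RemoteLoadRewriter()
            rw.feed(part.get_content())
            rw.close()
            findings += rw.findings
            part.set_content("".join(rw.out), subtype="html")
    return msg, findings


# Constructed sample message; hosts and identifiers are made up.
SAMPLE = """\
From: sender@example.invalid
Content-Type: text/html; charset="utf-8"

<style>@font-face{font-family:x;src:url(https://t.example.invalid/f.woff?m=42)}</style>
<p>See notice &amp; reply.</p>
<img src="http://t.example.invalid/logo.png?m=42" alt="logo">
<img src="https://t.example.invalid/o.gif?m=42" width="1" height="1">
<img src="cid:chart1" alt="inline chart">
<a href="https://example.invalid/notice">fetched only on click</a>
"""
```

With the loads routed through a proxy, the sender's server sees the proxy's address rather than the reader's or a forwardee's; whether it still learns the time of opening depends on whether the proxy fetches at delivery or on display.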
The issue here isn't about knowing whether the recipient read the email, which is not an interesting thing to spy on.
It's about the sender seeing whoever the recipient forwards the email to, and about the sender seeing the recipient's network information (although that's a hard sell because the recipient already advertised their network presence by using email), and the use of non-HTTPS servers that could be compromised to intercept traffic.
“He was instructed that the embedded image contained a cyber-tool known as a ‘splunk’ tool,’ which can allow the originator full access to his computer, and all the files on the computer,” according to a Portier defense motion filed Tuesday.
Are they... referring to a... Splunk logging agent? I doubt it, but maybe the JPEG packed a binary appended to the end of the image file?
Either way, if such were the case, this payload would need to rely on the presence of, and thus exploit, some sort of vulnerability in whichever host cached it. Not impossible, but not exactly a trivial maneuver.
If they had suspects in mind, and had an awareness of OS version and patch level, it might be within the realm of possibility to land a working payload.
Furthermore, if they were targeting Navy personnel, there might even be a level of control to selectively enable a backdoor that permits a more advanced outcome than would ordinarily be possible in the wild against random individuals around the world.
Maybe the plan was to hit internal personnel with a specialized payload that only affects Navy assets...
In order for it to violate your privacy, it needs to take some kind of data from you that is considered private. What data is a tracking pixel taking from you?
The only thing a tracking pixel "takes" is the address of the computer that downloaded it and the time it was downloaded. None of that is your private information.
In addition to the above, many tracking services log your location and some even measure how long you read the message for. They can also make a good guess at whether you forwarded the message to someone else.
Even if you turn off images it's not always good enough: some trackers try to load any external resource they can, like sounds and fonts.
More to the point IMO, it takes that data from anybody else you happen to forward the email to. If the journalist forwarded an email with the tracking pixel to their source, it wouldn't have to get any of that fine-grained information; even just the IP address could be enough to de-anonymize the source.
Ah yes, this is a good reason to use text-based MUAs. Though it's not the reason I use text-based MUAs. Another good reason is that HTML for e-mail is horrible.
My credit card company has done this too. They sent a letter (via snail mail) saying that my email address on file wasn't being read so they would rescind my online account unless I verify the email address.
Why was the military not forcing all traffic through a locked down and monitored VPN? Red vs Black not a thing in military crypto any more? When did this change?
Especially when it’s a gov prosecutor sending it to the opposing defence attorneys, when the organization sending it has a known capability to exploit those computers for intelligence gathering.
The privacy rights between attorneys and clients is particularly sensitive. Not to mention a government agent sending it to journalists with the freedom of the press rights.
The prosecutors embedded a tracking image in an email that they sent to journalists and the defense. It's not just for tracking to see if the recipients have opened the email, but it could help them identify who the email is forwarded to.
In this case, the journalists have confidential sources, they may forward that email to them, which would leak the source's IP, which could reveal the identity of the source.
A free and strong press is how we keep powerful institutions in check. It is not an inflammatory statement to say that a reprisal by a government institution that has been accused of doing something unethical is unethical. It's just common sense.
They did answer the question, and did so in good faith. This comment however is fairly confusing. There's a reason that our government institutions can't perform espionage on anyone they feel like without at least passing through some check (warrant). The same seems valid here, people have a fundamental right to privacy, and this seems aimed at violating that right, not only of the first recipient, but of another person as well. Given that this is being done without some sort of additional check, or through channels that our branches of government have approved, that certainly doesn't seem ethical to me.
Simply not liking someone's argument doesn't mean they didn't answer your question or are arguing in bad faith. To automatically assume that would imply that you are the one arguing in bad faith.
Wow, it's always funny when articles written for laymen dance around simple technical terms with fluffy language ("device", really?).
I'm really curious if this would have been considered an issue if it was just a visible header image like a logo. Does making it a single pixel make it more illegal than an image in plain sight? Both perform exactly the same function and both must be explicitly loaded by most email clients.
Someone who did understand probably explained it IN lawyers' terms to them; it may have been a tech-law focused lawyer they consulted on the ramifications, or the journalist covering navy laws in question.
Could you please stop posting unsubstantive comments to Hacker News? That bit of the title is the least interesting and least important thing to post about.
"The Navy email to Navy Times contained hidden computer coding designed to extract the IP address of the Navy Times computer network and to send that information back to a server located in San Diego. Under U.S. criminal law, authorities normally have to obtain a subpoena or court order to acquire IP addresses or other metadata. Not using one could be a violation of existing privacy laws, including the Electronic Communications Privacy Act."
"“It is illegal for the government to use [the emails] in the way they did without a warrant,” he said. “What this constitutes is a warrantless surveillance of private citizens, including the media, by the military.”"
"Hicks would not state for the record whether the Navy obtained a search warrant or subpoena in connection with the emails with tracking devices."
> “I am writing regarding your emails from yesterday, which contained an embedded image that was not contained in any of your previous emails,” Parlatore wrote. “At the risk of sounding paranoid, this image is not an attachment, but rather a link to an unsecured server which, if downloaded, can be used to track emails, including forwards. I would hope that you aren’t looking to track emails of defense counsel, so I wanted to make sure there wasn’t a security breach on your end. Given the leaks in this case, I am sure you can understand.”
The government is rightfully held to a higher standard when it comes to information collection. Particularly when it comes to collection of information from defense attorneys on an active case.
The tracking pixel doesn't provide any material information, it just tells you that a certain computer downloaded the image at a certain time.
It doesn't tell you WHO downloaded the image (but you could deduce that if you had other information, such as who was using the computer at the time it was downloaded) and it doesn't tell you WHY that image was downloaded (was it because an email was opened? Or was it because the email was scanned for viruses?).
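As an added illustration for the comments above about what an embedded image reveals (not code from the article or from any commenter): a recipient-side check that lists every remote image an HTML email would fetch when rendered and flags those sized 1x1 or hidden. The sample message, the `remote_images` helper and the `tracker.example` host are constructed for this example.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; tracker.example is a placeholder host.
SAMPLE = """\
From: sender@example.org
To: reader@example.com
Subject: Case update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please see the update below.</p>
<img src="cid:logo123" width="120" height="40">
<img src="https://www.example.org/banner.png" width="600" height="80">
<img src="https://tracker.example/o.gif?id=abc123" width="1" height="1">
<img src="http://tracker.example/p.png" style="display:none">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collects every <img> that would trigger a network fetch on render."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", "").strip())
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are carried inside the message itself
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        self.remote.append({"host": url.hostname, "url": url.geturl(),
                            "has_query": bool(url.query),  # may carry a per-message id
                            "likely_pixel": tiny or hidden})

def remote_images(raw_message):
    """Return one record per remote image referenced by the HTML parts."""
    msg = message_from_string(raw_message, policy=default)
    collector = ImgCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    return collector.remote
```

Every record returned is a request the mail client would make to a host chosen by the sender, whether or not the image is visible; the `likely_pixel` flag only separates images meant to be seen from those that are not.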
Email addresses are considered Personally-Identifiable Information even in the United States (and certainly in the EU too).
Deduction of who downloaded the image is obscene and a violation of that person's privacy.
Any correlation of email address information with any other information at all could be considered a violation of that person's privacy: the IP address and user-agent information alone is sufficient enough to point in the direction of a malicious attack. And there are people who have some serious safety concerns: people who've been abused by significant others and are prone to being victims of stalking or hacking are just one example.
Do you know of anything more recent on that? It cites the German privacy working group which has no direct influence on the actual laws, and predates GDPR/DSGVO (local German version).
The working group expressed an opinion considering the draft of the GDPR ("In its current prevailing form, we expect email tracking to be categorically prohibited under the GDPR without express user consent.").
I'm not aware of any major change in article 7 since that moment, so I'm fairly confident that opinion is still relevant. If you're asking if it's been tested/challenged in court or in a DP measure, I don't know.