How HP bugged e-mail

(continued from previous page)

A typical recipient will not notice this. The e-mail is crafted in HTML, or Hypertext Markup Language, and the tracer files are not visible. The actual links that retrieve the files will only show when viewing the source of the e-mail, for example through a program like Notepad. A firewall could alert the user of the Web traffic, however.

special coverage
HP's boardroom drama

Complete coverage of HP's
controversial attempts to
root out media leaks.

"ReadNotify uses a combination of up to 36 different simultaneous tracking techniques," Chris Drake, the company's Sydney, Australia-based chief technology officer said in an e-mail interview. "One or more of these usually works in all different e-mail clients and operating systems, making us the most powerful and reliable tracking service on the Internet."

In short, ReadNotify uses more technologies than simple Web bugs, Drake said. "All good e-mail programs have blocked these now and most anti-spam programs reject them too, so we no longer rely on this simplistic tracking idea."

During testimony before Congress on Thursday, the legality of including a bug in e-mail messages was questioned.

"I think the law regarding that is not as clear as it should be," Larry Sonsini, HP's outside lawyer, said in response to questions from Rep. Jay Inslee, a Washington state Democrat. "Depending on how it is used and the methodologies, it could very well implicate federal or state statutes," Sonsini said.

In the terms of use posted on its Web site, ReadNotify stipulates that its services should be used for "lawful purposes only." The company goes on to say that its product should not be used to transmit "intentionally deceptive e-mail messages."

"Occasionally, we're asked about privacy and legal issues," Drake said. Essentially, ReadNotify believes an e-mail author can do whatever he pleases with the message, including tracking it. "It is important to understand firstly that just because an e-mail comes into your inbox, it does not make it yours. When a person puts the effort into thinking up an e-mail and composing it: that e-mail is theirs."

ReadNotify doesn't monitor its clients, but Drake has had praise and questions about the service, he said. "We do know that we are heavily used by law enforcement in combating both online crime, and real-world crime that has online aspects," Drake said. "The most interesting event was about two years ago, when our service helped recover a kidnapped child when a tracked e-mail provided an international location that led to a safe recovery."

Use of the e-mail bug is one of the possibly illegal methods used in HP's investigation into boardroom leaks. The Palo Alto, Calif., company is also facing heat over the use of "pretexting," which refers to the use of fraudulent means to obtain someone else's personal records.

In testimony Thursday, CEO Mark Hurd said it is important for the company to lead, not follow when it comes to consumer privacy. "I am going to go back to that technology and look specifically at every use of that kind of send-receive technology and make sure there is absolute clarity," he said of the use of e-mail tracing.

Adler's testimony was part of a full day of hearings into the HP spying scandal by an oversight and investigations subcommittee of the House of Representatives' Energy and Commerce Committee. Hurd and former Chairman Patricia Dunn also testified, but several other HP employees and contractors invoked their Fifth Amendment rights against self-incrimination.