September 28, 2006 6:18 PM PDT

How HP bugged e-mail

Related Stories

HP's boardroom drama

May 8, 2007

Dunn grilled by Congress

September 28, 2006

Out of the shadows, a pretexter's tale

September 26, 2006

Telecoms feel the pretexting heat

September 26, 2006

(continued from previous page)

A typical recipient will not notice this. The e-mail is crafted in HTML, or Hypertext Markup Language, and the tracer files are not visible. The actual links that retrieve the files will only show when viewing the source of the e-mail, for example through a program like Notepad. A firewall could alert the user of the Web traffic, however.

special coverage
HP's boardroom drama
Complete coverage of HP's
controversial attempts to
root out media leaks.

"ReadNotify uses a combination of up to 36 different simultaneous tracking techniques," Chris Drake, the company's Sydney, Australia-based chief technology officer said in an e-mail interview. "One or more of these usually works in all different e-mail clients and operating systems, making us the most powerful and reliable tracking service on the Internet."

In short, ReadNotify uses more technologies than simple Web bugs, Drake said. "All good e-mail programs have blocked these now and most anti-spam programs reject them too, so we no longer rely on this simplistic tracking idea."

During testimony before Congress on Thursday, the legality of including a bug in e-mail messages was questioned.

"I think the law regarding that is not as clear as it should be," Larry Sonsini, HP's outside lawyer, said in response to questions from Rep. Jay Inslee, a Washington state Democrat. "Depending on how it is used and the methodologies, it could very well implicate federal or state statutes," Sonsini said.

In the terms of use posted on its Web site, ReadNotify stipulates that its services should be used for "lawful purposes only." The company goes on to say that its product should not be used to transmit "intentionally deceptive e-mail messages."

"Occasionally, we're asked about privacy and legal issues," Drake said. Essentially, ReadNotify believes an e-mail author can do whatever he pleases with the message, including tracking it. "It is important to understand firstly that just because an e-mail comes into your inbox, it does not make it yours. When a person puts the effort into thinking up an e-mail and composing it: that e-mail is theirs."

ReadNotify doesn't monitor its clients, but Drake has had praise and questions about the service, he said. "We do know that we are heavily used by law enforcement in combating both online crime, and real-world crime that has online aspects," Drake said. "The most interesting event was about two years ago, when our service helped recover a kidnapped child when a tracked e-mail provided an international location that led to a safe recovery."

Use of the e-mail bug is one of the possibly illegal methods used in HP's investigation into boardroom leaks. The Palo Alto, Calif., company is also facing heat over the use of "pretexting," which refers to the use of fraudulent means to obtain someone else's personal records.

In testimony Thursday, CEO Mark Hurd said it is important for the company to lead, not follow when it comes to consumer privacy. "I am going to go back to that technology and look specifically at every use of that kind of send-receive technology and make sure there is absolute clarity," he said of the use of e-mail tracing.

Adler's testimony was part of a full day of hearings into the HP spying scandal by an oversight and investigations subcommittee of the House of Representatives' Energy and Commerce Committee. Hurd and former Chairman Patricia Dunn also testified, but several other HP employees and contractors invoked their Fifth Amendment rights against self-incrimination.

Previous page
Page 1 | 2

See more CNET content tagged:
Dawn Kawamoto, reporter, e-mail, HP, IP

19 comments

Join the conversation!
Add your comment
Pretexting?
Am I the only person that has been a little
confused by this new term? To me, pretexting
would be something akin to something like
"wmd: a pretext to war", rather than misrepresenting
yourself in order to gain knowledge. Granted, "wmd"
or other pretexts are generally mis-representations,
but they are different in context. The proper
terminology is "social engineering". Commonly
used in the malicious hacker/cracker context
of which this clearly falls under.
Posted by Johnny Mnemonic (374 comments )
Reply Link Flag
I'm with you...
I see this more as social engineering. Also, in all honesty, I do not think HP is totally in the wrong here. If someone is leaking trade secrets and whatnot, I think they have a right to determine the leak and follow all necessary trails.

It's funny how the government does this kind of thing all the time... but as soon as a big name company does it, it's the most horrendous invasion of privacy the world has ever seen. Surely people aren't that naive that they believe they have some ulitmate ammount of privacy in this day and age. Is it really that big of a deal that someone got your phone records? The method used is really no different than dumpster diving... chances are you throw away old phone bills. Besides you probably throw away more private information than you realize, so the point it leaves your house and into your garbage can, anyone willing can find out anything about you.
Posted by SeizeCTRL (1333 comments )
Link Flag
From Dictionary.com
"the misleading appearance or behavior assumed with this intention"
the 'intention' being "to conceal a true purpose or object"

So Social Engineering is just a form of Pretexting. The WMD argument was itself a form of Social Engineering, intending to get people to do somthing based on artifically generated fear.
Posted by catch23 (436 comments )
Link Flag
Another reason to avoid HTML mail
readnotify's use of web bugs and iframes in html email is bad enough, but I understand they also exploit bugs in MS Word docs (and perhaps other documents) to track those attachments.

ASAIK, I would be safe from these methods since my email client mail.app (Mac) is set to display plain text only and OpenOffice doesn't allow these "phone home" tricks.

Unfortunately most of my users have Outlook and MS Office so they have yet another reason to wish MS would put some "features" in their software that are really needed, rather than just ribbon menus.
Posted by rcrusoe (1305 comments )
Reply Link Flag
Try reading the article
They use the same trick with PDF's, so your Mac and defaults mean nothing.
Unless your running a good 2 way firewall (which neither the Mac or PC ships with) your as hosed as the us.
Of course, at least we have ribbon menus.
Posted by catch23 (436 comments )
Link Flag
Another solution....
you could also encrypt the email attachments or email messages in HTML with email anti-theft software, converting documents into .ecc's. This unfortunately will not stop them from tracking the email, but it prevents them from being able to access its contents.
Posted by mveronica (40 comments )
Link Flag
A good firewall...
Another friendly reminder to have a good software firewall like ZoneAlarm installed to prevent this from working and to disable HTML in Outlook.
Posted by ballssalty (219 comments )
Reply Link Flag
Firewall?
A firewall doesn't stop web-bugs if it doesn't stop other outgoing http requsts.

Disabling HTML in Outlook would not work for serious email users because they don't use Outlook... A good email client would render HTML but not the webbugs within it, and othor kinds of nasty things embedded within HTML. FastMail.FM's webmail client have been blocking images and defanging various HTML elements and still showing HTML email for years now (with whiltelisting of trusted sources). Many other email clients, web-based and PC-based do the same.
Posted by hadaso (468 comments )
Link Flag
Firstly, I don't give a darn. Secondly, thanks for the additional regs.
"Occasionally, we're asked about privacy and legal issues," Drake said. Essentially, ReadNotify believes an e-mail author can do whatever he pleases with the message, including tracking it. "It is important to understand firstly that just because an e-mail comes into your inbox, it does not make it yours. When a person puts the effort into thinking up an e-mail and composing it: that e-mail is theirs."

So, following this argument, every piece of junk mail and catalogue that appears in my mailbox or is couriered to me is not my property? I wonder if they could fine a recipient if/when the recipient destroys or throws that property away?

Mr Drake, if you do not have a law degree and international legal experience, your opinion in this matter is no more helpful than my 5 year-old's.

Sounds like more legislation is on the way....
Posted by jtpickering (8 comments )
Reply Link Flag
sherlock holmes would found a clue
There are many many things you cannot do with that catalogue - you cannot copy the pictures and put them on your website or your own catalogue - you cannot use the text in the same manner for instance - and neither can your 5 year old. Although he might get away with using them in a school project. Even better, if he does, then he furthers the advertiser's message - at no additional cost to him.
Posted by gggg sssss (2285 comments )
Link Flag
How CNet bugs e-mail
CNet's newletters are bugged. To be fair, the practice is disclosed in CNet's privacy policy, but the bugging is nonetheless as reprehensible and unethical as HP's actions.

It's time that CNet end the use of web bugs in its e-mail. While CNet's disclosure applies to those who subscribe to its newsletters, the web bugs also track forwarded e-mail. There's little difference between HP and CNet bugged e-mail.

Here's a typical CNet web bug. This type of bug is defeated by not loading images from e-mail.
<img src="http://dw.cbsi.com/clear/OutboundNewsletter.gif?ts=0609290919&edId=3&ptId=5100&OBID=64912919&eIssue=20060929&onId=6665&eCode=e703&sId=12&hId=1&dwpubsysid=1&locclc=1&locuid=ZQB1Mi3JWzmXjkG6" height="1" width="1">
Posted by Mark Donovan (29 comments )
Reply Link Flag
Potential for abuse???
Well, this is interesting from a privacy perspective. What is remedy the when someone sends something unlawful or unethical and you didn't ask for it?????

Steve
Computerlegalexperts.com
<a class="jive-link-external" href="http://www.computerlegalexperts.com" target="_newWindow">http://www.computerlegalexperts.com</a>
Posted by computerlegalexperts.com (23 comments )
Reply Link Flag
Re: Potential for Abuse
I agree with what you appear to be saying - that this may have some potential for abuse.

I mean it sounds like at least some of their use of it was warranted; searching for stolen products, etc., but this does seem to have quite a bit of potential to be misused.

Charles R. Whealton
Charles Whealton @ pleasedontspam.com
Posted by chuck_whealton (521 comments )
Link Flag
web-bugs and the DMCA
Like any other written material, email messages are automatically subject to copyright laws in all countries that have joined the Berne Convention Copyright Treaty, and nothing may be done with them without explicit permission from the author. If the author wishes to control the use of her work using any kind of security scheme, including tracking the distribution of the copyrighted work by use of various tracking techniques including but not restricted to the use of the standard tracking technique often refered to by the name "web-bugs", then it is illegal to circumvent this kind of copyright protection device and doing so violates the anti-circuvention clause of the DMCA!
Posted by hadaso (468 comments )
Reply Link Flag
what about illegal use of a computer ?
Where does neutering web bugs stop being violating "... the anti-
circuvention clause of the DMCA!" and become a legitimate
technique to protect your own computer from misuse by others
who are attempting to have your computer executing something (a
file download) without your knowledge or permission ?

I guess the answer is to follow the money - the DMCA is approved
of by the big money so it trumps other laws. I just wish the US
would keep that policy to itself and stop exporting it to the UK !
Posted by SimonHobson (3 comments )
Link Flag
Disclaimer
I found this in ReadyNotify's Terms of Service:

"You agree that You will not..."

"...(vi) transmit, or otherwise facilitate the transmission by anyone, of unsolicited, erroneously labeled and/or intentionally deceptive e-mail messages..."

Considering the nature of their "service," that's a fairly potent disclaimer!
Posted by ambigous (58 comments )
Reply Link Flag
Well now we need to create a way to patch this "BUG" before it is exploited by Spammers, and the like.

There are legitimate uses for this possibly but the staggering possibility that this will be abuse by illicit users and that TRUMPS any legitimate use that this "service" may have.

First it starts out with tracking and then it moves on to hidden downloads that contain key logging software and zombie bots.

All that would need to happen is a few email server get attacked and taken over start adding these codes and every unsuspecting person that receives an email would become a target. With all these zombies being created to go an attack at will. DDOS problems would be ram-pent.
Posted by cowen80194 (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.