When Spies Hitchhike on an E-Mail

A bit of JavaScript can let anybody track messages, wherever they go. That can be illegal, but unscrupulous snoopers don't care.

By Jane Black

You receive an unsolicited e-mail from somebody you don't know offering a job at a competing company. You aren't interested. But you have a friend who might be, so you forward the e-mail with a note. Later that day, it's as if the erstwhile headhunter followed your e-mail: He calls your friend regarding the job.

What happened? Although it's not widely known, the e-mail you received could have been "wiretapped." With a few extra lines of hidden code, anybody can remotely instruct Web servers to notify the original sender once the message is read or is forwarded to others. The code can even capture any text added to the forwarded message -- and send that back to the original sender, as well.

First publicized a few weeks ago by privacy advocate Richard Smith, this technique is only the latest in a number of easy ways to surreptitiously gather information about people using the Internet. Privacy advocates say the technology could be used to do everything from monitoring private e-mail to collecting thousands of e-mail addresses for direct-mail campaigns.


Sound sneaky? It's actually illegal. Using this technique to grab mail would probably break both the Federal Wiretap Act and the Computer Fraud & Abuse Act, offenses punishable by up to five years in prison and fines as high as $250,000 for an individual and $500,000 for a corporation, says wiretap expert Philip Gordon, a lawyer at Horowitz & Wake in Denver. But the power and ease of use of this technique could prove an irresistible lure to unscrupulous direct marketers, more commonly known as spammers.

Here's how it works. A snoop can embed a few lines of JavaScript code into a JavaScript/HTML-enabled message. JavaScript is a programming language that lets Web authors spice up their pages with dynamic content. And HTML (hypertext markup language) is the primary code used to create Web pages and e-mails that look like Web pages.

When one of these e-mails is opened, the hidden JavaScript sends a message back, alerting the snoop that it has been opened. If the message is forwarded, the code silently captures any text that has been added and sends that back to the snoop as well.


The most popular e-mail clients, Microsoft's Outlook and Outlook Express, are vulnerable to wiretapping code in their default configurations. Netscape's latest e-mail client, Netscape 6 Mail, is also vulnerable. But Qualcomm's Eudora e-mail client and AOL 6.0 are not affected because JavaScript is turned off by default. It's also safe to use Hotmail, Yahoo!, and other Web-based mail programs that won't allow the code to work.

But even if an e-mail client isn't vulnerable, you still might pass the code along intact if you forward the message to a colleague or friend. The code will activate whenever it can. So even if your computer doesn't get wiretapped, the next person on your forward list might. "The danger with this is that it is pretty stealthy. Unless you know HTML, it's going to be difficult to detect. And even then, it's kind of hidden," says Smith, chief technology officer for the Privacy Foundation, a Denver-based privacy advocacy group.
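As an added illustration (not part of the original article), here is a small Python check that a mail gateway or a cautious user could run over a saved message before forwarding it. It flags script elements, inline event handlers and javascript: URLs in the HTML parts; the class name, function name and sample message are constructed for this example.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser


class ActiveContentFinder(HTMLParser):
    """Records markup that can run script when an HTML mail part is rendered."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src", "action") and url.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def scan_message(raw):
    """Return the findings for every text/html part of an RFC 822 message."""
    findings = []
    for part in message_from_string(raw, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            findings.extend(finder.findings)
    return findings


# Constructed sample message (not from the article); the script body is a placeholder.
SAMPLE = """\
Subject: Job opening
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

A position is open.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body onLoad="placeholder()"><p>A position is open.</p>
<SCRIPT language="JavaScript">/* placeholder */</SCRIPT></body></html>
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

An empty result means no HTML part carried script-capable markup; any finding is a reason to forward the message as plain text instead.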

Most e-mail programs, such as Microsoft Outlook and Netscape Mail, include the sender's and receiver's e-mail address in the forwarded message. So a spammer could use an e-mail wiretap on a message that encourages people to pass it along to friends. Software at their servers could then extract any e-mail addresses that are sent in the wiretapped messages. This trick, privacy advocates say, is particularly insidious because it would likely go to e-mail addresses that people don't want to release publicly. Many people, including myself, use a "side account," a separate e-mail address, to register at Web sites so that their business accounts are not crowded with junk mail.


Already some companies are looking to profit from applications just one step removed from e-mail wiretapping. A U.S. company, ITraceYou, will alert you if your e-mail has been opened by the recipient. All you have to do is send the mail through its Web site or by replacing the "@" sign with a "#" and adding "@itraceyou.com" to the end of the address.

The site, which has been up for only two months and has not spent a dollar on marketing, already has 7,000 users. Andre Lessa, its director of business development, doesn't believe privacy is an issue. "We are just replicating a service that currently exists in the real world," he says. "Most post offices around the world provide delivery-confirmation services, right?" Yes. But the post office confirms only that the mail has been delivered. It doesn't report whether the letter has been opened.

So what can you do? While there's no way to totally protect yourself from an e-mail wiretap, you can take a few precautions. The easiest is to turn off the JavaScript capability in your e-mail reader. (You can find the Privacy Foundation's instructions here.) Another method is to download a patch, a bit of code that plugs security holes. If you use Outlook or Outlook Express 98 or 2000, you can download it here. The patch disables JavaScript in e-mail and also provides protection against viruses commonly found in attachments.


Be careful, though. This patch will disable some of the functionality in Outlook, so make sure to read the instructions carefully. If you have an earlier version of Outlook, you're not vulnerable since the default doesn't support scripting. If you use Netscape, the best bet is to upgrade to Netscape 6.1, which includes code to outwit the wily wiretap.

Finally, be smart. Remember, friends don't let friends forward HTML e-mail. And if given a choice, don't request to receive them. If you have a feeling that someone knows a bit too much about your private correspondence, be advised.

Black covers privacy issues for BusinessWeek Online in New York.

Edited by Alex Salkever
