When Spies Hitchhike on an E-Mail
By Jane Black
You receive an unsolicited e-mail from somebody you don't know offering a job at a competing company. You aren't interested. But you have a friend who might be, so you forward the e-mail with a note. Later that day, it's as if the erstwhile headhunter followed your e-mail: He calls your friend regarding the job.
What happened? Although it's not widely known, the e-mail you received could have been "wiretapped." With a few extra lines of hidden code, anybody can remotely instruct Web servers to notify the original sender, once the message is read or is forwarded to others. The code can even capture any text added to the forwarded message -- and send that back to the original sender, as well.
First publicized a few weeks ago by privacy advocate Richard Smith, this technique is only the latest in a number of easy ways to surreptitiously gather information about people using the Internet. Privacy advocates say the technology could be used to do everything from monitoring private e-mail to collecting thousands of e-mail addresses for direct-mail campaigns.
Sound sneaky? It's actually illegal. Using this technique to grab mail would probably break both the Federal Wiretap Act and the Computer Fraud & Abuse Act, says wiretap expert Philip Gordon, a lawyer at Horowitz & Wake in Denver, punishable by up to five years in prison and fines as high as $250,000 for an individual and $500,000 for a corporation. But the power and ease of use of this technique could prove an irresistible lure to unscrupulous direct marketers, more commonly known as spammers.
But even if an e-mail client isn't vulnerable, you still might pass the code along intact if you forward the message to a colleague or friend. The code will activate whenever it can. So even if your computer doesn't get wiretapped, the next person on your forward list might. "The danger with this is that it is pretty stealthy. Unless you know HTML, it's going to be difficult to detect. And even then, it's kind of hidden." says Smith, chief technology officer for the Privacy Foundation, a Denver-based privacy advocacy group.
Most e-mail programs, such as Microsoft Outlook and Netscape Mail, include the sender's and receiver's e-mail address in the forwarded message. So a spammer could use an e-mail wiretap on a message that encourages people to pass it along to friends. Software at their servers could then extract any e-mail addresses that are sent in the wiretapped messages. This trick, privacy advocates say, is particularly insidious because it would likely go to e-mail addresses that people don't want to release publicly. Many people, including myself, use a "side account," a separate e-mail address, to register at Web sites so that their business accounts are not crowded with junk mail.
LIKE THE POST OFFICE?
Already some companies are looking to profit from applications just one step removed from e-mail wiretapping. A U.S. company, ITraceYou, will alert you if your e-mail has been opened by the recipient. All you have to do is send the mail through its Web site or by replacing the "@" sign with a "#" and adding "@itraceyou.com" to the end of the address.
The site, which has been up for only two months and has not spent a dollar on marketing, already has 7,000 users. Andre Lessa, its director of business development, doesn't believe privacy is an issue. "We are just replicating a service that currently exists in the real world," he says. "Most post offices around the world provide delivery-confirmation services, right?" Yes. But the post office confirms only that the mail has been delivered. It doesn't report whether the letter has been opened.
DON'T PASS IT ON.
Be careful, though. This patch will disable some of the functionality in Outlook, so make sure to read the instructions carefully. If you have an earlier version of Outlook, you're not vulnerable since the default doesn't support scripting. If you use Netscape, the best bet is to upgrade to Netscape 6.1, which includes code to outwit the wily wiretap.
Finally, be smart. Remember, friends don't let friends forward HTML e-mail. And if given a choice, don't request to receive them. If you have a feeling that someone knows a bit too much about your private correspondence, be advised.
Black covers privacy issues for BusinessWeek Online in New York
Edited by Alex Salkever