The dirt on Web bugs

A small Australian company’s role in the HP spying scandal

It's common practice. A message arrives in your inbox. You read it, realize that it may interest a friend, and pass it on accordingly. But be warned -- that simple, seemingly innocuous push of the forward button could be sending out more information than you think.

Email tracking services have recently surfaced as one of the dubious methods employed by Hewlett-Packard in its boardroom leak investigations. At a congressional hearing on September 28, HP Security Investigator Fred Adler revealed that the company had enlisted the services of Central Coast (NSW) start-up ReadNotify in the hopes of discovering electronic tracks leading from CNet journalist Dawn Kawamoto to her confidential source.

ReadNotify's tracking service is designed to allow email senders to track the path a message takes. The service is based on technology similar to Web bugs, which are commonly used by marketers and advertisers to track hits on a Web site.

However, while Web bugs are now blocked by most email clients and anti-spam programs, ReadNotify's email tracking service boasts up to 36 different simultaneous tracking techniques, and often goes undetected.

The simplest of these tracking methods involves the inclusion of an image that is also linked to a Web server. When the email is opened, the recipient's computer looks up the image, and in so doing, sends information to the Web server. Senders may choose to use a transparent image so as not to alert the recipient to the tracking device; in such cases, it is very difficult to tell if an email has been sent through ReadNotify, unless the recipient's email client notices a ReadNotify header tag that reads "X-RN".
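For readers who want to check a saved message for the two signs described above, here is a minimal Python sketch, added as an illustration and not taken from ReadNotify or from this article's sources. It lists headers whose names begin with "X-RN" and every image that would be fetched from a remote server, flagging those sized or styled to be invisible; the sample message, its hostnames and the header-name prefix match are assumptions, and it covers only this simplest technique.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not a real tracked email); all hosts are placeholders.
SAMPLE = """\
Subject: Quarterly notes
X-RN: constructed-placeholder
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the notes.</p>
<img src="cid:logo123" width="120" height="40">
<img src="http://tracker.example.net/t.gif?id=PLACEHOLDER" width="1" height="1">
<img src="https://images.example.net/banner.png" width="600" height="80">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def is_hidden(img):
    """Heuristic: 0- or 1-pixel dimensions, or CSS that hides the image."""
    tiny = img.get("width") in ("0", "1") or img.get("height") in ("0", "1")
    style = img.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style

def scan_message(raw):
    """Return (X-RN header names, [(remote http(s) image src, looks_hidden)])."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Assumption: a header name starting with "X-RN" is the tag the article mentions.
    headers = [name for name in msg.keys() if name.upper().startswith("X-RN")]
    remote = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = ImgCollector()
        parser.feed(part.get_content())
        for img in parser.images:
            src = img.get("src", "")
            if src.lower().startswith(("http://", "https://")):
                remote.append((src, is_hidden(img)))
    return headers, remote
```

Images embedded in the message itself (the `cid:` source in the sample) are skipped because displaying them contacts no server.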

As the company does not, as a rule, monitor who its users are and what they do, ReadNotify Chief Technical Officer Chris Drake could not confirm details of its role in the HP scandal. However, he speculates that HP is likely to have used ReadNotify's document tracking service, which tracks a Microsoft Word or Adobe Acrobat document regardless of the medium through which it is sent.

It is much harder to tell if a document is being tracked by ReadNotify, Drake said, as it is sent directly from the user's computer and hence will not necessarily display the "X-RN" header. Furthermore, while ReadNotify provides an opt-out service for people who do not want to receive its tracked emails, it does not have any such provision for tracked documents.

However, the company maintains that it operates well within the bounds of the law. While it has received a number of opt-out requests, Drake said that ReadNotify has not yet received a single complaint concerning privacy violation.

"I don't like the word 'bug' because it's a little bit iffy -- bugging is something that you normally do in illegal situations," he said. "We're not doing anything naughty or illegal."

Drake argues that email tracking is a legitimate method of monitoring a copyrighted document, since the Australian Copyright Act, as well as copyright laws in many other countries, grants legal ownership to the author of a document, including emails. Owners of intellectual property should have the right to know what people do with it, he said.

"The law's exactly the same for copyrighted email as music and movies," he said. "Technically, if you forward an email, you've violated the author's copyright."
