Groups ask FTC to close e-mail loophole

Privacy and consumer groups are asking the US Federal Trade Commission (FTC) to require software makers to close what they say is a security loophole in browsers that leaves people who read unsolicited e-mails vulnerable to the loss of their anonymity as they surf the Web.

A letter and a detailed report about the security hole were sent this week to the FTC by organisations including the Electronic Privacy Information Center (EPIC), the Electronic Frontier Foundation (EFF) and anti-spam group Junkbusters, according to a joint statement by these bodies.

The FTC will give the petition "serious review," an FTC spokesman said. Microsoft and Netscape Communications spokesmen said their companies are also examining the claim.

The petition is the latest in a series of efforts by Internet privacy groups to get the US Government to regulate online privacy. 'Net advertisers and companies that closely monitor Web surfers' habits are resisting regulation in favor of policies that allow them to police themselves. So far, the FTC has adopted a wait-and-see approach.

The problem brought to light by the privacy organisations affects people whose e-mail readers display HTML-formatted messages, which includes popular programs such as MS Outlook, MS Outlook Express, Netscape Messenger, Eudora and Hotmail, according to the report, written by Richard Smith, a security consultant.

Many Websites are set up to create a cookie on the PC of the person browsing. The cookie allows their surfing behavior to be traced, but it doesn't identify them. Smith said, however, that in the latest use of cookies they can be created when someone reads an unsolicited e-mail in a Web browser, which is alarming because it means the user can be identified.

The cookie is created when users read an unsolicited e-mail with graphics in it, such as a banner advertisement off the Web, Smith said. These banner ad companies typically "hide" the recipient's e-mail address in the Web address of the graphic, so that their servers can later match the cookie to the recipient's e-mail address, Smith said.

This information is often sold to spammers, or senders of unsolicited commercial e-mails.
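A mail filter can check for the pattern Smith describes by looking for remote images whose Web address carries the recipient's e-mail address. The sketch below is an added example, not code from the report or the petition; the function names, the set of encodings checked and the sample message are assumptions made for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

class ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.srcs.append(src)

def address_forms(addr):
    """Encodings to look for (an assumed set): name -> (needle, fold_case)."""
    raw = addr.lower().encode()
    return {
        "plain": (addr.lower(), True),
        "hex": (raw.hex(), True),
        "sha256": (hashlib.sha256(raw).hexdigest(), True),
        "base64": (base64.b64encode(raw).decode().rstrip("="), False),
        "base64url": (base64.urlsafe_b64encode(raw).decode().rstrip("="), False),
    }

def find_tagged_images(html_body, recipient):
    """Return (host, encoding) for each remote image URL carrying the address."""
    collector = ImgCollector()
    collector.feed(html_body)
    findings = []
    for src in collector.srcs:
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # cid: and data: images trigger no request to a server
        url = unquote(src)  # undo %40-style escaping before matching
        for name, (needle, fold) in address_forms(recipient).items():
            if needle in (url.lower() if fold else url):
                findings.append((parts.hostname, name))
                break
    return findings

# Constructed sample message body; hosts and address are placeholders.
SAMPLE = """<html><body>
<img src="cid:logo@local">
<img src="http://cdn.example/logo.gif">
<img src="http://ads.example/banner.gif?u=alice%40example.com">
<img src="http://track.example/i/YWxpY2VAZXhhbXBsZS5jb20.gif">
</body></html>"""
```

A match means that merely displaying the message would hand the image server both the address and any cookie it sets; an opaque per-recipient identifier in the URL would not be caught by this check.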

"When you go to a Web site they will not only know your cookie, but also your e-mail address," Smith said. "Bottom line, you lose anonymity when you go to a Website."

Smith said he hasn't discovered any companies that are abusing the information they gather. However, he added that the current cookie situation is disturbing nonetheless because it's difficult for the average consumer to know they are being "slipped a marked bill" that will identify them as they move around the Web.

Jason Catlett, president of Junkbusters, said he was also very disturbed by the new "Orwellian" use of cookies.

"It's intolerable that e-mail can be used to silently zap a name tag onto you that might be scanned by a site you visit later. It's like secretly bar-coding people with invisible ink," Catlett said.

He said the equivalent in the non-electronic world would be a catalog that is sent to a home in an envelope with the ability to send out the recipient's address to other stores the minute the envelope is opened.

"They all find out that you opened the mail and they get an invisible tracking number, so if you go to a store ... that number is reported to them and they can build that information into a database," Catlett said.

Catlett said he expects both Microsoft and Netscape to close the loophole willingly. Nevertheless, he said, the petition was submitted to the FTC in order to make sure that the software companies do so. Catlett also sees the petition as a test of the FTC's willingness to take the lead on the Internet.

"If they don't act on this, it will show that they're asleep at the watch," Catlett said. "This is an opportunity for the FTC to show that they are alert."
