Web Bugs Trained to Track Your E-Mail

March 8, 2008 – 6:37 PM

The tracer software that Hewlett-Packard investigators used to try to sniff out boardroom leaks sounded like it had been ripped from the pages of a bad science-fiction novel. That is, until the company began talking about it in detail at a congressional probe into the spying scandal.The technology tool the company used, called a Web bug, is designed to allow e-mail senders to track the path a message takes, including whether a recipient opens the message and forwards it to another party. And it turns out the technology is widely used in e-mail newsletters to track readers and also by law enforcement in investigations, security experts say.

A spokesperson for the California attorney general’s office said that HP’s use of Web bugs is not linked to the October 4 charges of five people, including former HP chairperson Patricia Dunn and contractors, on allegations that they used false pretenses to access individuals’ phone records. That case is about the practice of so-called pretexting.

However, HP’s boardroom leak investigation did use the Web bug technology as part of an unsuccessful attempt to trick a journalist for CNet Networks into revealing her confidential source on the company’s board of directors, according to HP security investigator Fred Adler, who testified at a U.S. congressional subcommittee hearing on September 28. (Adler was not one of those named in the California charges.)

Prior to Adler’s testimony, it was unclear what technique HP had used.

You’ve Already Been BuggedRichard Smith, an information security expert who founded Boston Software Forensics, says that most people who use the Internet have been subject to Web bugs. “Any kind of commercial e-mail is probably going to have them in there,” he says.

HP turned to a small Australian company called ReadNotify.com to help track the e-mail messages. ReadNotify tracks both e-mail and Microsoft Office documents. It will tell when the e-mail you sent was read, and will guess the location of the recipient, based on the reader’s IP address.

The ReadNotify service is popular in law enforcement and also in industrial espionage investigations, said Chris Drake, ReadNotify’s chief technology officer.

In an e-mail exchange, Drake said that he was informed of the HP case by the media, adding, “This is an extremely common and effective use of our technology.” Drake said his company believes such use is legal in Australia, as well as in the United States.

How They WorkHere’s how Web bugs operate: The bug’s author puts an image on a Web server and assigns the image a unique Web site address, or URL, and then sends an e-mail that contains a link to this image. The image can be hidden from sight or displayed in plain view–a corporate logo, for example.

When the recipient opens the e-mail, that person’s computer looks up the image and in doing so sends that information to the Web server. Another way of implementing the tracking technology is for ReadNotify users to add ‘.readnotify.com’ to the end of the recipient’s e-mail address.

While Drake characterized ReadNotify’s e-mail tracking tools as sophisticated, security consultant Smith noted that the tools use the same techniques as other Web bugs.

Are They Legal?When the question of whether Web bugs are legal has been tested in the United States, courts have tended to focus on whether this type of technology violates federal wiretapping laws, says Chris Jay Hoofnagle, senior staff attorney with the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley.

Hoofnagle says state courts could take up the issue of Web bugs, considering the existence of antihacking laws in states such as California. California law prohibits certain uses of computer resources without the permission of the user, and nobody knows for sure whether HP’s actions would violate this law or similar statutes in other states, Hoofnagle says. At the hearing before House Energy and Commerce Committee members, HP’s Adler said his company had used Web bugs “a dozen to two dozen” times in the three years he had worked there and considers them to be a legitimate investigative tool.

http://www.pcworld.com/article/127444-1/article.html?tk=nl_dnxnws