Pastimes : Internet Security/Privacy Issues and Solutions

To: Greg from Edmonton who wrote (113)
2/6/2001 9:43:57 AM
From: PJ Strifas   of 210
 
Here's more info on web bugs and how they can be used to track emails.

First article:
news.cnet.com
Privacy experts said Monday that they have discovered a security glitch that allows an e-mail author to read private comments attached to the original message as it gets forwarded to new recipients.

Second Article:
MSNBC.com Mobile
E-mail 'wiretaps' must be stopped

Alarming 'snooping' tool, which tracks e-mails after they've been sent, could open up a nefarious business opportunity

Feb. 5 — I recently learned about a new snooping technology for e-mail that made me fall out of my chair. It allows someone who sends you an e-mail to see what you wrote when you forward the e-mail with a comment to a third party. In other words, the snooper has a wiretap.

THIS IS very illegal, but it's also very easy to do. I tested out the e-mail wiretap with a dozen friends and for the most part it worked flawlessly. This tool also underscores the systematic privacy vulnerabilities of the Internet. The possibility of e-mail wiretapping is one of the most egregious violations imaginable — and therefore opens up a nefarious business opportunity that should be watched closely.

STALKING WEB BUGS
The story begins with research I have done on Web "bugs." A Web bug is an invisible image embedded in a Web page or e-mail message that silently transmits information to a remote computer when the page is viewed.

Last month, I received an e-mail out of the blue from Carl Voth, of British Columbia. Expanding on my research, Voth discovered an interesting feature in certain popular brands of e-mail readers. Using a little bit of JavaScript code embedded in an e-mail message, he found that not only could the sender of a message be notified when an e-mail is opened, but the sender could capture the text of messages when the e-mail is forwarded.

He nicknamed this flaw the "reaper exploit." It could also be called a "Web bug wiretap," or more simply, an e-mail wiretap. Whatever it is called it has flown under the radar. Until now. How likely is it that the e-mail wiretap will be used? My crystal ball tells me: a lot. People like to snoop. A front-page story in The New York Times last fall described how a man was sending Web-bugged resumes to companies to discover whether his e-mails were being opened. Now, conceivably, a sender could discover the internal company conversations as the e-mail and resume are forwarded for review, perhaps with comments like, "This guy's unqualified" or something more inflammatory.

This wiretapping trick could prove particularly enticing in a negotiation to learn what the other side is really thinking. It could conceivably be used to harvest thousands of e-mail addresses as a message is forwarded around the world. I even tested an e-mail wiretap with a friend who is a congressional staffer. You can imagine the possibilities. Philip Gordon, a fellow of the Privacy Foundation and an expert in wiretap law, tells me that in the United States, deploying a surreptitious e-mail wiretap could land you in jail.

REAPING THE REWARDS
I am surprised that such a fundamental flaw in e-mail hasn't received more notice. The problem was introduced in 1997 with the release of Internet Explorer 4. Voth's reaper exploit discovery initially occurred in late 1998. However, we were unable to locate much discussion about the problem in either the press or on the Web.

One solution to the wiretapping possibility is to turn off JavaScript in your e-mail reader. Our Privacy Advisory provides detailed steps on how to make this change. However, for an organization to be protected it would require everyone in the organization to turn off JavaScript in e-mail.