Have you received any "traceable" PattyMail recently?
Summary: If you've been following the HP privacy debacle at all, then you'd know that one of the techniques that investigators tried on CNET News.com's Dawn Kawamoto (in order to figure out who her source inside HP was) was to send her a traceable e-mail.
If you've been following the HP privacy debacle at all, then you'd know that one of the techniques that investigators tried on CNET News.com's Dawn Kawamoto (in order to figure out who her source inside HP was) was to send her a traceable e-mail. In commemoration of the former HP chairwoman that spearheaded HP's witchhunt (Patricia Dunn), perhaps we should refer to this sort of traceable e-mail as "PattyMail."
The plan was to send Kawamoto a phony tip regarding an as-of-yet unannounced HP product in hopes that she'd pass it on to her insider at HP for verification. If the investigators could successfully trace the email as it was opened by Kawamoto and then forwarded to her source, then HP could have caught the insider red handed. This was one aspect of the investigation that HP CEO Mark Hurd was closely in touch with. He approved the falsified product information that was included in the e-mail.
The idea that HP or any company for that matter is capable of tracing e-mails as they get passed around the Internet is scary to some. But the truth of the matter is that it's done every day in the course of normal business practice. In fact, during his press conference on the matter last week, Hurd justified HP's usage of the technique on those very grounds -- that other businesses are engaged in the practice as well. But the fact that businesses (including CNet) can and are legally tracking what happens to the e-mails they send did nothing to assuage those whose alarms start ringing when they hear about such big brother techniques.
The HP incident raises two questions. The first of these is, of course, how and why are some of the e-mails sent to you being traced? I have the answer to that. Second, can you do anything to stop it? The answer? If you're an Outlook 2003 user there's actually a small Catch-22 in the way the software works that could force many users to allow such tracing where they might otherwise have disabled it.
There are a variety of ways to format the contents of an e-mail. Some e-mails are sent throught Internet with nothing but text. Others are richer in their presentation, often including embedded graphical elements. It's this second class of e-mails that's particularly susceptible to being traced. In many cases, such e-mails are HTML-based. HTML is the markup language of Web pages and when you attempt to open an HTML-based e-mail that has arrived in your inbox, your e-mail client will attempt to present that e-mail to you in the same way a Web browser would show you the same content. In the case of most HTML-emails, when an e-mail relies on an image, that image is not attached to the e-mail. Instead, the HTML in the e-mail tells your e-mail client to retrieve that image from a Web server that's out on the Internet. As is the case with any Web server, once you estabish a connection to a server in order to retrieve that image, that server can figure certain things out about you. For example, your IP address.
Such tracing is used for both legitimate and illegitimate reasons. For example, here at ZDNet, if you're subscribed to one of our HTML-based e-mail newsletters, we can tell when you open them and from where. There's no nefarious intent behind the "tracing" we do (if you can call it that). If today's newsletter only gets opened by 20 percent of the recipients but tomorrow's gets opened by 80 percent of the recipients, then we can improve the utility of our newsletters by trying to figure out what it was about today's newsletter that caused it to perform so bad? Was it a holiday? Was it a boring subject? You get the picture.
But not all usages of such traceable e-mail are honorable. For example, if a spammer send you an HTML-based email and, in the course of opening it, you retrieve an image from the spammer's Web server, then the spammer is automatically tipped off to the fact that he or she found an active e-mail address. To ward off such malicious acts, most e-mail clients now offer the option of disabling automatic image retrieval when emails are opened. But, there's a problem in the way that Outlook 2003 and Outlook Express (the most popular e-mail clients in usage today) do this.
The problem arises when the time comes to forward an HTML e-email (something everyone occasionally has the need to do) much the same way HP's investigators had hoped that Dawn Kawamoto would forward the one she received. The current versions of Outlook correctly provide users with the option of disabling automatic image retrieval for HTML-based e-mails. Unfortunately however, when the time comes to forward an HTML-email, Outlook gives you only two choices: retrieve the images (thus activating "tracing") in order to complete the forwarding operation, or don't forward the e-mail. Nowhere in the current versions of Outlook does a third option exist: the option to forward the e-mail without retrieving the images. Such a dialog might look like the one that appears to the right. It's a screen shot of what will happen when you try to forward an HTML-based e-mail in Outlook 2007 (currently in beta).
This "gap" in protection, which leaves users to cumbersome workarounds and third-party products to solve the PattyMail problem opens up the question of whether users of Outlook deserve a fix from Microsoft now or must they upgrade to Outook 2007 when it comes out? I spoke with a Microsoft spokesperson earlier today and she's looking into the matter. If anything comes of it, I'll let you know.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
Not nefarious?
This makes me suspect there is another reason for tracing the newsletters and I hope it's not nefarious.
Time to cancel my newsletter I think.
;-)
Guessing
But your wrong about the nefarious part. We have a great privacy policy that you can read at any time. We're an honorable company that works hard to meet our audience's needs and it would be suicide to abuse their trust.
David
Not so fast, Mr Berlind
Being a webmaster myself I do not really see the need to put special "tracer" in newsletter to actually trace and deduce the information you wanted. your webserver is and already do the job already.
I have some thoughts on the HP tracer. I do not think HP investigator is using this technique. If so, Linux would not have saved the journalist in question. I got a feeling is is a word document or something like it with a macro embedded. The macro will log each and every computer and userid the document is openned on.
But yes, this technique will work. If you setup the webserver such that nobody except you and your target knows about it, and then someone access it, you got your leak.
Which bring me to another question: if this is indeed the method, why did they bother to tail the journalist to Disneyland. May be they were hoping to catch a glimpse of the Guantanamo efigy there on business expense?
The "click through" rate for emails is valuable information for ZDNet, and
And, I am sure that ZDNet would be more than willing to stop this practice if needed to help prevent the nefarious uses.
Here's my question...
It's the "and from where" that bothers me. Why does that matter? If ZDNet wants to know if I read something they sent, fine, I can understand that. But why would they want or need to know where I read it?
Traceability
It is impossible for any ISP, Enterprise or other service provider to get your email unless you give it to us or publish it in a place like a forum that someone can phish it from.
I need to defend ZDnet or Cnet or whatever they call themselves these days, their is no evil corporate empire trying to track your movements.
It's just like people that think that a handheld GPS can track them, they are one way devices.
So be scared of the real thing.
Cell/PCS phones with GPS's that know where you are at every moment and will send you SMS messages with pointed advertising based on what aisle in the store you are standing in, hey looking for some anti-itch cream here is a digital coupon for gold bond. You get the idea, that is scary.
Scary is the virus/worm/spyware/malware authors that use their creative energy in destructive ways.
Hey you choose to connect to the net, take some personal liability. Discard that toy firewall you have and buy a Juniper/Netscreen 5GT that is capable of deep packet inspection, now go out and buy a VPN connection from an ISP 5 states away! I am thinking about running a Linux box as a load balnacer at home and distributing my traffic across two or three tunnels.
Solutions exist, be proactive.
Me
Dave, tell us about the 36 tracking methods they say they use.
Unplug network cable
Scarey stuff
http://opendomain.blogspot.com/
Even if you disable it on your end...
You can forward email as straight text, even if recieved in html. That
From now on, cut-n-paste!
I might be...
For some reason sometimes I try to cut and paste images in emails. Sometimes it works, sometimes it doesn't.
forward as plain text
Every webmaster is tracing its user
Initially, I figure that with only Apache Server, I have virtually 99.9% of the tools I need to track users and some work is needed to pinpoint individual users.
However, this illusion shattered when I realized that I actually do not need to do anything to trace my users. Worse, I figure that I can pinpoint 99% of the visitors through the standard apache log file. And this is without me lifting a finger to do any setup at all. All it takes is one day in the future, I decided to track them down, and that I kept my apache log files to permit me to parse them to extract the information i need.
Tracking users is something every webmaster do, eventhough most, like me, did not realize we are doing it.
Yahoo uses web beacons (planted in discussion groups) to track people
http://privacy.yahoo.com/privacy/us/beacons/details.html
# When conducting research Yahoo!'s practice is to require our partners to disclose the presence of these web beacons on their pages in their privacy policies and state what choices are available to users regarding the collection and use of this information. You may choose to opt-out of Yahoo! using this information for this research. Please click here to opt-out.
bummer
------------
more windows tips: thatdamnpc.com
What Privacy
A message popped up to tell me that there are privacy matters involved and invited me to have a look at this.
I ignored it.
Not because I am happy about what is going on.
But I am realistic enough to know that privacy is a thing of the past.
There is Doctor-Patient privacy; I go to the Pharmacy and they put my prescriptions in a clear plastic bag so that everybody can see that I need Viagra.
What annoys me but is the attempt to whitewash the invasion of my privacy such as in the article ' we use it to improve our standards'.
Ever tried to use an opinion poll on what people like or don't like?
So what..
If I have to download the pictures to forward the email, that means the person I forward it too does not. So if the original recipient had to download the pictures, they would not be able to trace anything.
Solutions to outlook vulnerabilities....
http://seattletimes.nwsource.com/html/personaltechnology/2003209737_ptinbo19.html
easy, don't use outlook.
Also turn off the "Accept requests to 'confirm reading'" or similar option in your email client, as that can also be used for tracing.
If your email client has any form of JavaScript or other scripting language, turn that off as well - not only is it another means of tracing, it's also a way of getting viruses and trojans.