Have you received any "traceable" PattyMail recently?

TOPICS: Hewlett-Packard

If you've been following the HP privacy debacle at all, then you'd know that one of the techniques that investigators tried on CNET News.com's Dawn Kawamoto (in order to figure out who her source inside HP was) was to send her a traceable e-mail. In commemoration of the former HP chairwoman who spearheaded HP's witch hunt (Patricia Dunn), perhaps we should refer to this sort of traceable e-mail as "PattyMail."

The plan was to send Kawamoto a phony tip regarding an as-yet-unannounced HP product in hopes that she'd pass it on to her insider at HP for verification. If the investigators could successfully trace the e-mail as it was opened by Kawamoto and then forwarded to her source, then HP could have caught the insider red-handed. This was one aspect of the investigation that HP CEO Mark Hurd was closely in touch with. He approved the falsified product information that was included in the e-mail.

The idea that HP, or any company for that matter, is capable of tracing e-mails as they get passed around the Internet is scary to some. But the truth of the matter is that it's done every day in the course of normal business practice. In fact, during his press conference on the matter last week, Hurd justified HP's usage of the technique on those very grounds -- that other businesses are engaged in the practice as well. But the fact that businesses (including CNet) can legally track, and do track, what happens to the e-mails they send did nothing to assuage those whose alarms start ringing when they hear about such Big Brother techniques.

The HP incident raises two questions.  The first of these is, of course, how and why are some of the e-mails sent to you being traced? I have the answer to that.  Second, can you do anything to stop it? The answer? If you're an Outlook 2003 user there's actually a small Catch-22 in the way the software works that could force many users to allow such tracing where they might otherwise have disabled it.

There are a variety of ways to format the contents of an e-mail. Some e-mails are sent through the Internet as nothing but text. Others are richer in their presentation, often including embedded graphical elements. It's this second class of e-mails that's particularly susceptible to being traced. In many cases, such e-mails are HTML-based. HTML is the markup language of Web pages, and when you open an HTML-based e-mail that has arrived in your inbox, your e-mail client will attempt to present that e-mail to you in the same way a Web browser would show you the same content. In most HTML e-mails, when an e-mail relies on an image, that image is not attached to the e-mail. Instead, the HTML in the e-mail tells your e-mail client to retrieve that image from a Web server that's out on the Internet. As is the case with any Web server, once you establish a connection to a server in order to retrieve that image, that server can figure certain things out about you: your IP address, for example.

Such tracing is used for both legitimate and illegitimate reasons. For example, here at ZDNet, if you're subscribed to one of our HTML-based e-mail newsletters, we can tell when you open them and from where. There's no nefarious intent behind the "tracing" we do (if you can call it that). If today's newsletter only gets opened by 20 percent of the recipients but tomorrow's gets opened by 80 percent of the recipients, then we can improve the utility of our newsletters by trying to figure out what it was about today's newsletter that caused it to perform so badly. Was it a holiday? Was it a boring subject? You get the picture.

But not all usages of such traceable e-mail are honorable. For example, if a spammer sends you an HTML-based e-mail and, in the course of opening it, you retrieve an image from the spammer's Web server, then the spammer is automatically tipped off to the fact that he or she found an active e-mail address. To ward off such malicious acts, most e-mail clients now offer the option of disabling automatic image retrieval when e-mails are opened. But there's a problem in the way that Outlook 2003 and Outlook Express (the most popular e-mail clients in usage today) do this.

The problem arises when the time comes to forward an HTML e-mail (something everyone occasionally has the need to do), much the same way HP's investigators had hoped that Dawn Kawamoto would forward the one she received. The current versions of Outlook correctly provide users with the option of disabling automatic image retrieval for HTML-based e-mails. Unfortunately, when the time comes to forward an HTML e-mail, Outlook gives you only two choices: retrieve the images (thus activating "tracing") in order to complete the forwarding operation, or don't forward the e-mail. Nowhere in the current versions of Outlook does a third option exist: the option to forward the e-mail without retrieving the images. Such a dialog might look like the one that appears to the right. It's a screen shot of what will happen when you try to forward an HTML-based e-mail in Outlook 2007 (currently in beta).

This "gap" in protection, which leaves users to cumbersome workarounds and third-party products to solve the PattyMail problem, raises the question of whether users of Outlook deserve a fix from Microsoft now or must upgrade to Outlook 2007 when it comes out. I spoke with a Microsoft spokesperson earlier today and she's looking into the matter. If anything comes of it, I'll let you know.
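
The missing third option described above (forward without retrieving the images) can be approximated outside the mail client. The sketch below is an added example, not code from this article or from Microsoft; the sample message, host names and the names `RemoteImageStripper` and `sanitize_for_forward` are constructed for illustration. It removes `<img>` tags that would trigger a network fetch and reports the URLs it dropped, so nothing is requested from the sender's server.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample (not from the article): an HTML e-mail with one remote
# image carrying a per-recipient token and one image embedded in the message.
RAW = """\
From: tipster@example.com
To: reporter@example.org
Subject: product tip
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>See the attached spec sheet.</p>
<img src="http://tracker.example.net/logo.gif?id=abc123" width="1" height="1">
<img src="cid:inline-logo" alt="logo">
<p>Regards</p></body></html>
"""

class RemoteImageStripper(HTMLParser):
    """Rebuild the HTML, dropping <img> tags whose src needs a network fetch."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed = [], []

    def handle_starttag(self, tag, attrs):
        src = (dict(attrs).get("src") or "").strip().lower()
        if tag == "img" and src.startswith(("http://", "https://", "//")):
            self.removed.append(dict(attrs)["src"])  # what would have been fetched
            return
        self.out.append(self.get_starttag_text())     # keep the tag verbatim

    handle_startendtag = handle_starttag  # <img ... /> takes the same path

    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def sanitize_for_forward(raw):
    """Return (html_without_remote_images, list_of_removed_urls)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:                      # plain-text mail: nothing to fetch
        return "", []
    parser = RemoteImageStripper()
    parser.feed(body.get_content())
    parser.close()
    return "".join(parser.out), parser.removed
```

It handles only `<img>` tags; other remote references (CSS backgrounds, linked stylesheets) would need the same treatment, and HTML comments and doctype declarations are not copied to the output.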

  • Not nefarious?

    There's more than one disturbing fact in your blog - that CNet is tracing the newsletter. The reason you gave is specious. You can't figure out why a newsletter is or isn't opened, based on just the stats for opening it. All you can do is make guesses.

    This makes me suspect there is another reason for tracing the newsletters and I hope it's not nefarious.

    Time to cancel my newsletter I think.

    • Guessing

      You're right that the best we can do is make educated guesses. But patterns do emerge. For example, we can see how stories about mobile technologies are of more interest to people than stories about storage. Based on those patterns, we can try to do a better job in satisfying our audience's information needs.

      But you're wrong about the nefarious part. We have a great privacy policy that you can read at any time. We're an honorable company that works hard to meet our audience's needs and it would be suicide to abuse their trust.

      • Not so fast, Mr Berlind

        I know ZDNet is an honorable company, but so was HP!

        Being a webmaster myself, I do not really see the need to put a special "tracer" in a newsletter to actually trace and deduce the information you wanted. Your webserver already does the job.

        I have some thoughts on the HP tracer. I do not think the HP investigator is using this technique. If so, Linux would not have saved the journalist in question. I got a feeling it is a Word document or something like it with a macro embedded. The macro will log each and every computer and userid the document is opened on.

        But yes, this technique will work. If you set up the webserver such that nobody except you and your target knows about it, and then someone accesses it, you got your leak.

        Which brings me to another question: if this is indeed the method, why did they bother to tail the journalist to Disneyland? Maybe they were hoping to catch a glimpse of the Guantanamo effigy there on business expense?
        • The "click through" rate for emails is valuable information for ZDNet, and

          there is nothing nefarious about it as long as they do not record the IP address and try to figure out who you are and sell your name and email address.

          And, I am sure that ZDNet would be more than willing to stop this practice if needed to help prevent the nefarious uses.
      • Here's my question...

        "Such tracing is used for both legitimate and illegitimate reasons. For example, here at ZDNet, if you're subscribed to one of our HTML-based e-mail newsletters, we can tell when you open them and from where."

        It's the "and from where" that bothers me. Why does that matter? If ZDNet wants to know if I read something they sent, fine, I can understand that. But why would they want or need to know where I read it?
        • Traceability

          I think that you folks are getting a bit paranoid. "Tracing" does not mean that they know who you are, the only thing we see is an IP address, I know who your provider is and maybe a geographic reference.

          It is impossible for any ISP, Enterprise or other service provider to get your email unless you give it to us or publish it in a place like a forum that someone can phish it from.

          I need to defend ZDnet or Cnet or whatever they call themselves these days, there is no evil corporate empire trying to track your movements.

          It's just like people that think that a handheld GPS can track them, they are one way devices.

          So be scared of the real thing.

          Cell/PCS phones with GPS's that know where you are at every moment and will send you SMS messages with pointed advertising based on what aisle in the store you are standing in, hey looking for some anti-itch cream here is a digital coupon for gold bond. You get the idea, that is scary.

          Scary is the virus/worm/spyware/malware authors that use their creative energy in destructive ways.

          Hey you choose to connect to the net, take some personal liability. Discard that toy firewall you have and buy a Juniper/Netscreen 5GT that is capable of deep packet inspection, now go out and buy a VPN connection from an ISP 5 states away! I am thinking about running a Linux box as a load balancer at home and distributing my traffic across two or three tunnels.

          Solutions exist, be proactive.

      • Dave, tell us about the 36 tracking methods they say they use.

        We want to know how else we can be tracked.
  • Unplug network cable

    The low-tech approach of unplugging the network (cable) while you process the forwarding works as expected (in Outlook Express 6), i.e. the recipient gets the same email with embedded links as you got. Or, you may configure Outlook Express to reply in unformatted text only, works as expected (you lose everything except the text).
    XP user
  • Scary stuff

    The HP debacle is getting really scary.

  • Even if you disable it on your end...

    Wouldn't they be able to tell it was opened by your contact at the media organization if they didn't have Outlook 2003 or later or allowed the images to be downloaded? And if they could tell it was opened by the Media organization they also know it was forwarded by the source.
    • You can forward email as straight text, even if received in html. That

      is what I do. I have my email set to NOT download images. Also, I open all MS Office documents with OpenOffice to eliminate the huge risks there.
  • From now on, cut-n-paste!

    Cut-n-paste can't be traced. Or can it?
    • I might be...

      I'm guessing, if you cut the image also, and you paste it into the new email, it may be able to still be traced.
      For some reason sometimes I try to cut and paste images in emails. Sometimes it works, sometimes it doesn't.
    • forward as plain text

      or delete the graphics or any links
  • Every webmaster is tracing its user

    The first time I realized I could track users using HTML images was about a year ago, when a ZDNet article said that spammers were doing so. I thought about it a bit, and after 3 minutes I deduced how it is done (exactly like Berlind described).

    Initially, I figured that with only Apache Server, I have virtually 99.9% of the tools I need to track users and some work is needed to pinpoint individual users.

    However, this illusion shattered when I realized that I actually do not need to do anything to trace my users. Worse, I figure that I can pinpoint 99% of the visitors through the standard Apache log file. And this is without me lifting a finger to do any setup at all. All it takes is that one day in the future I decide to track them down, and that I kept my Apache log files to permit me to parse them to extract the information I need.

    Tracking users is something every webmaster does, even though most, like me, did not realize we are doing it.
  • Yahoo uses web beacons (planted in discussion groups) to track people

    If you use Yahoo Groups, Yahoo may have beacons planted so your web visits are tracked:

    # When conducting research Yahoo!'s practice is to require our partners to disclose the presence of these web beacons on their pages in their privacy policies and state what choices are available to users regarding the collection and use of this information. You may choose to opt-out of Yahoo! using this information for this research. Please click here to opt-out.

    more windows tips: thatdamnpc.com
  • What Privacy

    When I configured Firefox I allowed it to send information to Mozilla.

    A message popped up to tell me that there are privacy matters involved and invited me to have a look at this.

    I ignored it.

    Not because I am happy about what is going on.

    But I am realistic enough to know that privacy is a thing of the past.

    There is Doctor-Patient privacy; I go to the Pharmacy and they put my prescriptions in a clear plastic bag so that everybody can see that I need Viagra.

    What annoys me, though, is the attempt to whitewash the invasion of my privacy such as in the article: 'we use it to improve our standards'.

    Ever tried to use an opinion poll on what people like or don't like?
  • So what..

    Welcome to about 10 years ago. The practice of tracing downloading pictures has been around for a very long time. Spammers have been using it with an "invisible" GIF file since HTML was added to email readers.

    If I have to download the pictures to forward the email, that means the person I forward it to does not. So if the original recipient had to download the pictures, they would not be able to trace anything.
    Patrick Jones
  • Solutions to outlook vulnerabilities....

    There's actually an Outlook toolbar you can download that allows you to encrypt email and have it remain encrypted through its travels and even AFTER it reaches its intended inbox. Images, docs, spreadsheets can all be converted and therefore cannot be traced, hacked, accessed by a worm/virus, or stolen....check it out here....
  • easy, don't use outlook.

    Simple. Don't use lookout, er, outlook. I've been using Pegasus Mail, and Thunderbird is also a good option. I have images set to disabled unless I specifically say otherwise (which can be done on a per-email basis, or using a whitelist in pmail).

    Also turn off the "Accept requests to 'confirm reading'" or similar option in your email client, as that can also be used for tracing.

    If your email client has any form of JavaScript or other scripting language, turn that off as well - not only is it another means of tracing, it's also a way of getting viruses and trojans.