Was HP's traceable "PattyMail" spyware? You decide

Was HP's traceable "PattyMail" spyware? You decide

Summary: If you've been following the HP privacy scandal at all, then you'd know that HP resorted to (or considered resorting to) several techniques in hopes of smoking out whoever it was that was leaking information from its boardroom to the press. While pretexting -- fraudulently obtaining phone records by means of impersonation -- was one of those techniques (as well as the focus of yesterday's Congressional hearings in Washington, D.

SHARE:
TOPICS: Hewlett-Packard
13

If you've been following the HP privacy scandal at all, then you'd know that HP resorted to (or considered resorting to) several techniques in hopes of smoking out whoever it was that was leaking information from its boardroom to the press. While pretexting -- fraudulently obtaining phone records by means of impersonation -- was one of those techniques (as well as the focus of yesterday's Congressional hearings in Washington, D.C.), there were others including "dumpster diving" (poring through someone's trash), planting moles at the offices of CNET News.com and the Wall St. Journal (ultimately didn't happen) and sending traceable email containing a falsified but newsworthy tip to key reporters such as News.com's Dawn Kawamoto in hopes that she'd pass it along (intact so it could be traced) to her insider at HP for confirmation.

Earlier this week, I described how the traceability of HTML-based e-mail (what I'm now referring to as "PattyMail" after Patricia "Patty Dunn, the HP chairwoman who was ultimately responsible for the investigation) is often used for both legitimate and illegitimate purposes. I also showed how the versions of Microsoft's Outlook that are currently in circulation -- the ones that can actually block such tracing in the event the e-mail isn't going to get forwarded -- make it impossible to successfully forward an HTML-based e-mail without re-activating its traceability (the problem will be corrected in Outlook 2007, currently in beta).

During yesterday's hearing, significantly more detail than what was previously known about HP's "implementation" of PattyMail emerged. Wrote CNET News.com's Joris Evers:

HP investigators used the services of ReadNotify.com to trace an e-mail sent to reporter Dawn Kawamoto in an attempt to uncover her source in a media link, Fred Adler, an HP security employee, said during testimony before a U.S. House of Representatives subcommittee...Adler's testimony, for the first time since the HP boardroom drama erupted, specified how the company bugged the e-mail it sent to Kawamoto. Moreover, Adler said that it's still company practice to use e-mail bugs in certain cases...."That was and still is current policy," he said. "It still is sanctioned by my management as an investigative tool, we have used it in the past for investigations, for determining the locations of stolen product and what-not, and we have also assisted law enforcement."

Also, during the hearing, at least one US Congressperson referred to HP's PattyMail as an e-mail that contained spyware. For starters, given the classic definition(s) of spyware, I don't believe this to be generally true of PattyMail (aka HTML-based email). If it were, then every Web site might qualify as spyware. But, when you split hairs, it's easy to see how a politician might make the connection. First, because of how the act of opening an email results in the retrieval of graphics from a server across the Internet which in turn enables that server to register certain details about the e-mail recipient's system (eg: IP address), PattyMail appears to have a "phone home" component (common to most spyware). 

Second, in the case of HP's PattyMail, deception was involved. Not only did the e-mail's content include falsified information and conceal the identity of the sender, the usage of invisible graphics (often referred to in the Web business as "clear pixels" or "clear gifs") is designed to make users think their viewing a text-based email (vs. the more risky HTML-based breed). It's a deliberate attempt to cover up the intention of the e-mail or the fact that it will be contacting a server across the Internet in the course of being opened.

Phoning home? Deception? It must be spyware. Right? At least if you're a politician that's not well steeped in technology, it must be. Or is that the case? Maybe it is spyware after all. And maybe all HTML-based e-mail should visibly disclose that the page contains "tracking" elements with links back to more information on what those elements do and what the privacy policy of the sender is. Does PattyMail qualify as spyware and should the senders of HTML-based e-mail disclose their use of trackable graphical elements in the e-mail itself? Feel free to answer below.

Topic: Hewlett-Packard

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

13 comments
Log in or register to join the discussion
  • not a really big fan of regulation myself. is it the government's

    responsibility to protect every individual from the immoral and unscrupulous acts of their neighbor?

    or does the individual need to take responsibility for his own protection when trapsing around the public spaces?

    we don't put big yellow stars on people to protect others from their predisposition to lie and cheat.

    we do put locating beacons on certain persons with a predisposition to violent actions.

    maybe it's enough that hp has been identified as a dishonest and disreputable firm that cannot be trusted to not invade the privacy of others when they think someone somewhere is guilty.

    maybe the public stigma is enough if the public is educated as to how to deal with those kinds of actions. (like women being taught how to discourage attackers)

    official public stigma.
    that's the ticket.
    yeah.

    :)

    .
    wessonjoe
  • PattyMail is spyware

    I have pictures diabled in my email. I very seldom download the pictures, I can always goto the web site. I think any tracking being done should be acknowleged and the purpose disclosed.
    bobcat1939
  • If it looks like a duck, quacks like a duck and defecates like a duck..

    IT'S A DUCK!!

    [b]SPY [/b]

    2 entries found for spy.
    To select an entry, click on it.

    Main Entry: 1spy
    Pronunciation: 'spI
    Function: verb
    Inflected Form(s): spied; spy?ing
    Etymology: Middle English spien, from Anglo-French espier, of Germanic origin; akin to Old High German spehOn to spy; akin to Latin specere to look, look at, Greek skeptesthai & skopein to watch, look at, consider
    transitive verb
    1 : to watch secretly usually for hostile purposes
    2 : to catch sight of : SEE
    3 : to search or look for intensively -- usually used with out <spy out places fit for vending...goods -- S. E. Morison>
    intransitive verb
    1 : to observe or search for something : LOOK
    2 : to watch secretly as a spy

    Mirriam-Webster On-line Dictionary
    Old Timer 8080
  • It isn't yours

    In exactly the same way that you don't own the movie on the last DVD you bought, you also do not own emails in your inbox.

    Correspondingly - the owner (author) of each is entitled (in law) to protect their material.

    If you don't like the law - don't open or use email.
    anon-coward
    • Pattymail spyware

      So HP is the big bad wolf then? It tried to catch an employee who was making money out of secretly undermining the company. WOW can't get badder than that can you?
      bill@...
    • My rules

      are that if you send it to me, it belongs to me (same rule exists in USPS).

      Don't like it, don't send me e-mail.
      rpmyers1
    • It may be mine

      When you send me a snail mail, the content may be yours but the physical mail is mine under US law. I believe that a court would agree that the same rule should exist if it does not for email. To have your content effectively send information on me to you without my explicit authorization constitutes breaking and entering IMO.
      mcmcp@...
      • Breaking and Entering?!

        > To have your content effectively send information on me to you without my explicit
        > authorization constitutes breaking and entering IMO.

        Perhaps it should be illegal, but it definitely is not breaking and entering.
        Swashbuckler2
    • idiot!

      What are you, some kind of idiot? On what grounds do you claim that I don't own the email in my inbox? That's one of the stupidest statements I've ever heard in my life.
      ken@...
      • Perhaps You're the Idiot

        According to U.S. law copyright attaches when something is created. Thus, the person who sent you the email owns the content.
        Swashbuckler2
  • Big Bad Wolf

    When they used pretexting to violate the privacy of suspects with no proof the were.
    mcmcp@...
  • Way to Defeat This

    Set a firewall rule to prevent any contact with ReadNotify.com.
    Swashbuckler2
  • spyware

    If HP is prepared to stick spyware onto BOARD members PCs, the probability they stick rootkits/spyware onto pre-installed Windows PCs can't be discounted....obviously with such a long time to analayze the systems they ship, the rootkits would be almost undetectable...well except when HP 'leaps ahead' in printer technology etc...

    I seem to remember Lexmark stating they had some new tech they developed but HP managed to leapfrog them by a couple of weeks "somehow"!!!
    geldo