Was HP's traceable "PattyMail" spyware? You decide

If you've been following the HP privacy scandal at all, then you'd know that HP resorted to (or considered resorting to) several techniques in hopes of smoking out whoever it was that was leaking information from its boardroom to the press. While pretexting -- fraudulently obtaining phone records by means of impersonation -- was one of those techniques (as well as the focus of yesterday's Congressional hearings in Washington, D.C.), there were others including "dumpster diving" (poring through someone's trash), planting moles at the offices of CNET News.com and the Wall St. Journal (ultimately didn't happen) and sending traceable email containing a falsified but newsworthy tip to key reporters such as News.com's Dawn Kawamoto in hopes that she'd pass it along (intact so it could be traced) to her insider at HP for confirmation.

Earlier this week, I described how the traceability of HTML-based e-mail (what I'm now referring to as "PattyMail" after Patricia "Patty Dunn, the HP chairwoman who was ultimately responsible for the investigation) is often used for both legitimate and illegitimate purposes. I also showed how the versions of Microsoft's Outlook that are currently in circulation -- the ones that can actually block such tracing in the event the e-mail isn't going to get forwarded -- make it impossible to successfully forward an HTML-based e-mail without re-activating its traceability (the problem will be corrected in Outlook 2007, currently in beta).

During yesterday's hearing, significantly more detail than what was previously known about HP's "implementation" of PattyMail emerged. Wrote CNET News.com's Joris Evers:

HP investigators used the services of ReadNotify.com to trace an e-mail sent to reporter Dawn Kawamoto in an attempt to uncover her source in a media link, Fred Adler, an HP security employee, said during testimony before a U.S. House of Representatives subcommittee...Adler's testimony, for the first time since the HP boardroom drama erupted, specified how the company bugged the e-mail it sent to Kawamoto. Moreover, Adler said that it's still company practice to use e-mail bugs in certain cases...."That was and still is current policy," he said. "It still is sanctioned by my management as an investigative tool, we have used it in the past for investigations, for determining the locations of stolen product and what-not, and we have also assisted law enforcement."

Also, during the hearing, at least one US Congressperson referred to HP's PattyMail as an e-mail that contained spyware. For starters, given the classic definition(s) of spyware, I don't believe this to be generally true of PattyMail (aka HTML-based email). If it were, then every Web site might qualify as spyware. But, when you split hairs, it's easy to see how a politician might make the connection. First, because of how the act of opening an email results in the retrieval of graphics from a server across the Internet which in turn enables that server to register certain details about the e-mail recipient's system (eg: IP address), PattyMail appears to have a "phone home" component (common to most spyware). 

Second, in the case of HP's PattyMail, deception was involved. Not only did the e-mail's content include falsified information and conceal the identity of the sender, the usage of invisible graphics (often referred to in the Web business as "clear pixels" or "clear gifs") is designed to make users think their viewing a text-based email (vs. the more risky HTML-based breed). It's a deliberate attempt to cover up the intention of the e-mail or the fact that it will be contacting a server across the Internet in the course of being opened.

Phoning home? Deception? It must be spyware. Right? At least if you're a politician that's not well steeped in technology, it must be. Or is that the case? Maybe it is spyware after all. And maybe all HTML-based e-mail should visibly disclose that the page contains "tracking" elements with links back to more information on what those elements do and what the privacy policy of the sender is. Does PattyMail qualify as spyware and should the senders of HTML-based e-mail disclose their use of trackable graphical elements in the e-mail itself? Feel free to answer below.