Email wiretaps made easy

Privacy group demonstrates a simple way of 'listening in' on email conversations - but the real problem may be fancy email programs

Another reminder that your private email is not so private came Monday, with the revelation by a privacy group that it is relatively easy to put a "bug" on other people's emails and read their private conversations.

US privacy organisation the Privacy Foundation (www.privacyfoundation.org) said Monday it has uncovered a vulnerability in email software that displays HTML content in messages -- programs such as Microsoft Outlook, Outlook Express, Eudora and Netscape Messenger 6 -- that allows secret copies of outgoing messages to be sent to another user.

When a few lines of JavaScript are attached to an HTML email, every copy of the email in the form of a forwarded message or a reply would be also be sent to the original sender. Since many people simply reply to each other's messages, entire conversations could be copied to someone else. The exploit would also affect messages, such as jokes, that are forwarded to many different users.

Experts said the exploit underscores the importance of taking measures to protect your email security, though some questioned whether this particular trick is as easy to carry out as it seems. The JavaScript attack is basically "a wiretap", in the words of Richard M Smith, chief technology officer of the Privacy Foundation. "It's very illegal, but it's also very easy to do," he said Monday on the company's Web site.

Smith feels such email wiretaps are so easy that it could become common practice to snoop on co-workers, friends or anyone else. He notes that even if JavaScript is turned off on your computer, you could still be a carrier -- the code will affect the next person you send the message to who has not taken precautions.

That idea is terrifying to Simon Davies, director of UK-based Privacy International. "It all comes down to the... idea of a transparent society, where everybody can watch everybody else," he says. "I find that an appalling idea. There are some very manipulative people who would like that, but those people tend to be the most secretive of all."

Davies notes that while users are becoming more educated about email privacy, there is still "an element of the population that believes they're of no interest to anybody", and leaves itself open to intrusion. "With the automation of surveillance, it becomes irrelevant whether they're of interest or not," he says.

Internet security group Sophos recommends organisations turn off all "active content" such as HTML and JavaScript on workers' email software to avoid pitfalls such as the email wiretap. Sophos senior technology consultant Graham Cluley says incidences of such exploits are growing: "There are so many viruses and attacks that use Outlook, maybe it should be renamed Look Out."

Cluley points out several factors that could prevent email wiretapping from becoming common. For one, the secret outgoing emails would probably show up in a user's ou-box, which would both expose what was going on and identify who had implanted the mischievous code in the first place.

To wiretap an email without fear of being caught, one would have to have the messages sent to an anonymous email account -- and if someone is determined enough to set up such a system, there are better, easier ways to tap what's going on in someone else's computer network, Cluley says. "You could use the exploit that was used against Microsoft last year, sending a program to one employee that creates a backdoor into the organisation and allows you to control their systems," Cluley says. "That would be much more powerful than this exploit."

The Privacy Foundation is campaigning for software companies such as Microsoft to sell email programs with active content disabled by default.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.