
Stopping "PattyMail" Email Bugs

An anonymous reader writes, "In the U.S. Congressional Inquiry into the HP spy scandal, it was revealed that HP used Web bugs to track the source of leaks. HP's Fred Adler considers them a useful investigative tool which HP will keep using. Since dubbed PattyMail after HP Chairwoman Patricia Dunn, Web bugs have been around for a while. But it turns out the vulnerability they represent is far worse than first thought. Microsoft Outlook won't have a patch until 2007. The company at the center of the scandal claims they've done nothing wrong. But could repressive governments use them to track down critics? Can anything be done to stop Web bugs?"

  • So, is it spyware? (Score:5, Interesting)

    by BigDogCH ( 760290 ) on Friday October 13, 2006 @12:42PM (#16425165) Journal
    Wikipedia explains web bugs. http://en.wikipedia.org/wiki/Web_bugs [wikipedia.org]

    So, is this spyware, or not? I would say yes. The website is spyware, as it is tracking where its user comes from....but then isn't all of the internet spyware?

    The ZDnet article asks it best......"Phoning home? Deception? It must be spyware. Right? At least if you're a politician that's not well steeped in technology, it must be. Or is that the case? Maybe it is spyware after all. And maybe all HTML-based e-mail should visibly disclose that the page contains "tracking" elements with links back to more information on what those elements do and what the privacy policy of the sender is. Does PattyMail qualify as spyware and should the senders of HTML-based e-mail disclose their use of trackable graphical elements in the e-mail itself? Feel free to answer below."
  • by eric76 ( 679787 ) on Friday October 13, 2006 @01:29PM (#16426005)
    It doesn't have to be just graphics.

    When readnotify was mentioned during the hearings, I signed on for a trial account. In the signup page, when it asked where I heard about them, I answered that I heard about them in the Congressional Hearings on Pretexting. One web bug they used in the test messages I tried was a wav file set to play at zero volume. I didn't look at the wav file itself, so I couldn't tell if there was anything malicious in the wav file.

    I did the testing from an OpenBSD machine using Sylpheed. It didn't report that I had read the e-mails unless I copied and pasted a link from the e-mail headers to a web browser.
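Added example, not part of any comment in this thread: a Python scan of an HTML mail body for every element that makes a client fetch a remote URL on render, covering the non-image case (a silent sound file) described above as well as the classic 1x1 image. The tag list, the host `tracker.example` and the sample body are constructed for illustration.

```python
# Added example: list elements in an HTML mail body that trigger a remote fetch on render.
import re
from html.parser import HTMLParser

# Tag -> attributes that cause an automatic fetch when the message is displayed.
FETCH_ATTRS = {
    "img": ("src",), "bgsound": ("src",), "embed": ("src",), "audio": ("src",),
    "video": ("src", "poster"), "source": ("src",), "iframe": ("src",),
    "frame": ("src",), "object": ("data",), "input": ("src",), "link": ("href",),
    "body": ("background",), "table": ("background",), "td": ("background",),
}
REMOTE = re.compile(r"^\s*(https?:)?//", re.I)        # http://, https:// or //host
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

class RemoteFetchFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in FETCH_ATTRS.get(tag, ()) and REMOTE.match(value):
                self.hits.append((tag, name, value.strip()))
            elif name == "style":  # inline CSS can load images too
                for url in CSS_URL.findall(value):
                    if REMOTE.match(url):
                        self.hits.append((tag, "style", url))

    handle_startendtag = handle_starttag  # also cover <img ... />

def find_remote_fetches(html_body):
    finder = RemoteFetchFinder()
    finder.feed(html_body)
    finder.close()
    return finder.hits

# Constructed sample body; tracker.example and the identifiers are placeholders.
SAMPLE = """<html><body background="cid:bg1">
<p>Quarterly numbers attached.</p>
<img src="http://tracker.example/o/8f3a1c.gif" width="1" height="1">
<bgsound src="http://tracker.example/s/8f3a1c.wav" volume="-10000">
<div style="background:url('//tracker.example/c/8f3a1c.png')"></div>
<img src="cid:logo@local"><a href="http://example.org/report">report</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_remote_fetches(SAMPLE):
        print(f"{tag}[{attr}] -> {url}")
```

Embedded `cid:` parts and ordinary links are not reported, since neither is fetched merely by displaying the message.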
  • Re:Huh? (Score:3, Interesting)

    by thrillseeker ( 518224 ) on Friday October 13, 2006 @01:42PM (#16426267)
    Please explain how your proposal would prevent the sender from detecting the user reading the mail in the following image tag, where the final part of the URL path is a uniquifier

    It depends what the bug-sender is trying to do. If he wants to see that a particular person has opened a particular email, and he controls what identifier gets sent to that person, then by tracking when the identifier is loaded he may know that the email has been read. If an ISP fetches and caches the urls of all emails sent through its system in advance of them being opened, something a firm such as Google could do easily, then the sender loses that knowledge - all he knows is that the receiving system fetched his email. However, such a middleman requires an effort on the part of the ISP.

    The concern here, I think, is that of email being forwarded when, in the opinion of the originator, it shouldn't. HP (or their hired underlings) is tracking the IP address of the various parties that fetch that url. This gives them a great advantage in trying to determine who has gotten the email. However, if the receiving client used a central caching proxy server, à la Google Cache, then HP loses that knowledge - all it now knows is that someone somewhere in the world fetched that url once (because it is cached for some amount of time). A million people could fetch that email via Google Cache now and HP would be no wiser.

    However, this doesn't obviate finding that email is sent out of an internal system - since the internal system is likely not using the external cache - however, this knowledge was more easily obtained anyway by looking at the internal mail system's logs of what went out.

    Google would do the world a service, and also obtain even more valuable (to them) knowledge of what was out there in the interweb tubes by offering such a service for free for any to use, and also implementing it with their own Gmail system of course - adding a bit of code to Thunderbird, etc. to send a "pre-fetch" to a proxy cache would be trivial - if the url had been previously fetched the sender would not know it had been fetched again, and would neither know who fetched it. If the receiver decided to view the images in his email, then they would, because of the proxy-cache setting, now be fetched via the proxy cache.
  • by B'Trey ( 111263 ) on Friday October 13, 2006 @02:46PM (#16427659)
    If all ISPs or at least a great majority scan all emails for images and download _all_ the images, then the fact that an image is downloaded doesn't give the sender any information anymore.

    Not quite true. If your ISP and Bob's ISP and Alice's ISP are all different and they all download the image, then I know that the email which I sent to you has been forwarded to two different mailboxes. I may not know for sure who those mailboxes belong to - you could have forwarded it to your own home account. But I do know the email was forwarded.

  • Re:Plain Text Only (Score:1, Interesting)

    by Anonymous Coward on Friday October 13, 2006 @04:10PM (#16429313)
    *Don't* read your email /in HTML format/. Problem solved.
      - There is nothing to be said in email that *can't be said in plaintext* and
      - I really could care less to see your smiley face sig and pretty flower background.
