How HP Tracked Emails
Posted in All Posts, Email Security, Privacy on September 29th, 2006
As many folks are aware, Hewlett-Packard is in the middle of a spying scandal. Recently, executives have had to resign and face questioning before Congress. Many may wonder just how HP managed to track emails. Actually, it is not all that hard to do. Many email providers do it, or at least have the means of doing it, simply by adding linked graphics to HTML-based email. Now, whether they take the trouble to do it is another question.
Anyone can make use of similar techniques by employing a commercial service to track emails. This is what HP reportedly did. They are reported to have used http://www.readnotify.com/. Another similar service is http://www.readverify.com/. Yet another is http://www.mailtracking.com/. Actually, we suspect that readnotify and mailtracking are one and the same, due to the similarity of their web sites.
Basically, these services add an invisible, very small graphic to an email. When the email is opened, the graphic is retrieved from a server that is designed to record the IP address and other information from anyone who opens the email. Spammers often use this technique. These graphics, also called web bugs, can be individually coded. Services like readverify and readnotify also use a variety of other sophisticated techniques to track email.
Here is the kicker: these services can be used to track almost any document that employs graphics, including PDF documents and Microsoft Word, Excel and PowerPoint documents. To quote from their web site:
MailTracking gives you full email tracking facilities by sending you a return receipt email or an SMS/ICQ instant message the moment that mail you have sent gets opened. Your return-receipt is a live tracking window which self-updates and includes the date and time that your message was first opened and read, how long the message was read for, the approximate physical location of the reader, how many times your email was re-opened and re-read, as well as when and where etc, what kind of e-mail software your reader is using, what kind of computer and operating system your reader uses, what languages your reader can accept or understand, what kinds of email attachments your reader can view (eg: Microsoft documents, or Adobe files, etc), whether or not your email was forwarded to someone else, and, if it was forwarded, where it was forwarded to, sometimes including who subsequently reads it. If your email gets published online, you can find this out too, as well as where (the URL) usually. If you sent any URLs in your email, you can find out which ones were clicked on by your recipient, and when.
No software or downloads are necessary for either the sender or the recipient to install. MailTracking already works with all popular email and webmail programs and services. You just add “.mailtracking.com” onto the end of the email address you are writing to before clicking send.
Defenses:
- Avoid the use of HTML-based email.
- Be cautious about any document that can contain web-based graphics, such as PDF documents and Microsoft Word, Excel and PowerPoint documents.
- Set your email reader to not preview messages.
- (or) Set your email reader to not retrieve graphics when email is previewed. This gives you a chance to read the content of an email without downloading any linked graphics.
- Use a firewall or other software that can block web bugs. The free and paid versions of Zone Alarm have an option under PRIVACY > Cookie Control > Custom to block web bugs.
- Certain email services have settings that can block web bugs.
- Download email and documents, then disconnect from the Internet and read them offline.
- Note that these services use a variety of techniques and are not easy to defeat completely. In fact, they brag about being able to defeat many defenses.
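
A mail filter can flag the linked graphics described above before a reader's client fetches them. The Python sketch below is an added example, not code from the original post or from any of the services named; the sample message, the tracker.example host, the 2-pixel threshold and the function names are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

TINY = 2  # assumption: an image at most 2px on a side is treated as invisible

class ImgScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (src, reasons) for every remote <img>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        # Only a remote image makes the reader's client contact a server.
        if tag != "img" or not re.match(r"(?i)(https?:)?//", src):
            return
        style = a.get("style", "").lower().replace(" ", "")
        sizes = [a.get("width", ""), a.get("height", "")]
        sizes += re.findall(r"(?:^|;)(?:width|height):(\d+)px", style)
        reasons = []
        if any(s.strip().isdigit() and int(s) <= TINY for s in sizes):
            reasons.append("tiny")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if "?" in src:  # a query string can carry a per-recipient code
            reasons.append("coded-url")
        self.findings.append((src, reasons))

def remote_images(raw_message):
    """Return (src, reasons) for remote images in a message's HTML parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    scanner = ImgScanner()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner.feed(part.get_content())
    return scanner.findings

# Constructed sample message: one embedded (cid:) logo, one remote 1x1 image.
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<img src="cid:logo@example.com" width="120" height="40">
<img src="http://tracker.example/open.gif?id=constructed" width="1" height="1">
"""
```

A remote image with an empty reasons list is still reported, because fetching any linked graphic reveals the reader's IP address to the server that hosts it.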

