March 28, 2024

New Email Spying Tool

A company called didtheyreadit.com has launched a new email-spying tool that is generating some controversy, and should generate more. The company claims that its product lets you invisibly track what happens to email messages you send: how many times they are read; when, where (net address and geographic location), and for how long they are read; how many times they are forwarded, and so on.

The company has two sales pitches. They tell privacy-sensitive people that the purpose is to tell a message’s sender whether the message got through to its destination, as implied by their company name. But elsewhere, they tout the pervasiveness and invisibility of their tracking tool (from their home page: “email that you send is invisibly tracked so that recipients will never know you’re using didtheyreadit”).

Alex Halderman and I signed up for the free trial of the service, and sent tracked messages to a few people (with their consent), to figure out how the product works and how it is likely to fail in practice.

The product works by translating every tracked message into HTML format, and inserting a Web bug into the HTML. The Web bug is a one-pixel image file that is served by a web server at didtheyreadit.com. When the message recipient views the message on an HTML-enabled mailer, his viewing software will try to load the web bug image from the didtheyreadit server, thereby telling didtheyreadit.com that the email message is being viewed, and conveying the viewer’s network address, from which his geographic location may be deduced. The server responds to the request by streaming out a file very slowly (about eight bytes per second), apparently for as long as the mail viewer is willing to keep the connection open. When the user stops viewing the email message, his mail viewer gives up on loading the image; this closes the image-download connection, thereby telling didtheyreadit that the user has stopped viewing the message.

This trick of putting Web bugs in email has been used by spammers for several years now. You can do it yourself, if you have a Web site. What’s new here is that this is being offered as a conveniently packaged product for ordinary consumers.

Because this is an existing trick, many users are already protected against it. You can protect yourself too, by telling your email-reading software to block loading of remote images in email messages. Some standard email-filtering or privacy-enhancement tools will also detect and disable Web bugs in email. So users of the didtheyreadit product can’t be assured that the tracking will work.

It’s also possible to detect these web bugs in your incoming email. If you look at the source code for the message, you’ll see an IMG tag, containing a URL at didtheyreadit.com. Here’s an example:

<img src="http://didtheyreadit.com/index.php/worker?code=e070494e8453d5a233b1a6e19810f" width="1" height="1" />

The code, “e0704…810f” in my example, will be different in each tracked message. You can generate spurious “viewings” of the tracked message by loading the URL into your browser. Or you can put a copy of the entire web bug (everything that is indented above) into a Web page or paste it into an unrelated email message, to confuse didtheyreadit’s servers about where the message went.
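The manual check described above (look at the message source, find the IMG tag pointing at a remote host with an opaque code in its query string) can be automated on the receiving side. The following Python script is an added example, not code from the original post or from didtheyreadit: it parses a raw message, lists every tag that would make an HTML-capable mail reader fetch a remote resource, flags the classic one-pixel image with a long token in its URL, and can rewrite the HTML so the reference is never loaded. The sample message, the host tracker.example.invalid and the code value in it are constructed for this example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: an HTML mail carrying a one-pixel tracking image of the kind
# described in the post. Host and code value are hypothetical placeholders.
SAMPLE_EMAIL = """\
From: alice@example.com
To: bob@example.com
Subject: hello
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Bob, did you get my note?</p>
<img src="http://tracker.example.invalid/index.php/worker?code=0123456789abcdef" width="1" height="1" />
<img src="cid:logo.png" alt="inline logo" />
</body></html>
"""

REMOTE_SCHEMES = {"http", "https"}
MIN_TOKEN_LEN = 12  # query values at least this long are treated as per-message identifiers


def is_remote(url):
    """True for URLs that cause a network fetch; cid:, data: and relative refs are not."""
    parsed = urlparse(url)
    return parsed.scheme.lower() in REMOTE_SCHEMES and bool(parsed.netloc)


def looks_like_pixel(attrs):
    """Width and height both 1 (or 0) pixels is the classic web-bug shape."""
    def tiny(value):
        try:
            return int(str(value).strip().rstrip("px")) <= 1
        except ValueError:
            return False
    return tiny(attrs.get("width")) and tiny(attrs.get("height"))


class RemoteResourceScanner(HTMLParser):
    """Collect every tag whose attributes would make the mail reader contact a remote server."""
    FETCHING = {"img": "src", "iframe": "src", "script": "src", "link": "href",
                "video": "src", "audio": "src"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also reached for self-closing tags like <img ... />
        attrs = dict(attrs)
        url = attrs.get(self.FETCHING.get(tag, "")) or attrs.get("background")
        if not url or not is_remote(url):
            return
        parsed = urlparse(url)
        tokens = [v for values in parse_qs(parsed.query).values()
                  for v in values if len(v) >= MIN_TOKEN_LEN]
        self.findings.append({
            "tag": tag,
            "raw": self.get_starttag_text(),  # exact tag text, used for rewriting
            "host": parsed.hostname,
            "pixel": tag == "img" and looks_like_pixel(attrs),
            "token": tokens[0] if tokens else None,
        })


def html_parts(raw_message):
    """Return the decoded text of every text/html part in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() == "text/html"]


def scan_message(raw_message):
    """List all remote-resource references in the HTML parts of a raw RFC 822 message."""
    findings = []
    for html in html_parts(raw_message):
        scanner = RemoteResourceScanner()
        scanner.feed(html)
        findings.extend(scanner.findings)
    return findings


def neutralize_html(html):
    """Replace each remote-fetching tag with an HTML comment so no request is ever made."""
    scanner = RemoteResourceScanner()
    scanner.feed(html)
    for finding in scanner.findings:
        html = html.replace(finding["raw"],
                            f"<!-- remote resource to {finding['host']} removed -->")
    return html


if __name__ == "__main__":
    for f in scan_message(SAMPLE_EMAIL):
        kind = "tracking pixel" if f["pixel"] else "remote resource"
        print(f"{kind}: <{f['tag']}> -> {f['host']} token={f['token']}")
    print(neutralize_html(html_parts(SAMPLE_EMAIL)[0]))
```

Run against a message saved from your mailer, the scanner reports the host each HTML part would contact; the rewrite step is what "block remote images" does inside a mail client, applied before the HTML ever reaches a renderer.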

Products like this sow the seeds of their own destruction, by triggering the adoption of technical measures that defeat them, and the creation of social norms that make their use unacceptable.

Comments

  1. Privacy invasion for fun or profit

    Two different problems related to this topic were mentioned recently: Edward Felten about tracking emails with web bugs and a CSS “exploit” to leak information about the sites you visit….

  3. Designed for Spying

    A Mark Glassman story at the New York Times discusses the didtheyreadit email-tracking software that I wrote about previously. The story quotes the head of didtheyreadit as saying that the purpose of the software is to tell whether an email reached it…

  4. DidTheyReadIt and SureType

    Not only does DidTheyReadIt embed a transparent image in the message sent to your addressee, but if that person forwards the tagged message, then that recipient also appears on your “background tracking” software, right down to the IP address …

  5. This tool:
    http://www.impsec.org/email-tools/procmail-security.html
    can both strip out web bugs and quarantine Word documents with embedded references to external files.

  6. Web browsers may have changed behavior in the past 3 years, but in 2000, not returning a result from the link would have been the smart thing to do.

    The web server should just record the request in its log files and not respond. If it responds, then IE and other browsers will cache the response and be less likely to try to fetch the page again. Since Outlook uses IE’s rendering engine, it usually abides by these cache rules (which are implemented in both Urlmon and the web browser object consumed by Outlook).

  7. I tried loading the address you listed, http://didtheyreadit.com/index.php/worker?code=e070494e8453d5a233b1a6e19810f, into my web browser, and it finished right away. In fact, “view source” shows an empty page, so I guess there was nothing there. I expected to see some kind of slow image loading at 8 bytes per second based on your description. What went wrong?

  8. Most of the “smarter” versions of this technique will also embed HTML which causes an HTTP ping to a server with a unique identifier. So just disabling images isn’t always enough. Disabling HTML is also required to stop the smart people.

    If you want a primer on the really crazy stuff one can do in this area, check out my patent on related technology for managing state.

  10. Thanks for the analysis. I think you hit it on the head.

    If your mail reader converts everything to text, the HTML bug won’t work.

    If your local DNS blackholes didtheyreadit.com (which I will do in the next 30 minutes), the HTML bug won’t work.

    As Mr. Felten already noted – Products like this sow the seeds of their own destruction…

  11. It has been pointed out that the way didtheyreadit.com forwards mail messages makes them an instant open relay. They do not seem to do any authentication of emails’ origins.

    Given that, unless they’ll come up with an authentication mechanism really really soon, they’ll die under a deluge of spam (not to mention that they’ll find themselves on all spam blacklists).

  12. Worried about email tracking? Just download your email and don’t open it until you have disconnected from the internet. Done.

  13. I read about this new service and was sort of wondering how it worked. I considered whether they might use web bugs and thought, “Nah, that is too weak … what a pathetic system. Also, that is sooo 2000.” I actually thought they would have some sort of contract with various email providers. Guess I was wrong.

  14. Brian Parsons says

    There is another service, readnotify.com that has been around at least 2 years. They also offer a tracking service for Word and Excel documents.

    I had a friend who quit replying to messages I sent using the tracker. He told me there was no need for him to respond since I know he got the message. So I stopped using it.

    I have found it very useful in tracking down people when I pay them for something on ebay and they fail to respond or ship the item.

    Many email clients allow you to block image loading when rendering emails now. Soon this option will be on by default.