December 6, 2024

Designed for Spying

A Mark Glassman story at the New York Times discusses the didtheyreadit email-tracking software that I wrote about previously.

The story quotes the head of didtheyreadit as saying that the purpose of the software is to tell whether an email reached its intended recipient. “I won’t deny that it has a potentially stealth purpose,” he adds. He implies pretty strongly that the stealthiness is just a side-effect and not in fact the main goal of the product.

The fact is that spying is built into the didtheyreadit product, by design. For example, it would have been easier for them to report to a message’s original sender only whether a message had ever been read: “Yes, it’s been read” or “No, it hasn’t been read yet”, and nothing more. Instead, they went to the extra trouble to report all kinds of additional information to the sender.

It does seem to be a side-effect of their web-bug-based design that didtheyreadit could gather much more information about where and when a message was read. But nothing forces them to actually collect and store this extra information, and nothing forces them to report it to anybody. They made a design choice, to store and pass on as much private information as they could.

Even the basic stealthiness of the product was a deliberate design choice. They are already adding an image to email messages. Why not make the image some kind of “delivery assured by didtheyreadit” icon? That way the message recipient would know what was happening; and the icon could be used for viral marketing – click it and you’re taken to the didtheyreadit site for a sales pitch. Why did they pass up this valuable marketing opportunity? They made a design choice to hide their product from email recipients.

Sometimes engineering imperatives force us to accept some bad features in order to get good ones. But this is not one of those cases. didtheyreadit is designed as a spying tool, and the vendor ought to admit it.

Comments

  1. If you are concerned with this problem, Wizard-Industries has a didtheyreadit.com blocker.
    It's a small one-time-run utility that blocks these bugs.

  2. David: Cypherpunk is right.

    BTW, I would be skeptical of anyone that claims to be able to produce a browser or email client that displays HTML mail and is resilient to web bugs. From experience, I can tell you that it is very, very, very difficult to build a browser/email client that will not be susceptible to some snooping flaw if it is re-using general purpose HTML or HTTP engines.

    If the browser or email client claims to display HTML mail and be resilient to web bugs, then it isn’t a HTML mail viewer. It’s displaying some subset of HTML that is “mail safe”. When I worked on this full time, I considered this solution and rejected it because, in the long term, it creates two programming models — one for bulk emailers and one for everyone else. I thought I had better ideas about how to solve the problem than using a subset of HTML.

  3. David, see Ed Felten’s earlier article on this topic, http://www.freedom-to-tinker.com/archives/000610.html , and the comments, which describe dozens of ways other than embedded images that HTML email can cause external URLs to be referenced. Whether Apple’s mail program blocks all of these, I don’t know. But by the name of the feature, “[don’t] display images and embedded objects”, it sounds like some of these other tricks would sneak past the blocks.

  4. Steve: Not to argue, but how “no”? My understanding was that my mailer simply ignores all the embedded objects in the mail unless I tell it to load them. That would seem to allow reading of web-bugged mail w/o triggering the bug.

  5. aNonMooseCowherd says

    I wouldn’t be surprised to see the company announce (possibly under a different company name) a (non-free) product that defeats the actions of their main product, and then a third product that defeats the second one and restores the original functionality, and so on. That way they could keep milking customers for more and more money.

  6. David Chase, the answer to your question is “No”. The only way to stop web spying like web bugs is by completely disallowing HTML in email messages. More specifically, any HTML or scripting operation that might reference a URL.
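The article describes didtheyreadit's web-bug design (a remotely loaded image whose fetch reports when and where a message was opened), and comments 3 and 6 point out that images are only one of many ways HTML mail can be made to reference an external URL. The scanner below makes that concrete from the defender's side: it walks an HTML body and records every remote fetch a rendering client would perform, flagging the classic invisible-pixel shape. This is an added example written for this page, not code from the article or from didtheyreadit; the tag/attribute table is an assumption about common client behaviour rather than an exhaustive list, and the sample message (host `tracker.example`, id `CONSTRUCTED-ID`) is constructed.

```python
"""Scan an HTML e-mail body for remote references ("web bugs").

Added example for this page; not code from the article or from didtheyreadit.
Standard library only. The sample message at the bottom is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make a rendering client fetch a URL. This table is an
# assumption about common client behaviour, not an exhaustive list.
FETCHING_ATTRS = {
    "img": ("src", "srcset"), "link": ("href",), "script": ("src",),
    "iframe": ("src",), "frame": ("src",), "object": ("data",),
    "embed": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src",), "input": ("src",),
    "body": ("background",), "table": ("background",), "td": ("background",),
}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.IGNORECASE)
META_URL = re.compile(r"url\s*=\s*(\S+)", re.IGNORECASE)


def is_remote(url):
    """True if loading this URL would contact a network host (cid:/data: do not)."""
    url = url.strip()
    return url.startswith("//") or urlparse(url).scheme.lower() in ("http", "https")


def looks_invisible(attrs):
    """Tracking-pixel shape: a 0 or 1 pixel dimension, or hidden via inline CSS."""
    tiny = (attrs.get("width", "").strip() in ("0", "1")
            or attrs.get("height", "").strip() in ("0", "1"))
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


class WebBugScanner(HTMLParser):
    """Records every remote fetch a client would make while rendering the body."""

    def __init__(self):
        super().__init__()
        self.findings = []      # (tag, attribute, url, invisible)
        self._in_style = False

    def _record(self, tag, attr, url, invisible=False):
        if is_remote(url):
            self.findings.append((tag, attr, url.strip(), invisible))

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases names
        self._in_style = tag == "style"
        for attr in FETCHING_ATTRS.get(tag, ()):
            value = attrs.get(attr, "")
            # srcset is "url descriptor, url descriptor"; each URL is a fetch candidate
            urls = ([c.split()[0] for c in value.split(",") if c.split()]
                    if attr == "srcset" else [value])
            for u in urls:
                if u:
                    self._record(tag, attr, u, tag == "img" and looks_invisible(attrs))
        for m in CSS_URL.finditer(attrs.get("style", "")):   # style="background:url(...)"
            self._record(tag, "style", m.group(1))
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(attrs.get("content", ""))   # content="0;url=http://..."
            if m:
                self._record("meta", "refresh", m.group(1))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                # url() inside a <style> block
            for m in CSS_URL.finditer(data):
                self._record("style", "url()", m.group(1))


def scan_html_email(html):
    """Return the list of remote references found in an HTML body."""
    scanner = WebBugScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Counts and contacted hosts: the view a mail gateway or client would log."""
    return {
        "remote_refs": len(findings),
        "tracking_pixels": sum(1 for f in findings if f[3]),
        "hosts": sorted({urlparse(f[2]).netloc for f in findings}),
    }


# Constructed sample: one local (cid:) image that is harmless, four remote references.
SAMPLE_EMAIL = """<html><head>
<style>body { background: url("https://tracker.example/bg.gif?u=alice"); }</style>
</head><body>
<p>Hi Bob, the report is attached.</p>
<img src="cid:logo@local" width="120" height="40" alt="company logo">
<img src="http://tracker.example/px.gif?id=CONSTRUCTED-ID" width="1" height="1">
<table><tr><td background="//tracker.example/cell.png">cell</td></tr></table>
<div style="background-image:url(https://tracker.example/div.png)">promo</div>
</body></html>"""

if __name__ == "__main__":
    found = scan_html_email(SAMPLE_EMAIL)
    for tag, attr, url, invisible in found:
        print(f"{tag}[{attr}] -> {url}{'  (tracking pixel)' if invisible else ''}")
    print(summarize(found))
```

Run against the constructed message, the scanner reports four remote references to one host, only one of which has the 1x1 shape of a tracking pixel; the other three (a `<style>` rule, a `td background`, and an inline `background-image`) would be fetched just the same by a client that only blocks `<img>`, which is the gap comment 3 worries about. A client that follows comment 6's default-deny approach would refuse every entry this list produces rather than trying to enumerate the vectors.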

  7. Isn’t the web bug defeated by mail readers like Apple’s Mail.app that provide an option not to display images and embedded objects in HTML messages?

    I also expect to find things like adblocking and web-bug blocking appearing as options in home firewalls any day now. I have a shiny new BEFSX41 that claims to have this ability, if I am willing to tinker with the configuration. It’s certainly something that I want, and I can easily imagine remapping requests to either 204 (no content) or 403 (forbidden) — whatever makes the browsers give up quickly.

    I have, in days past, actually tried to devise countermeasures to web bugs (programs that bang on the bug address with random and not-so-random junk filled into the obvious information-carrying parts of the URL), but of course there is no way of knowing if it has the desired effect (poisoning the database, crashing the servers, etc).

  8. Chris Tunnell says

    Sorry if I was unclear.

    The do not call registry could never work though since the company is so small. The solution here is rather simple, but also impossible: have people change their default settings. However, it appears as if one of our axioms is that people do not change default settings, and this is what the company is taking advantage of.

    Another partial solution would be to add a logo or marker to emails to notify the user that is being tracked. Even though this works after privacy has been invaded, it would at least stop future invasions.

    One of my points in my previous post was that adding a logo would be a bad business move for didtheyreadit.com. My logic behind it was that companies like yahoo.com add their logo to people who use their service for free. Premium customers of yahoo.com pay to have the logo removed to give the email a more professional look. Simplified, if didtheyreadit.com added a logo people would be paying to have a logo added to their messages when it doesn’t need to be there.

    My other, and main, point was that if the company is trying to give the customer the most “bang for their buck,” while being as transparent as possible, then this business model of theirs makes sense. This small “bug” is unnoticeable, while also delivering a lot of information.

    I am restating my point for clarification, so tell me if I lost you or if you disagree with me.

    On a final note, I think the first step for didtheyreadit.com should be the limitation of the information provided to the sender to only the time (or times) in which the email was read. This seems like a reasonable compromise until we can figure out how to protect the recipient more.

  9. Chris: My response was more aimed towards the comment in the article itself concerning the use of spammers and the didtheyreadit “software”. Of course there are other side effects, such as online stalking, etc. Yes, there are other privacy issues as well, but I can understand the desire for such things so that the sender can have some information about who read what. Read receipts don’t give enough information because for the most part, they are optional. These give too much information.

    You give a happy medium, but your logic doesn’t make sense so much (at least to me):

    Yes, people pay to keep ads out of their email. But if you have an ad in your email telling them that they are being tracked, then they won’t like it and then you will have a problem between yourself and your friend. How do we remedy this? By not using an ad. But then they don’t know they are being tracked, and have a problem with you again. Of course, the bigger problem is with didtheyreadit, but we nitpick.

    It seems like it would be better (by your standards) for didtheyreadit to do something like the national do not call registry, but instead of restricting who can be webbugged, instead give varying levels of bugability. Of course, then, we get into problems with what the default setting is, but these are problems that need be discussed.

  10. Chris Tunnell says

    jvance: That doesn’t address the security intrusion though. The problem with the system doesn’t change or worsen depending on the amount of emails you send.

    “Instead, they went to the extra trouble to report all kinds of additional information to the sender.”

    How much of an extra trouble is this though? From a corporate standpoint, why not share this information with the sender (if they are blind to the privacy implications). It costs the corporation very little and gives the customer a lot more data for their dollar. From an ethical standpoint, they shouldn’t give out the IP address and other locational information, but if I were a user on this system, I would want to know when and how many times people read the e-mail. Otherwise, the service wouldn’t be worth much at all. I think the issue here is that Didtheyreadit.com should refine the information they give in the best interest of both communicating parties.

    Also, why would they have a giant logo advertising their product? Most consumers might find this as a downside since most consumers pay Yahoo monthly so they do not have Yahoo advertising on their emails. It is intrusive to the user experience to add a logo.

    Despite all of this, I still strongly disagree with his quote:

    “If you’re upset that your friend sent you an e-mail using DidTheyReadIt, then that’s a problem between you and your friend.”

    because there clearly are privacy/security issues, I just think they actually are more of a side-effect than a desired feature.

  11. So my site is offline because I’ve graduated and have no way to put it online at the moment, but what I wanted to say was this:

    The thing that would fix most of the problems would be to run their subscription service as they do their free service: by number of messages using the service rather than by the length of the contract. For instance, if you put the cost at 1 penny per email containing the webbug, the cost would be astronomical for spammers (1 email to 1 million people would cost oh, $10,000), but probably small enough that your normal alice, bob, and charlie would use the service if they wanted to. At a cost of 1 cent per webbug, alice would have to send out 5000 tracked emails per year to keep up with subscription costs. For businesses, I just don’t see this being used as much. If they wanted to, they could set up this system themselves.

  12. “So there’s some kind of didtheyreadit logo or icon added to the mail?”

    No. Felten says that the company could have accomplished the goal of tracking readership by using a visible logo, but instead chose to use an invisible tracking image. (The implication is that they value nondisclosure higher than marketing or name recognition.)

    “As far as making the image say ‘delivery assured by didtheyreadit,’ I don’t think any such language would be informative to recipients about what is going on.”

    If the company had chosen to include a visible logo for marketing purposes, I assume it would be linked to their web site, which includes a description of their services.

  13. I don’t understand the comments about the image. So there’s some kind of didtheyreadit logo or icon added to the mail? Is this image loaded from the remote server, and is this the mechanism by which they detect that the mail was read? Or is it the case that the image is loaded locally (from an attachment within the email) and there is a separate “web bug” invisible image that is loaded remotely? I don’t see any privacy or operational difference between these two choices, but the first seems simpler.

    As far as making the image say “delivery assured by didtheyreadit”, I don’t think any such language would be informative to recipients about what is going on. They would have to say, “every time you read this message our web servers get notified, and we will keep a database of this usage information and supply it to the recipient, for a fee.” Only explicit language like this would really let people know what was going on.

  14. I suppose that “the head of deadtheyreadit” has a bit of Dr. Seuss quality about it, but I think the company still calls itself “didtheyreadit”.

    [Oops. That was a typo. It’s fixed now. — EWF]