December 21, 2024

Designed for Spying

A Mark Glassman story at the New York Times discusses the didtheyreadit email-tracking software that I wrote about previously.

The story quotes the head of didtheyreadit as saying that the purpose of the software is to tell whether an email reached its intended recipient. “I won’t deny that it has a potentially stealth purpose,” he adds. He implies pretty strongly that the stealthiness is just a side-effect and not in fact the main goal of the product.

The fact is that spying is built into the didtheyreadit product, by design. For example, it would have been easier for them to report to a message’s original sender only whether a message had ever been read: “Yes, it’s been read” or “No, it hasn’t been read yet”, and nothing more. Instead, they went to the extra trouble to report all kinds of additional information to the sender.

It does seem to be a side-effect of their web-bug-based design that didtheyreadit could gather much more information about where and when a message was read. But nothing forces them to actually collect and store this extra information, and nothing forces them to report it to anybody. They made a design choice, to store and pass on as much private information as they could.

Even the basic stealthiness of the product was a deliberate design choice. They are already adding an image to email messages. Why not make the image some kind of “delivery assured by didtheyreadit” icon? That way the message recipient would know what was happening; and the icon could be used for viral marketing – click it and you’re taken to the didtheyreadit site for a sales pitch. Why did they pass up this valuable marketing opportunity? They made a design choice to hide their product from email recipients.

Sometimes engineering imperatives force us to accept some bad features in order to get good ones. But this is not one of those cases. didtheyreadit is designed as a spying tool, and the vendor ought to admit it.

Word Tracking Bug Demo and Remover

Alex Halderman has created a page about the Word tracking bugs I described yesterday. He offers an example Word tracking bug for you to examine, and a scanner program that can find and remove Word tracking bugs on your computer.

Email Tracking: It Gets Worse

When I wrote Monday about the new didtheyreadit.com privacy-invading email tracking system, I had no idea that an even more invasive system has been on the market for two years or so. This system, called readnotify.com, was pointed out by commenter Brian Parsons.

readnotify.com is an email tracking system that uses Web bugs (like didtheyreadit) and also uses a trick involving IFRAMEs (unlike didtheyreadit). The IFRAME trick cannot be disabled by the standard countermeasure of turning off remote image loading. There may not be an easy way to disable it in today’s email software, short of turning off HTML email entirely.

Worse yet, readnotify offers a service that lets anyone put hidden tracking bugs in Word documents, Excel spreadsheets, and other OLE-compliant document formats. When somebody opens a document containing one of these trackers, the time of the access is reported, along with the accessor’s IP address (which often reveals their geographic location) and some configuration information about their computer.

The vulnerability in Word that readnotify exploits was discovered back in 2000 by Richard M. Smith. It got some press coverage back then, but was mostly ignored because there were no reports (at that time) of anybody exploiting the vulnerability. Now there are commercial products that exploit it. It’s time for Microsoft to fix this vulnerability.

New Email Spying Tool

A company called didtheyreadit.com has launched a new email-spying tool that is generating some controversy, and should generate more. The company claims that its product lets you invisibly track what happens to email messages you send: how many times they are read; when, where (net address and geographic location), and for how long they are read; how many times they are forwarded, and so on.

The company has two sales pitches. They tell privacy-sensitive people that the purpose is to tell a message’s sender whether the message got through to its destination, as implied by their company name. But elsewhere, they tout the pervasiveness and invisibility of their tracking tool (from their home page: “email that you send is invisibly tracked so that recipients will never know you’re using didtheyreadit”).

Alex Halderman and I signed up for the free trial of the service, and sent tracked messages to a few people (with their consent), to figure out how the product works and how it is likely to fail in practice.

The product works by translating every tracked message into HTML format, and inserting a Web bug into the HTML. The Web bug is a one-pixel image file that is served by a web server at didtheyreadit.com. When the message recipient views the message on an HTML-enabled mailer, his viewing software will try to load the web bug image from the didtheyreadit server, thereby telling didtheyreadit.com that the email message is being viewed, and conveying the viewer’s network address, from which his geographic location may be deduced. The server responds to the request by streaming out a file very slowly (about eight bytes per second), apparently for as long as the mail viewer is willing to keep the connection open. When the user stops viewing the email message, his mail viewer gives up on loading the image; this closes the image-download connection, thereby telling didtheyreadit that the user has stopped viewing the message.

This trick of putting Web bugs in email has been used by spammers for several years now. You can do it yourself, if you have a Web site. What’s new here is that this is being offered as a conveniently packaged product for ordinary consumers.

Because this is an existing trick, many users are already protected against it. You can protect yourself too, by telling your email-reading software to block loading of remote images in email messages. Some standard email-filtering or privacy-enhancement tools will also detect and disable Web bugs in email. So users of the didtheyreadit product can’t be assured that the tracking will work.

It’s also possible to detect these web bugs in your incoming email. If you look at the source code for the message, you’ll see an IMG tag, containing a URL at didtheyreadit.com. Here’s an example:

<img src=”http://didtheyreadit.com/index.php/worker?code=e070494e8453d5a233b1a6e19810f” width=”1″ height=”1″ />

The code, “e0704…810f” in my example, will be different in each tracked message. You can generate spurious “viewing” of the tracked message by loading the URL into your browser. Or you can put a copy of the entire web bug (everything that is intended above) into a Web page or paste it into an unrelated email message, to confuse didtheyreadit’s servers about where the message went.

Products like this sow the seeds of their own destruction, by triggering the adoption of technical measures that defeat them, and the creation of social norms that make their use unacceptable.

Thoughts on the Gmail Privacy Flap

I have to admit I’m surprised at the magnitude of the recent controversy about Gmail, Google’s new webmail service. Gmail is a free webmail service, giving you up to one gigabyte of storage for email. The service shows you text ads alongside your messages, and provides various search features for your mail. The service has been surprisingly controversial, triggering angry blog-entries, letters from privacy groups, and even an anti-Gmail bill in the California state senate.

It’s important to separate complaints about what Gmail is doing now, from complaints about what the Gmail user agreement allows them to do later.

The main complaint about Gmail’s present design has to do with the text-based ads that Gmail is said to display alongside your email. To decide which ads to place, Gmail looks at the content of your email. Presumably this is a straightforward application of Google’s AdWords system (which used to appear on this site).

I’m not entirely sure why people are offended by the running of a (presumably memoryless) word-matching algorithm over their email, or the displaying of word-triggered ads. The scanner, by itself, wouldn’t bother me at all, since advertisers don’t find out who saw their ads. Users who click on the ads will be taken to the advertisers’ sites, which might try to identify them, but that’s not a new risk, and it’s controllable by the user. Other kinds of scanners, for instance onces that made summaries of my email for sale to third parties, would bother me a lot; but that’s not what Gmail is doing.

The other complaint about Gmail has been about the terms of its user agreement. There’s no doubt that the terms are egregious; but they don’t seem much worse than the terms imposed by other companies. (Seth Finkelstein makes this point well.) Hotmail’s terms of use are pretty distasteful too. So why the big flap over this particular agreement?

Don’t get me wrong. I’m glad to see people screaming about outrageous user agreements. It’s just that I would like to see some of that same anger directed elsewhere, to bring more balance into user agreements for all kinds of products. I hope the Gmail flap will cause people to look at other agreements in the same light.

I was never a likely customer for Gmail. But I can say for sure that the terms of service are enough to eliminate any remaining chance that I would switch to Gmail as my main email provider.