The tracer software that Hewlett-Packard investigators used to try to sniff out boardroom leaks sounded like it had been ripped from the pages of a bad science-fiction novel. That is, until the company began talking about it in detail at a congressional probe into the spying scandal.
The technology tool HP used, called a web bug, is designed to allow email senders to track the path a message takes, including whether a recipient opens the message and forwards it to another party. But it turns out, the technology is nothing new and is widely used in email newsletters to track readers and also by law enforcement in investigations, security experts say.
A spokesman for the California attorney general’s office says HP’s use of web bugs is not linked to the October 4 charges of five people, including former HP chairwoman Patricia Dunn and contractors, on allegations that they used false pretences to access individuals’ phone records. That case is about the practice of so-called pretexting.
HP’s boardroom leak investigation used a web bug attached to an email message. It was part of an unsuccessful attempt to trick a journalist for CNet Networks into revealing her confidential source on the company’s board of directors, HP security investigator Fred Adler told a congressional sub-committee at a hearing last month. Adler was not one of those indicted.
Richard Smith, an information security expert who founded Boston Software Forensics, says most people who use the internet have been subject to web bugs. “Any kind of commercial email is probably going to have them in there,” he says.
HP turned to a small Australian company called ReadNotify.com to help track the email messages. ReadNotify tracks both email and Microsoft Office documents. It can tell when an email sent was read and guess the location of the recipient, based on the reader’s IP address.
The ReadNotify service is popular in law enforcement and also in industrial espionage investigations, says Chris Drake, ReadNotify’s chief technology officer.
In an email exchange, Drake says he was informed of the HP case by the media, adding, “This is an extremely common and effective use of our technology.” Drake says his company believes what it does is legal in Australia and in the US.
Here’s how web bugs work: the bug’s author puts an image on a web server with a unique URL and then sends an email that contains a link to this image. The image can be hidden from sight or within plain view — a corporate logo, for example.
When the email is opened, the subject’s computer looks up the image and in doing so sends the information to the web server. Another way of doing this is for ReadNotify users to add “.readnotify.com” to the end of the recipient’s email address.
While Drake characterises ReadNotify’s email tracking tools as sophisticated, security consultant Smith says it uses the same techniques as other web bugs.
When the question of whether web bugs are legal has been tested in the US, courts have tended to focus on whether this type of technology violates federal wiretapping laws, says Chris Jay Hoofnagle, a lawyer at the University of California, Berkeley.
Hoofnagle says state courts could take up the issue of web bugs as anti-hacking laws in some US states prohibit certain uses of computer resources without the permission of the user, and nobody knows for sure whether HP’s actions would violate thses laws. At the hearing before House Energy and Commerce Committee members, HP’s Adler said his company had used them “a dozen to two dozen” times in the three years he had worked there, and he considers them to be a legitimate investigation tool.