HP E-Mail Tracer Commonly Used (UPDATED)

Since this story was originally posted, it has been updated to correct the description of the legal filings against Patricia Dunn, HP employees and contractors.

The tracer software that Hewlett-Packard (HP) investigators used to try to sniff out boardroom leaks sounded like it had been ripped from the pages of a bad science-fiction novel. That is, until the company began talking about it in detail at a congressional probe into the spying scandal.

The technology tool the company used, called a Web bug, is designed to allow e-mail senders to track the path a message takes, including whether a recipient opens the message and forwards it to another party. And it turns out the technology is widely used in e-mail newsletters to track readers and also by law enforcement in investigations, security experts say.

A spokesman for the California attorney general’s office said that HP’s use of Web bugs is not linked to the Oct. 4 charges of five people, including former HP Chairwoman Patricia Dunn and contractors, on allegations that they used false pretenses to access individuals’ phone records. That case is about the practice of so-called pretexting.

Hewlett-Packard’s boardroom leak investigation used technology called a Web bug attached to an e-mail message. It was part of an unsuccessful attempt to trick a journalist for CNet Networks into revealing her confidential source on the company’s board of directors, HP Security Investigator Fred Adler told a congressional subcommittee at a hearing on Sept. 28. (Adler was not one of those named in the California charges.)

Prior to Adler’s testimony, it was not clear what technique HP had used.

Richard Smith, an information security expert who founded Boston Software Forensics, said that most people who use the Internet have been subject to Web bugs. “Any kind of commercial e-mail is probably going to have them in there,” he said.

HP turned to a small Australian company called ReadNotify.com to help track the e-mail messages. ReadNotify tracks both e-mail and Microsoft Office documents. It will tell when the e-mail you sent was read, and will guess the location of the recipient, based on the reader’s IP address.

The ReadNotify service is popular in law enforcement and also in industrial espionage investigations, said Chris Drake, ReadNotify’s chief technology officer.

In an e-mail exchange, Drake said he was informed of the HP case by the media, adding, “This is an extremely common and effective use of our technology.” Drake said his company also believes it’s legal, in its home country of Australia as well as the United States.

Here’s how Web bugs work: The bug’s author puts an image on a Web server with a unique website address, or URL, and then sends an e-mail that contains a link to this image. The image can be hidden from sight or within plain view—a corporate logo, for example.

When the e-mail is opened, the subject’s computer looks up the image and in doing so sends the information to the Web server. Another way of doing this is for ReadNotify users to add “.readnotify.com” to the end of the recipient’s e-mail address.

While Drake characterized ReadNotify’s e-mail tracking tools as sophisticated, security consultant Smith noted it uses the same techniques as other Web bugs.

When the question of whether Web bugs are legal has been tested in the United States, courts have tended to focus on whether this type of technology violates federal wiretapping laws, said Chris Jay Hoofnagle, senior staff attorney with the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley.

Hoofnagle said state courts could take up the issue of Web bugs, considering antihacking laws in states like California. California law prohibits certain use of computer resources without the permission of the user, and nobody knows for sure whether HP’s actions would violate this law or similar statutes in other states, Hoofnagle said. At the hearing before House Energy and Commerce Committee members, HP’s Adler said his company had used them “a dozen to two dozen” times in the three years he had worked there and considers them to be a legitimate investigation tool.

-Robert McMillan, IDG News Service (San Francisco Bureau)