DonkBoy Internet
Emails Can Betray Personal Info
------------------------------------------------------------
Privacy groups are petitioning the FTC to address what they call a
major privacy concern involving email software.
They took action after software analyst Richard Smith reported a
loophole that enables unsolicited emails to retrieve personal
information using anonymous Web cookies.
"Web browser cookies and email messages don't mix," said
Smith, who
frequently analyzes software for security and privacy problems.
Cookies are anonymous identifiers collected by Web sites from a
user's browser to identify return visitors.
"Web surfing is supposed to be anonymous, but with the cookie
leak
security hole, companies can easily match our email addresses to
the Web sites we visit."
Smith said that the data tracking is set up by sending a Web page
in email. The messages' HTML code contains enhanced cookie
information that includes the recipient's email address. Anyone
using Netscape Communicator, Qualcomm Eudora, and Microsoft Outlook
is vulnerable, since those programs can view messages as HTML pages
and store cookies without the recipient's knowledge.
Using code that embeds graphics into the email message, the sender
can easily cause the recipient's email address to be sent along
with a cookie to Web sites they visit, Smith said.
Smith sent a report of his finding to the FTC earlier this week.
The Consumer Project on Technology, the Electronic Frontier
Foundation, the Electronic Privacy Information Center, and the
Center for Media Education joined Smith in calling for the loophole
to be closed.
Privacy Advocates Condemn Tracking Device
------------------------------------------------------------
KALPANA SRINIVASAN, Nando Times
Consumer and privacy advocates asked regulators Friday to force
software makers to seal an e-mail feature they claim enables
companies to track World Wide Web sites people visit.
The groups fear that companies could exploit the technology to
match up people's e-mail addresses and possibly other personal
information with their Internet surfing habits. That could open the
door for intensive marketing of services and products to people who
have visited certain sites, they said.
"This feature is so subtle and difficult to understand that
the
average consumer can't be expected to avoid the invasion of privacy
it causes," said Jason Catlett, president of Junkbusters Corp., a
New Jersey-based company that specializes in Internet privacy
matters.
Junkbusters, along with the Electronic Privacy Information Center,
Center for Media Education, Electronic Frontier Foundation and
others filed a petition Friday with the Federal Trade Commission.
It asked that Microsoft, Netscape and other software makers change
the situation that makes such tracking possible.
"It's really incumbent on the FTC to protect consumers from
the
risks," Catlett said.
The groups and security expert Richard Smith describe the problem
as follows: Because some e-mail messages contain graphics that must
be retrieved from the Web, a technical factor makes it possible for
the person receiving the e-mail to be assigned an identification
number, or "cookie." That cookie can then be silently transmitted
as the person surfs the Web, according to the groups.
What's more, they say, the cookie could then be traced back to the
person's e-mail address in certain cases.
"My concern here is where the Internet marketing business is
heading," Smith said. He fears the feature will allow for more one-
to-one tracking and direct marketing.
The groups said they feel confident the software makers will work
on the problem.
Richard Purcell, Microsoft's chief privacy officer, said the
company's engineers are investigating it.
"We are trying to determine if there is a true technology flaw
involved, or if this is good technology being exploited for
purposes that our unwanted by consumers," Purcell said. "It is too
early, unfortunately, to know what remedies could be put in place."
Purcell also said safeguards exist for consumers to ensure that
when they get e-mails displaying Web pages, they come from sites
they trust.
The advocates said they brought the matter to the FTC so that
smaller companies also would be required to act on the issue.
"We will give it serious review," said FTC spokeswoman
Vicki
Streitfeld.