
Email Privacy Hole: Who Knew?
------------------------------------------------------------

Chris Oakes, Wired News

News of an email-based privacy hole may represent yet another
frontier for electronic privacy invasion: email messages that
interact with Web servers.

As usual, the discovery was accidental, catching software companies
off-guard.

"What I got was 'Hmm, interesting,'" said Richard Smith of
Netscape's and Microsoft's response when he notified the companies
Wednesday that their software was affected by his finding.
Smith, a software consultant, has discovered many other privacy
problems involving Internet software.

Smith pulled the vulnerability from a tangle of conflicting
functions among email programs, Web software, and Internet-based
servers. As has been the case with previous e-privacy problems, few
had considered the issue until a software expert decided to take a
look.

Alerted by Smith, Microsoft and Netscape deployed engineers to
analyze the vulnerability and determine whether their software
should be altered.

"We're taking a hard look at what's going on here," Microsoft
spokesman Adam Sohn said Friday. The company drew no immediate
conclusions from Smith's findings.

The software may present potential methods of misuse, but software
cannot be expected to eliminate vulnerabilities altogether. If a
new exploit turns up that raises the possibility of useful software
being used in negative ways, that's inherent in any technology.

"Our job is to limit those opportunities," Sohn said. "Bad people
can sometimes do bad things with good technology."

The possibility of interaction between Web sites and the messages
in users' email once again demonstrates that an increasingly
networked world brings an increasingly dense thicket of problems.

That's partly why privacy groups requested that the Federal Trade
Commission oversee the resolution of the new email software
problem. Smith sent a report of his finding to the FTC earlier this
week.

The Consumer Project on Technology, the Electronic Frontier
Foundation, the Electronic Privacy Information Center, and the
Center for Media Education joined Smith's demand that the loophole
be closed.

Privacy advocates viewed the latest example of user vulnerability
on the Internet as a test of whether the FTC can effect changes
that minimize such surprises.


The privacy loophole enables unsolicited emails to retrieve
personal information using anonymous Web cookies. Cookies are
anonymous identifiers Web sites collect from a user's browser to
identify return visitors. But when the cookies are produced by way
of an emailed Web page, marketers can much more easily match
cookies with personally identifiable information on users'
subsequent visits to their Web sites.
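
Seen from the receiving side, the exposure comes down to which remote resources an HTML message makes the mail program fetch when it is displayed. The following is an added example, not part of the original article: it lists those fetches for one message. The attribute list, the sample message and the ads.example host are constructed assumptions.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs fetched automatically on render (assumed, not exhaustive).
AUTO_FETCH = {
    ("img", "src"), ("iframe", "src"), ("frame", "src"), ("script", "src"),
    ("embed", "src"), ("link", "href"), ("body", "background"),
    ("table", "background"), ("td", "background"),
}

class _RemoteRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value:
                parts = urlsplit(value.strip())
                if parts.scheme in ("http", "https"):
                    self.refs.append((tag, parts.hostname, value.strip()))

def remote_references(raw_message):
    """Return (tag, host, url) for each auto-fetched remote URL in HTML parts."""
    msg = message_from_string(raw_message, policy=default)
    finder = _RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.refs

# Constructed sample message; hosts and paths are placeholders.
SAMPLE = """\
From: offers@ads.example
To: reader@mail.example
Subject: Spring sale
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://ads.example/banner.gif" width="468" height="60">
<img src="cid:logo123">
<a href="http://ads.example/sale">Shop now</a>
</body></html>
"""

if __name__ == "__main__":
    print(remote_references(SAMPLE))
```

Only the first image is reported: the `cid:` image is carried inside the message, and the link is fetched only if the reader clicks it.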

The functions may not be exploited by marketers today, but would
inevitably be utilized as the online marketing industry matures,
Smith said.

"There are email marketing companies that send out messages to
people [on mailing lists], then there are banner ad companies that
maintain anonymous profiles for serving up banner ads," he said.

As the companies begin to merge or partner with each other -- a
trend Smith said has already begun -- the uses of their combined,
collected data become exponentially more potent.

"When they combine forces ... you can start combining those two
databases."

John Levine, a board member of the Coalition Against Unsolicited
Email, and author of Internet for Dummies, said he suspects email-
enabled cookies may already be coursing the Web.

"It's so technically straightforward I would be astonished if it
didn't [happen]. It's just a matter of time before some clever
marketer decides to," Levine said.

FTC spokeswoman Vicky Stretfeld said the agency will give the issue
serious attention.

"Privacy issues are of utmost concern to the commission, and we
will give it a serious review." FTC lawyers will evaluate the
request, she said.

Smith hopes the agency will begin to evaluate more than this single
incident.

"The key point to look out for here is the technical progress in
the banner ad business," he warned in his report to the commission.
"If banner ad companies enter the email servicing business, they'll
be putting themselves in a very good position to also know the
identity of people who are surfing to Web sites."

Concluded Smith: "This 'progress' represents yet another step in
the erosion of privacy on the Internet."
