[Infowarrior] - How HP bugged e-mail

Thu Sep 28 23:18:56 EDT 2006

How HP bugged e-mail

By Joris Evers
http://news.com.com/How+HP+bugged+e-mail/2100-1029_3-6121048.html

Story last modified Thu Sep 28 18:39:56 PDT 2006

Hewlett-Packard employed a commercial service that tracks e-mail paths to
bug a file sent to a CNET News.com reporter, an HP investigator said
Thursday.

HP investigators used the services of ReadNotify.com to trace an e-mail sent
to reporter Dawn Kawamoto in an attempt to uncover her source in a media
link, Fred Adler, an HP security employee, said during testimony before a
U.S. House of Representatives subcommittee.

Adler's testimony, for the first time since the HP boardroom drama erupted,
specified how the company bugged the e-mail it sent to Kawamoto. Moreover,
Adler said that it's still company practice to use e-mail bugs in certain
cases.

"That was and still is current policy," he said. "It still is sanctioned by
my management as an investigative tool, we have used it in the past for
investigations, for determining the locations of stolen product and
what-not, and we have also assisted law enforcement."

The tracking mechanism provided by ReadNotify would allow investigators to
see who opened the file attached to the e-mail, Adler said. The objective
was to determine whether the journalist would forward the e-mail to her
source, and to then determine the source of the leaks of HP confidential
information.

Through ReadNotify, investigators would see when the e-mail attachment was
opened and the Internet Protocol, or IP, address of the computer it was
opened on, Adler said. An IP address can disclose the geographic location of
a user, as well as the Internet service provider used to connect to the
Internet.

"We suspected it would be Mr. Keyworth that would be the recipient," Adler
said, referring to George Keyworth, the HP board member who has admitted he
leaked information to the media.

During a press conference at HP headquarters last week, Michael J. Holston,
a lawyer hired by HP, said that bugging e-mail did not yield results in this
case.

ReadNotify, which operates as an online service, provides a free trial that
lets anyone send 25 bugged e-mails, according to its Web site. Subscriptions
are offered starting at $24 per year. A premium $36-a-year subscription is
required to bug files such as Office and PDF documents. A similar service
operates as MailTracking.com.

ReadNotify's service makes bugging e-mail a matter of pointing and clicking.
The ReadNotify Web page will generate a document with an image. This image,
a green check mark, can simply be dragged and dropped into the document that
needs to be traced. The check mark becomes transparent after being dropped.

Users of the service register their e-mail addresses with ReadNotify, then
simply append ".readnotify.com" to any e-mail address they send mail to if
they want the message to be tracked. Recipients won't see this suffix, but
could tell from the e-mail headers that the message was relayed.
ReadNotify

In the default ReadNotify setting, an e-mail recipient could discover
something is awry because a return receipt message may pop up, but the
service also has an "invisible tracking" setting, according to the Web site.

ReadNotify offers a range of tracking options. Users can see the IP
addresses of those who opened bugged e-mails or documents, including details
on when the mail or file was opened. The service also shows some data on the
PC and e-mail program. If the mail or file was forwarded, it shows the same
data on that person.

The ReadNotify service appears to use what's known as a Web bug, a technique
also employed by some e-mail marketers. An e-mail or a document sent through
ReadNotify includes hidden links to one or more files hosted by the service.
When the message or the file is opened, the program retrieves the files and
by doing so checks in with ReadNotify. A typical recipient will not notice
this. The e-mail is crafted in HTML, or Hypertext Markup Language, and the
tracer files are not visible. The actual links that retrieve the files will
only show when viewing the source of the e-mail, for example through a
program like Notepad. A firewall could alert the user of the Web traffic,
however.

A spokesman for ReadNotify, Chris Drake, reached via e-mail could not
immediately comment for this story.

During testimony before Congress on Thursday, the legality of including a
bug in e-mail messages was questioned.

"I think the law regarding that is not as clear as it should be," Larry
Sonsini, HP's outside lawyer, said in response to questions from Rep. Jay
Inslee, a Washington Democrat. "Depending on how it is used and the
methodologies, it could very well implicate federal or state statutes,"
Sonsini said.
In the terms of use posted on its Web site, ReadNotify stipulates that its
services should be used for "lawful purposes only." The company goes on to
say that its product should not be used to transmit "intentionally deceptive
e-mail messages."

Use of the e-mail bug is one of the possibly illegal methods used in HP's
investigation into boardroom leaks. The Palo Alto, Calif., company is also
facing heat over the use of "pretexting," which refers to the use of
fraudulent means to obtain someone else's personal records.

In testimony Thursday, CEO Mark Hurd said it is important for the company to
lead, not follow when it comes to consumer privacy. "I am going to go back
to that technology and look specifically at every use of that kind of
send-receive technology and make sure there is absolute clarity," he said of
the use of e-mail tracing.

Adler's testimony was part of a full day of hearings into the HP spying
scandal by an oversight and investigations subcommittee of the House of
Representatives' Energy and Commerce Committee. Hurd and former Chairman
Patricia Dunn also testified, but several other HP employees and contractors
invoked their Fifth Amendment rights against self-incrimination.