Archived Weblog Entry - 08/01/2004: "more on email snooping"

[Previous entry: "Email problems"] [Main Index] [Next entry: "CERT says don't use Internet Explorer"]

08/01/2004 Archived Entry: "more on email snooping"

Back in May I reported on DidTheyReadIt, and their use of "web bugs" in HTML-formatted email to let senders know where and when you read your email. Now another company, ReadNotify, has gotten into the business of invading your privacy. These guys use a different trick, the HTML "IFRAME" element, but it works basically the same way.

According to Scott Grannerman's SecurityFocus article, ReadNotify offers

Tracking: find out when email you send gets read, where the reader is located, how long they read it for, if they printed it out, whether they forwarded it to someone else, and much more.
Certify your email: get proof-of-sending and proof-of-opening digitally signed and time-stamped court-admissible receipts.
Self Destructing Email which blocks printing, copy, save, forward, print-screen, can be retracted after sending and deletes itself after being read.
Ensured Receipts guarantee you get a receipt when your email gets opened, and lets you retract your emails after sending.

The good news: if you've followed my advice, and read your email as ASCII text, you're safe. As an alternative, Grannerman recommends KMail as an email program that can block this nonsense. From his description it sounds like KMail is smart and flexible in how it handles HTML email. But both Mozilla and Eudora provide the blunter-but-equally-effective option of disabling HTML entirely. If you must read HTML-formatted email, and you're running Linux, KMail might be worth a look.

Microsoft Outlook, as you might expect, doesn't allow this option and is vulnerable to this privacy invasion. And I strongly suspect that web-based email accounts like Yahoo and Hotmail are also vulnerable. You can't even block this by disabling images in your browser. If you must use web-based email, and you need to block this snooping, I think your only hope is to install an older web browser that doesn't support the IFRAME element. That probably means something like Netscape 3, which is pretty useless for the majority of web pages. (You might also try Proxy Auto Configuration to block access to ReadNotify's server, but I think that might also block you from reading the bugged email. Not necessarily a bad thing -- do you want to accept email from people who would do this to you?)

If anyone can suggest web broswers that can block the IFRAME element, please let me know. And if someone wants to sign up for the free trial of ReadNotify's service, and send me an email through them, I'd be very interested to dissect it.

Update: I've just checked and the Opera 7 web browser allows you to disable IFRAMEs. Go to File/Preferences/Page Style and turn off "Enable inline frames". Kudos again to the folks at Opera Software.

brad