HP's e-mail tracer in widespread use

The tracer software that Hewlett-Packard  investigators used to try to sniff out boardroom leaks sounded like it had been ripped from the pages of a bad science-fiction novel. That is, until the company began talking about it in detail at a congressional probe into the spying scandal.

The technology tool the company used, called a Web bug, is designed to allow e-mail senders to track the path a message takes, including whether a recipient opens the message and forwards it to another party. And it turns out the technology is widely used in e-mail newsletters to track readers and also by law enforcement in investigations, security experts say.

A spokesman for the California attorney general's office said that HP's use of Web bugs is not linked to the Oct. 4 charges for five people, including former HP Chairwoman Patricia Dunn and contractors, on allegations that they used false pretenses to access individuals' phone records. That case is about the practice of so-called pretexting.

Hewlett-Packard's boardroom leak investigation used technology called a Web bug attached to an e-mail message. It was part of an unsuccessful attempt to trick a journalist for CNet Networks into revealing her confidential source on the company's board of directors, HP Security Investigator Fred Adler told a congressional subcommittee at a hearing on Sept. 28. (Adler was not one of those named in the California charges.)

Prior to Adler's testimony, it was not clear what technique HP had used.

Richard Smith, an information security expert who founded Boston Software Forensics, said that most people who use the Internet have been subject to Web bugs. "Any kind of commercial e-mail is probably going to have them in there," he said.

HP turned to a small Australian company called ReadNotify.com to help track the e-mail messages. ReadNotify tracks both e-mail and Microsoft Office documents. It will tell when the e-mail you sent was read, and will guess the location of the recipient, based on the reader's IP address.

The ReadNotify service is popular in law enforcement and also in industrial espionage investigations, said Chris Drake, ReadNotify's chief technology officer.

In an e-mail exchange, Drake said he was informed of the HP case by the media, adding, "This is an extremely common and effective use of our technology." Drake said his company also believes it's legal, in its home country of Australia as well as the United States.

Here's how Web bugs work: The bug's author puts an image on a Web server with a unique website address, or URL, and then sends an e-mail that contains a link to this image. The image can be hidden from sight or within plain view--a corporate logo, for example.

When the e-mail is opened, the subject's computer looks up the image and in doing so sends the information to the Web server. Another way of doing this is for ReadNotify users to add ".readnotify.com" to the end of the recipient's e-mail address.

While Drake characterized ReadNotify's e-mail tracking tools as sophisticated, security consultant Smith noted it uses the same techniques as other Web bugs.