PRIVACY Forum Archive Document
PRIVACY Forum Digest     Friday, 28 May 2004     Volume 13 : Issue 03

( http://www.vortex.com/privacy/priv.13.03 )

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for
Computing Machinery) Committee on Computers and Public Policy, and
Telos Systems.
- - -
These organizations do not operate or control the PRIVACY Forum in
any manner, and their support does not imply agreement on their part
with nor responsibility for any materials posted on or related to
the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
    Privacy and Security Risks in Rampell's E-Mail Surveillance Service
        (Lauren Weinstein)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both
personal and collective) in the "information age" of the 1990's and
beyond. The moderator will choose submissions for inclusion based on
their relevance and content. Submissions will not be routinely
acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must
have RELEVANT "Subject:" lines; submissions without appropriate and
relevant "Subject:" lines may be ignored. Excessive "signatures" on
submissions are subject to editing. Subscriptions are via an automatic
list server system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a
message to: "privacy-request@vortex.com". Mailing list problems should
be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributed and archived without limitations.

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site
"ftp ftp.vortex.com", in the "/privacy" directory. Use the FTP login
"ftp" or "anonymous", and enter your e-mail address as the password.
The typical "README" and "INDEX" files are available to guide you
through the files available for FTP access. PRIVACY Forum materials may
also be obtained automatically via e-mail through the list server
system. Please follow the instructions above for getting the list
server "help" information, which includes details regarding the "index"
and "get" list server commands, which are used to access the PRIVACY
Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher
system via a gopher server on site "gopher.vortex.com/". Access to
PRIVACY Forum materials is also available through the Internet World
Wide Web (WWW) via the Vortex Technology WWW server at the URL:
"http://www.vortex.com"; full keyword searching of all PRIVACY Forum
files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 13, ISSUE 03

Quote for the day:

    "Villainy wears many masks, none so dangerous
     as the mask of virtue."

        -- Ichabod Crane (Johnny Depp)
           "Sleepy Hollow" (Paramount; 1999)

----------------------------------------------------------------------

Date:    Thu, 27 May 2004 13:00:00 PDT
From:    Lauren Weinstein <lauren@vortex.com>
Subject: Privacy and Security Risks in Rampell's E-Mail Surveillance Service

Greetings. There's been a lot of publicity over the last few days about
Rampell Software's DidTheyReadIt.com service.
There have been other software tracking systems introduced before, but
this one, by including features that attempt to determine how long a
message is kept open (as well as whether it was received, who you
forwarded it to, etc.) is worthy of particular disdain and concern.

There's more than just basic privacy issues involved. Many individuals,
businesses, and particularly government entities may have serious
security issues regarding capabilities that can expose information
about when a particular person has read a message, and perhaps
potentially even if they are still actually sitting there reading the
message right now. The possible dangers are fairly obvious -- knowledge
of the hours a person works, when they tend to be in their office, etc.
can be easily abused in sensitive environments.

Some of these features not only depend upon invisible image "Web bugs"
used in a "conventionally invasive" manner, but also reportedly feed a
slow stream of data to your system during the entire interval you're
reading a message (that's how their "how long were you reading the
message" function apparently operates).

Luckily, there are several ways to protect yourself not only from
Rampell and their customers but also from other mail tracking services:

- Use a text-based e-mail reader, not an html mail reader, for most
  mail.

  Do you really need to see all the fonts and associated frills in most
  e-mail? What kind of mail is most likely to be full of such stuff?
  Spam of course! When you need to display image or document
  attachments they can still be processed externally. Text-based e-mail
  systems also can provide essentially complete protection against all
  virus, worm, and related attacks that use e-mail as their vectors. I
  use a text-based e-mail system for 99.9% of all my mail quite
  successfully. And I get a lot of e-mail.

- Turn off image display in your html mail reader.

  E-mail tracking systems that claim to work regardless of where mail
  is sent typically depend upon the recipient retrieving images (often
  invisible images) from central servers. One way to stop that process
  is of course to read your e-mail offline, though that isn't practical
  for most of us. But various html mail reading systems allow you to
  turn off image display (and typically retrieval as well) for e-mail
  messages (you can turn it back on when you really need it for
  particular items). If you don't retrieve the images or Web bugs,
  e-mail tracking systems that need them won't work. And of course, you
  should never allow javascript in e-mail messages to be processed, nor
  allow attachments to be executed.

- Server blocking.

  System administrators and others may choose to determine (from
  viewing e-mail raw source data) the names and/or IP numbers related
  to the servers used by Rampell or others to serve the tracking
  images. If these servers are blocked at firewalls or other filters
  the tracking systems will be rendered impotent.

Until legislation and the legal system recognize the risks in such
e-mail tracking and provide appropriate restrictions and remedies, you
need to protect yourself.

--Lauren--
Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Co-Founder, URIICA - Union for Representative International Internet
                     Cooperation and Analysis - http://www.uriica.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://www.vortex.com/lauren-blog

------------------------------

End of PRIVACY Forum Digest 13.03
************************
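
The "server blocking" step in the message above, sketched as an added example that is not part of the original digest: it reads a message's raw source, lists the hosts its HTML part would fetch images from, and flags images that are 1x1 or hidden. The sample message and the names cdn.example and tracker.example are constructed placeholders, and the size/visibility test is an assumed heuristic.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _ImgCollector(HTMLParser):
    """Collect <img> tags whose src makes the mail reader contact a server."""
    def __init__(self):
        super().__init__()
        self.images = []  # (url, looks_like_web_bug)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("src", "").strip()
        # cid:, data: and relative references never leave the machine.
        if tag != "img" or urlsplit(url).scheme not in ("http", "https"):
            return
        dims = {a.get("width", "").strip(), a.get("height", "").strip()}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        self.images.append((url, bool(dims & {"0", "1"}) or hidden))

def remote_image_hosts(raw_message: bytes) -> dict:
    """Map each remote image host in the HTML parts to its URLs and a flag."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hosts = {}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for url, bug in collector.images:
            entry = hosts.setdefault(urlsplit(url).hostname, {"urls": [], "web_bug": False})
            entry["urls"].append(url)
            entry["web_bug"] = entry["web_bug"] or bug
    return hosts

# Constructed sample message; cdn.example and tracker.example are placeholders.
SAMPLE = b"""Subject: Quarterly numbers
Content-Type: text/html; charset="us-ascii"

<html><body><p>Numbers attached.</p>
<img src="http://cdn.example/logo.png" width="120" height="40">
<img src="http://tracker.example/t?id=abc123" width="1" height="1">
<img src="cid:chart1"></body></html>
"""

if __name__ == "__main__":
    print(remote_image_hosts(SAMPLE))
```

Hosts flagged with web_bug are the candidates for a firewall or filter block list; unflagged hosts still reveal that the message was opened if images are retrieved.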
Copyright © 2005 Vortex Technology. All Rights Reserved.