HP used a commercial service that tracks email paths to bug a file sent to a CNET News.com reporter, an HP investigator said on Thursday.
HP investigators used the services of ReadNotify.com to trace an email sent to reporter Dawn Kawamoto in an attempt to uncover her source in a media leak, Fred Adler, an HP security employee, said during testimony before a US House of Representatives subcommittee.
Adler's testimony, for the first time since the HP boardroom drama erupted, specified how the company bugged the email it sent to Kawamoto. Moreover, Adler said that it's still company practice to use email bugs in certain cases.
"That was and still is current policy," he said. "It still is sanctioned by my management as an investigative tool, we have used it in the past for investigations, for determining the locations of stolen products and what-not, and we have also assisted law enforcement."
The tracking mechanism provided by ReadNotify would allow investigators to see who opened the file attached to the email, Adler said. The objective was to determine whether the journalist would forward the email to her source, and to then determine the source of the leaks of HP confidential information.
Through ReadNotify, investigators would see when the email attachment was opened and the Internet Protocol, or IP, address of the computer it was opened on, Adler said. An IP address can disclose the geographic location of a user, as well as the Internet service provider used to connect to the Internet.
"We suspected it would be Mr Keyworth who would be the recipient," Adler said, referring to George Keyworth, the HP board member who has admitted he leaked information to the media.
During a press conference at HP headquarters last week, Michael J Holston, a lawyer hired by HP, said that bugging email did not yield results in this case.
ReadNotify, which operates as an online service, provides a free trial that lets anyone send 25 bugged emails, according to its Web site. Subscriptions are offered starting at $24 (£12.85) per year. A premium $36 (£19.29)-a-year subscription is required to bug files such as Office and PDF documents. A similar service operates as MailTracking.com.
ReadNotify's service makes bugging email a matter of pointing and clicking. The ReadNotify Web page will generate a document with an image. This image, a green check mark, can simply be dragged and dropped into the document that needs to be traced. The check mark becomes transparent after being dropped.
Users of the service register their email addresses with ReadNotify, then simply append ".readnotify.com" to any email address they send mail to if they want the message to be tracked. Recipients won't see this suffix, but could tell from the email headers that the message was relayed.
In the default ReadNotify setting, an email recipient could discover something is awry because a return receipt message may pop up, but the service also has an "invisible tracking" setting, according to the Web site.
ReadNotify offers a range of tracking options. Users can see the IP addresses of those who opened bugged emails or documents, including details on when the mail or file was opened. The service also shows some data on the PC and email program. If the mail or file was forwarded, it shows the same data on that person.
The ReadNotify service appears to use what's known as a Web bug, a technique also employed by some email marketers. An email or a document sent through ReadNotify includes hidden links to one or more files hosted by the service. When the message or the file is opened, the program retrieves the files and by doing so checks in with ReadNotify.
A typical recipient will not notice this. The email is crafted in HTML, or Hypertext Markup Language, and the tracer files are not visible. The actual links that retrieve the files will only show…
…when viewing the source of the email, for example through a program such as Notepad. A firewall could alert the user of the Web traffic, however.
"ReadNotify uses a combination of up to 36 different simultaneous tracking techniques," Chris Drake, the company's Sydney, Australia-based chief technology officer said in an email interview. "One or more of these usually works in all different email clients and operating systems, making us the most powerful and reliable tracking service on the Internet."
In short, ReadNotify uses more technologies than simple Web bugs, Drake said. "All good email programs have blocked these now and most anti-spam programs reject them too, so we no longer rely on this simplistic tracking idea."
During testimony before Congress on Thursday, the legality of including a bug in email messages was questioned.
"I think the law regarding that is not as clear as it should be," Larry Sonsini, HP's outside lawyer, said in response to questions from Representative Jay Inslee, a Washington state Democrat. "Depending on how it is used and the methodologies, it could very well implicate federal or state statutes," Sonsini said.
In the terms of use posted on its Web site, ReadNotify stipulates that its services should be used for "lawful purposes only". The company goes on to say that its product should not be used to transmit "intentionally deceptive email messages".
"Occasionally, we're asked about privacy and legal issues," Drake said. Essentially, ReadNotify believes an email author can do whatever he pleases with the message, including tracking it. "It is important to understand firstly that just because an email comes into your inbox, it does not make it yours. When a person puts the effort into thinking up an email and composing it: that email is theirs."
ReadNotify doesn't monitor its clients, but Drake has had praise and questions about the service, he said. "We do know that we are heavily used by law enforcement in combating both online crime, and real-world crime that has online aspects," Drake said. "The most interesting event was about two years ago, when our service helped recover a kidnapped child when a tracked email provided an international location that led to a safe recovery."
Use of the email bug is one of the possibly illegal methods used in HP's investigation into boardroom leaks. The company is also facing heat over the use of "pretexting", which refers to the use of fraudulent means to obtain someone else's personal records.
In testimony on Thursday, chief executive Mark Hurd said it is important for the company to lead, not follow when it comes to consumer privacy. "I am going to go back to that technology and look specifically at every use of that kind of send-receive technology and make sure there is absolute clarity," he said of the use of email tracing.
Adler's testimony was part of a full day of hearings into the HP spying scandal by an oversight and investigations subcommittee of the House of Representatives' Energy and Commerce Committee. Hurd and former chairman Patricia Dunn also testified, but several other HP employees and contractors invoked their Fifth Amendment rights against self-incrimination.
Story URL: http://news.zdnet.co.uk/itmanagement/0,1000000308,39283735,00.htmCopyright © 1995-2008 CNET Networks, Inc. All rights reserved
ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET Networks, Inc.