Is your email watching you?

NEWS Watch out -- the spam choking your email inbox may be loaded with software that lets marketers track your moves online, and you may not even be aware that you've been bugged. Web sites have long planted bits of code called "cookies" on consumers' hard drives to tailor Internet pages for returning visitors and better target ads. Now, enhanced messages that share the look and feel of Web pages are being used to deliver the same bits of code through email, in many cases without regard for safeguards that have been developed to protect consumer privacy on the Web. "All of the security and privacy issues on the Web now relate to email," said Adam Shostack, director of technology at Zero-Knowledge Systems, a Montreal-based privacy and security company. "The shame about this behaviour is that it's going on surreptitiously and people are not given an obvious way to opt out." Consumer notice and choice have been at the heart of the Internet privacy debate for years, driving popular Web companies including eBay, Yahoo! and DoubleClick to write tough-sounding Web privacy policies. Civil libertarians and privacy groups for years have stalked Web sites for violations of their stated policies and have kept an eye on secretive tracking tactics. Although many of the same troubles are cutting into email, disclosure of such data-gathering practices has not received anywhere close to the level of scrutiny it has had on the Web. With email, however, the stakes for consumer privacy may be higher. After battling consumer advocates for years over the issue, Web sites now typically cloak visitors' identities and collect data anonymously. By contrast, junk emailers and even some legitimate marketers have begun to use cookies and other techniques to link specific addresses to surfing behaviour, security experts said. In some cases, spammers may be able to link formerly anonymous consumers with their email addresses. For example, a Web site specialising in horoscopes may know a consumer only by birth date. But if that Web site rents a list of email addresses with that consumer's address on it, the company may be able to link the address to the individual's birth date and visits to the site. "In many ways, email tracking is more powerful because they can correlate the email address with online history," said Lance Cottrell, president of Anonymizer, an Internet privacy services company. "There isn't an opportunity to be fully informed when you receive a spam with remotely loaded graphics used to track your computer," he added. "It's a bit of a loophole in the whole process." Slipping in with the mail
The rise of email tracking runs parallel to the adoption of "rich email," or messages that incorporate the programming language most commonly used to display Web pages, known as HTML (Hypertext Markup Language). Such messages may include Web pages, audio and video in addition to ordinary text. According to a recent report from the industry trade group the Direct Marketing Association (DMA), 65 percent of online marketers regularly send HTML email to consumers or prospective customers. By incorporating HTML, the email acts like a Web page, requesting graphics and content from a Web server and counting as a "hit" to the company's Web site. Taking advantage of the technology, marketers can track how and when people respond to email, note where they click, and trace follow-up actions on their Web pages. They do this by embedding cookies or clear GIF images known as Web beacons, an action that isn't possible in a simple text message. On the simplest level, marketers may embed a numeric tracking code in the "from" line. This code is sent back to the Web site's service when the recipient visits the site from the email. More sophisticated tracking can involve cookies so that the Web site can detect whether the consumer visits the site days later. Cookies can also help determine how much revenue was booked on a Web site as a result of an email campaign by following the recipient throughout a visit. The monitoring technology can be planted on consumer hard drives at various stages in the process of delivering and reading an email. In many cases, cookies or Web beacons are set the moment the recipient opens the message or views it in the preview window of the email program. In other cases, cookies are set only when the person clicks on an embedded link that leads to a Web site -- an action some argue is part of the Web experience and is the purview of Web privacy policies. Digital Impact, an email marketing services company, uses a range of tactics to measure the effectiveness of campaigns for its customers, which include Citigroup, Bank of America, Wal-Mart, Target and the Gap. Since its launch in 1998, Digital Impact has sent about three billion commercial emails. Gerardo Capiel, chief technology officer and co-founder of Digital Impact, said that while about 70 percent of the email the company sends for customers is HTML, less than 30 percent of HTML email includes tracking technology. Capiel said the company asks that its customers address email communications in their privacy policies. "We don't set a cookie when you open the email, but you might get one when you click through," he said. "It's really a question of how aggressive the marketer wants to get to track revenue." Capiel said the company only sends messages to consumers who have opted to receive communications from the client. Still, he acknowledges that people can be sensitive to cookies. "You may end up irking some customers," he said. Experian, another email marketing services company, started using cookies this year to better track digital communications for its customers. According to its privacy policy, it uses cookies and Web beacons to monitor when an email was opened, how many times an email recipient forwarded the message, and which Web addresses were clicked on, among other actions. Christine Frye, chief privacy officer of Experian's e-marketing services unit, said the company has started working with customers to educate them on updating their privacy policies to include email tracking. So far, "they've been very receptive to that," she said. She would not name any Experian customers. Such techniques have become pervasive enough to attract the attention of browser and email software makers. Some email programs already include settings allowing consumers to block cookies. Microsoft's Internet Explorer 6.0, for example, offers controls for cookies on the Web and via the company's Outlook and Outlook Express email programs. Turning on the "prompt for cookies" setting can reveal the stunning extent of the problem, unmasking unsolicited HTML email messages that try to lay down cookies on a hard drive. According to Microsoft, IE 6, Outlook and Outlook Express block cookies by default in HTML mail and place such mail automatically in a secure "restricted" zone. The settings have not always proven effective, however -- well-known security expert Richard Smith has reported at least one bug that allows cookies to be planted through Outlook despite the default settings. Rajeev Dujari, development manager on IE 6 for Microsoft, countered that Outlook is designed to let consumers read email in different security zones and control cookies through privacy settings. But he admitted that consumers need to better educate themselves to set a defence against increasingly invasive marketing tactics. "Our default is around cookies being part of a Web experience rather than an email experience," Dujari said. "When consumers get email, people don't usually expect a cookie." Spreading the word
There's a fine line between spam and commercial pitches from an online retailer that ask for permission to send a message. In both cases, the message may plant a cookie on the receiver's hard drive, but the spammer, by definition, has done so without any pre-established relationship. Still, consumers at the receiving end of both kinds of messages are often not notified of monitoring -- either in the mail or in Web privacy policies -- nor given the option to block cookies in the future, privacy experts said. Direct marketers are just starting to pay attention to this area. Pat Faley, vice president of ethics and consumer affairs for the DMA, a 5,000-member organisation of retailers, said the group urges members to include in all email a link to their privacy policies. She added that members should "definitely disclose email tracking practices in their Web site privacy policy." Email marketing also raises sticky questions for marketing services companies, which deliver ads into rich email. Although these companies typically guarantee anonymous data collection, it theoretically would be easy to tie that data back to an email address in an email-based marketing campaign, according to privacy experts. DoubleClick, a heavyweight in Web ad delivery and email marketing, offers a service called DartMail that lets companies manage, deliver and track email marketing campaigns. The technology allows customers to add software such as cookies or Web beacons to a campaign and track the effectiveness of a promotion. DoubleClick said that data it collects online is kept separate from data collected through email. J.Crew is a customer of DoubleClick's DartMail, but the retailer does not specifically address email monitoring practices in the privacy policy published in its Web site. The policy says only that "in some instances, we may use third-party companies to help us serve you better. These companies may be given access to some or all of the information you provide to us and may use cookies on our behalf." J.Crew did not immediately respond to requests for comment. To be sure, some retailers are starting to refer to email monitoring in privacy policies. Amazon.com, for example, mentions that it may use tracking methods via email to determine preferences for future communications. Still, privacy advocates said email privacy practices are largely under-disclosed compared with other media such as the Web. "Email privacy hasn't been on the radar until recently," said Larry Ponemon, chief executive of the Dallas-based Privacy Council, a knowledge management and technology company. He added that most companies still don't fully understand how email plays a role in privacy and security. One problem with the disclosure of email privacy stems from the large percentage of email marketing campaigns that are conducted at arm's length through third-party providers. As a result, companies that retain email marketing services may not always be fully aware of the practices employed on their behalf. Although many major companies outsource their email marketing to companies that openly admit to using cookies and other tracking techniques, the privacy policies published online by these companies do not always address the issue of email monitoring. "There's a lot less transparency around what's happening in email marketing than with Web content," said Alex Fowler, senior director of policy and advocacy at Zero-Knowledge Systems. Walmart.com, for example, delivers opt-in email marketing through third-party providers. It does not mention email monitoring in its privacy policy, however, which was last updated 8 December, 2000, according to its Web site. In an interview, Walmart.com spokeswoman Cynthia Lin confirmed that the company tracks customers through email using "software technology." Still, she said, the company's privacy policy is adequate. For one thing, the company does not use cookies, she said. In addition, she said that any data gathering that occurs after consumers leave the email client is not technically part of the email experience, even if the original Web link is embedded in an email. Once consumers are whisked to the Web, all of the company's practices are covered by its Web policy, which clearly states that the company never sells or rents customer information. "When customers do get those emails and click on links within them, we are able to track that information," she said. "We have made every effort to make our security and privacy policy as clear as possible to our customers."

---