/* -- STUFF -- */

CW: The dirt on Web bugs

Tuesday, October 17, 2006


As a journalist at Computerworld Australia:

It's common practice. A message arrives in your inbox. You read it, realize that it may interest a friend, and pass it on accordingly. But be warned -- that simple, seemingly innocuous push of the forward button could be sending out more information than you think.

Email tracking services have recently surfaced as one of the dubious methods employed by Hewlett-Packard in its boardroom leak investigations. At a congressional hearing on September 28, HP Security Investigator Fred Adler revealed that the company had enlisted the services of Central Coast (NSW) start-up ReadNotify in the hopes of discovering electronic tracks leading from CNet journalist Dawn Kawamoto to her confidential source.

ReadNotify's tracking service is designed to allow email senders to track the path a message takes. The service is based on a similar technology to Web bugs, which are commonly used by marketers and advertisers to track hits on a Web site.

However, while most email clients and anti-spam programs now block ordinary Web bugs by refusing to load remote images automatically, ReadNotify's email tracking service boasts up to 36 different simultaneous tracking techniques, and often goes undetected.

The simplest of these tracking methods involves embedding in the message an image whose source is a URL on a Web server the sender controls. When the email is opened and the image is loaded, the recipient's computer requests it from that server, and the request itself tells the server that the message was opened, when, and from which IP address. Senders may choose to use a transparent image so that nothing visible alerts the recipient to the tracking device; in such cases, it is very difficult to tell that an email has been sent through ReadNotify, unless the recipient's email client notices a ReadNotify header whose name begins with "X-RN".
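The following Python script is an added example, not code from the article or from ReadNotify. It shows what a recipient-side check for the simplest technique described above looks like: parse the message, report any header whose name begins with "X-RN" (the article gives only that prefix; the full header name "X-RN-Example" below is an assumption), and flag remote images that are rendered at one pixel or hidden by style, which is the shape a transparent tracking image usually takes. The sample message and the tracker hostname are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real ReadNotify mail). The X-RN-Example
# header name and the tracker host are assumptions for illustration only.
SAMPLE_EMAIL = """\
From: sender@example.com
To: recipient@example.com
Subject: Forwarded: quarterly numbers
X-RN-Example: 123456
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thought this might interest you.</p>
<img src="cid:logo123" width="200" height="50">
<img src="http://tracker.example.net/img/abc123.gif" width="1" height="1" style="display:none">
<img src="https://cdn.example.org/banner.png" width="468" height="60">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser also routes self-closing <img .../> tags here.
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _is_remote(src):
    # Only http(s) sources cause a network request when the mail is rendered;
    # cid: references point at attachments inside the message itself.
    return urlparse(src.strip()).scheme.lower() in ("http", "https")


def _dimension(value):
    try:
        return int(value.strip().rstrip("px"))
    except ValueError:
        return None


def _is_tiny(attrs):
    w = _dimension(attrs.get("width", ""))
    h = _dimension(attrs.get("height", ""))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_tracking_indicators(raw_message):
    """Return X-RN* headers, remote image URLs, and the subset that look like Web bugs."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = {"headers": [], "remote_images": [], "suspected_bugs": []}

    for name, _value in msg.items():
        if name.lower().startswith("x-rn"):
            findings["headers"].append(name)

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings  # plain-text mail cannot carry an image bug

    collector = ImgCollector()
    collector.feed(body.get_content())
    for attrs in collector.imgs:
        src = attrs.get("src", "")
        if not _is_remote(src):
            continue
        findings["remote_images"].append(src)
        if _is_tiny(attrs) or _is_hidden(attrs):
            findings["suspected_bugs"].append(src)
    return findings


if __name__ == "__main__":
    for key, values in find_tracking_indicators(SAMPLE_EMAIL).items():
        print(f"{key}: {values}")
```

The check is a heuristic: a tracking image does not have to be tiny or hidden, and a header is only present when the tracking service adds one, so the dependable defence remains an email client that does not fetch any remote content until the recipient asks for it.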

As the company does not, as a rule, monitor who its users are and what they do, ReadNotify Chief Technical Officer Chris Drake could not confirm details of its role in the HP scandal. However, he speculates that HP is likely to have used ReadNotify's document tracking service, which tracks a Microsoft Word or Adobe Acrobat document regardless of the medium through which it is sent.

It is much harder to tell if a document is being tracked by ReadNotify, Drake said, as it is sent directly from the user's computer and hence will not necessarily display the "X-RN" header. Furthermore, while ReadNotify provides an opt-out service for people who do not want to receive its tracked emails, it does not have any such provision for tracked documents.

However, the company maintains that it operates well within the bounds of the law. While it has received a number of opt-out requests, Drake said that ReadNotify has not yet received a single complaint concerning privacy violation.

"I don't like the word 'bug' because it's a little bit iffy -- bugging is something that you normally do in illegal situations," he said. "We're not doing anything naughty or illegal."

Drake argues that email tracking is a legitimate method of monitoring a copyrighted document, since the Australian Copyright Act, as well as copyright laws in many other countries, grants legal ownership to the author of a document, including emails. Owners of intellectual property should have the right to know what people do with it, he said.

"The law's exactly the same for copyrighted email as music and movies," he said. "Technically, if you forward an email, you've violated the author's copyright."

Still, the clandestine nature of Web bugs raises issues about whether email, document or Web site authors should have the right to secretly track the activities of individuals.

And it doesn't help that privacy laws are often vague on the subject.

"It's [Privacy is] just such a gray area of the law," said Irene Graham, Executive Director, online civil liberties organization Electronic Frontiers Australia (EFA). "EFA's been complaining about this sort of thing in every submission we've put in on privacy amendments and stuff for years, because we think things like web bugs are a serious concern, and there should be laws surrounding their use, or just make them illegal."

The Australian Privacy Act stipulates that it is illegal for an organization to collect personal information that is not necessary for one of its functions or activities. Determining the legitimacy of information collection is a task that lies solely with the Privacy Commissioner, who typically assesses complaints on a case-by-case basis.

According to the Office of the Privacy Commissioner, organizations that collect personal information must comply with the National Privacy Principles contained in the Privacy Act, which include the responsible use of information, keeping the information secure, and providing individuals access to their personal information.

"The Privacy Act makes provision for the operation of other laws and interests, for example by exceptions that permit the collection, use or disclosure of personal information where this is required or authorized by another law," said a spokesperson for the Office of the Privacy Commissioner.

"However," she added, "in most cases, Privacy Act obligations, for example requiring organizations to make sure people are aware personal information is being collected and for what purpose, still apply."

But the EFA is dissatisfied.

"The problem is, for example, that a company that uses this information for their marketing or profiling purposes could claim that this is a necessary function," Graham said. "But is it necessary? I would argue no!"

"I fear that depending on the circumstances, under the current law, the privacy commissioner may well find that businesses may have the right to do that [obtain personal information for no good reason]."
