Patty Mail spies on recipients

The US congressional committee investigating how HP manager Patricia Dunn spied on the email of her employees has done more than just provide a name in her 'honour' for the practice – Patty Mail – but also shed some light on the techniques it uses. The email tracking service employed by HP, readnotify.com, is by its own definition an email tracking, certification and security service. It offers its customers the option to track emails and certain Office documents in mail attachments in ways invisible to the recipient. The sender receives a message by email or SMS as soon as the recipient has opened the marked mail or the file attached to it. According to the provider, this provides information about when and at which IP address the recipient opened the mail, how long it was opened for reading, which URL was clicked from within the mail, and to whom the message was potentially forwarded. Questioned about the use of his service by HP, Readnotify CEO Chris Drake explained that this was a completely normal and effective use of the available technology.

While the use of what are known as web bugs for observing emails is old hat and has long been something against which one can guard, Readnotify is boasting about the use of more than 30 different tricks for peeking through the mail slot of even security-minded mail recipients. The integration of specific Iframe tags allows indiscrete code to be planted in stylesheets during the reproduction of HTML content. The code can be executed even if someone views the mail in text mode without HTML rendering, provided they then answer using software like Outlook 2003.

(ehe)