Date: Mon Feb 5, 2001 4:30 pm
Subject: JavaScript eMail snooper.

A Trick to Snoop on E-Mail February 5, 2001; By AMY HARMON

For those still harboring the illusion that e-mail exchanges are
private, a watchdog group has uncovered a new trick that enables
someone to essentially bug an e-mail message so that the spy would
be privy to any comments that a recipient might add as the message
is forwarded to others or sent back and forth.

The maneuver does not take advantage of any security flaw in
e-mail software. It is simply one feature of a fancier and
increasingly common form of e-mail known as HTML mail, which
enables users to send and receive e-mail messages that look and act
like a Web page.

With the spying technique, a few lines of a programming language
called JavaScript, often used on Web sites to create pop-up windows
and navigational aids, can be embedded in such a message. This
implant, not visible to the recipient, enables the text to be
secretly returned to its original sender every time it is forwarded
to another recipient, as long as the recipients' e-mail programs
are set up to read JavaScript.

Although HTML e-mail often includes images and animations, it can
also be made to look like a plain text e-mail. To figure out
whether a message is HTML or text, a user can right-click on the
message body. If one of the menu choices that appears is "view
source," it is HTML mail. By choosing "view source," a user would
be able to see any JavaScript code embedded in the message. But
whether the code was designed to bug a message would likely still
be difficult to recognize for someone unfamiliar with the computer
language.

"I looked at this and I said, `Whoa,' because it lets you spy on
people, and it's so easy," said Richard M. Smith, chief technology
officer for the Privacy Foundation, an educational and research
organization based in Denver that plans to publicize and
demonstrate the technique today.

"Most of us won't release a computer virus, but this is something
people would use, particularly if a service started offering it,"
Mr. Smith said. "It's just kind of human nature."

Invisible tags sometimes called Web bugs are widely used in HTML
e-mail by marketers and others to detect whether an individual has
opened an e-mail message. The Congressional Privacy Caucus has
announced plans to hold hearings to investigate the use of Web bugs
later this month. Mr. Smith said that it was now clear that
JavaScript could be used to create a more powerful Web bug so that
not only can someone find out when a message is read, but also what
is being said about it.

Because many e-mail users continue to hit "reply" during long
e-mail exchanges rather than initiating new messages, the
JavaScript code could enable an individual to eavesdrop on an
entire conversation between business associates about a proposal he
or she had e-mailed to one of them, for example. It could also be
used to harvest e-mail addresses when a message like a joke was
forwarded over and over to groups of people across the Internet.

The widely used e-mail programs that are vulnerable to the exploit
include Microsoft Outlook, Outlook Express and Netscape Messenger
6. America Online users and users of Web-based e-mail programs like
Hotmail would not be affected.

By going to the "preferences" command under the edit menu in
Netscape Messenger, users can turn off JavaScript in about five
steps. To disable JavaScript in Microsoft Outlook and Outlook
Express takes about 15 steps, which are outlined on the privacy
foundation Web site at www.privacyfoundation.org. The newest
version of Outlook Express comes with JavaScript turned off, as a
result of customer feedback, a Microsoft spokesman said.

"At this point in time, it's really a personal choice everybody
has to make whether they are more concerned about a security risk
or about the advanced functionality you get by having these
features enabled," said Lisa Gurrey, product manager for Microsoft
Office. "We are just doing the best we can to give our customers
different options."

But turning off JavaScript does not necessarily mean that e-mail
cannot be spied on, because a bugged message will still be returned
to its original sender if it is replied to or forwarded to someone
who reads the message with an e-mail program that is vulnerable.

Today, the Privacy Foundation plans to provide public
demonstrations of the process, which the group calls "e-mail
wiretapping" and believes to be illegal. The group is calling for
the major vendors of e-mail programs to provide their software with
JavaScript automatically turned off. The potential for such e-mail
spying was first discovered by Carl Voth, an engineer in British
Columbia, who brought it to the attention of Mr. Smith at the
Privacy Foundation.

"What bothers me is that in this case, my vulnerability is a
function of what you do," Mr. Voth said. "I can be careful, I can
take every precaution, I can turn off JavaScript, and it doesn't
matter. If my neighbor isn't diligent and I send him an e-mail, I'm
still vulnerable."