In Brief
The Web Bug in HP's Toolbox
Hewlett-Packard borrowed e-mail tracers popular with marketers, cops
By Robert McMillan
November 01, 2006 — CSO —
The tracer software that Hewlett-Packard investigators used to try to sniff out boardroom leaks sounded like it had been ripped from the pages of a bad science fiction novel. That is, until the company began talking about it at a Congressional hearing.
The technology tool the company used, called a Web bug, is designed to allow e-mail senders to track the path a message takes, including whether a recipient opens the message and forwards it to another party. And it turns out the technology is widely used: in e-mail newsletters to track readers and by law enforcement.
Hewlett-Packard's use of Web bugs is separate from the California charges against five people, including former HP chairwoman Patricia Dunn, on allegations that they used false pretenses to access individuals' phone records. That case is about the practice of pretexting. Dunn denies wrongdoing in the case.
Web bugs involve piggybacking an image or other identifier in an e-mail message, so when an e-mail is opened, it serves up the image from a Web server with a unique website address and sends a message to the tracking system. The image can be hidden from sight or within plain view, in a corporate logo, for example.
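Seen from the recipient's side, the mechanism described above can be checked before a message is opened. The Python code below is an added example, not part of the original article: it lists the images in a message that would be fetched from a remote server. The sample message, the `tracker.example` URLs and the 12-character token heuristic are assumptions made for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class ImgCollector(HTMLParser):  # collects the attributes of every <img> tag
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def find_web_bugs(raw_message):
    """Return [(url, reasons)] for images a mail client would fetch on open."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for attrs in collector.images:
            url = urlsplit(attrs.get("src", ""))
            if url.scheme not in ("http", "https"):
                continue  # cid:/data: images travel inside the message, no fetch
            reasons = ["remote-fetch"]
            # Heuristic (assumption): a long query value is a per-recipient identifier
            if any(len(v) >= 12 for _, v in parse_qsl(url.query)):
                reasons.append("unique-token")
            # 0- or 1-pixel size or CSS hiding: the image is not meant to be seen
            style = attrs.get("style", "").replace(" ", "").lower()
            if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
                reasons.append("tiny")
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden")
            findings.append((url.geturl(), reasons))
    return findings

# Constructed sample message; every address and URL is made up for the example.
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<p>Quarterly update.</p><img src="cid:chart1" width="400" height="200">
<img src="https://tracker.example/logo.png?rcpt=7f3a9c21d4e8b605" width="120" height="40">
<img src="http://tracker.example/o.gif" width="1" height="1" style="display:none">
"""
```

The visible logo is flagged as well as the hidden pixel: any remotely hosted image reports the open, which is why mail clients that block remote images by default defeat both.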
Hewlett-Packard's boardroom leak investigation tried to trick a CNet Networks reporter by using a Web bug attached to an e-mail message, according to testimony before Congress by HP Security Investigator Fred Adler. It didn't work. (Adler was not named in the California indictments.)
Web bugs are in widespread use, says Richard Smith, founder of Boston Software Forensics. "Any kind of commercial e-mail is probably going to have them," he says.
HP turned to a small Australian company called ReadNotify.com, which offers tools to track both e-mail and Microsoft Office documents. The tools will tell when the e-mail you sent was read and will guess the recipient's location based on his IP address. The ReadNotify service is popular in law enforcement and also in industrial espionage investigations, says Chris Drake, ReadNotify's chief technology officer.
In an e-mail exchange, Drake says the media informed him of the Hewlett-Packard case, adding, "This is an extremely common and effective use of our technology." While Drake characterizes ReadNotify's e-mail tracking tools as sophisticated, security consultant Smith notes they use the same techniques as other Web bugs. Drake says the tools are legal in Australia and the United States.
Courts looking at Web bugs have focused on whether this technology violates federal wiretapping laws, says Chris Jay Hoofnagle, senior staff attorney with the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley.