boston.com Business your connection to The Boston Globe

HP may have spied on e-mail, too, but legally

Hewlett-Packard Co., already in hot water for using private investigators to obtain journalists' phone records under false pretenses, may have been spying on their e-mail habits, as well. But it's possible the e-mail snooping was legal.

Computer security experts say there are legitimate ways to track electronic mail exchanges. Indeed, they say the techniques are routinely used by many Internet advertising firms to track which customers have seen their ads.

The New York Times reported yesterday that investigators used by HP to track the source of news leaks about internal corporate matters e-mailed a document to an unidentified reporter for the CNet technology news service. It contained software that would enable the investigators to track whether the message was forwarded to someone else. An HP spokesman did not answer a request for comment.

Internet security expert Richard Smith, founder of Boston Software Forensics of Boston, said the Times account is consistent with the use of a "Web bug," which causes an e-mail message to notify the sender when the recipient opens the message. A Web bug is a tiny image that must be downloaded from a remote computer. The download occurs automatically when the e-mail is opened.

Investigators reportedly sent an e-mail purporting to be a tip about activity inside HP. If it was downloaded by a recipient, the bug would have transmitted the Internet address of the computer that requested the download. The investigator would have the computer's numerical address, which can be used to identify the recipient's Internet provider, or place of work. If the e-mail was forwarded, it could be tracked each time it was opened. Web bugs are routinely embedded in illicit "spam" e-mails. But they're also used in legitimate business e-mails and on many Web pages.

"Some companies sprung up to actually offer this as a service," said Chris Wysopal, chief technology officer for the computer security company Veracode Inc., in Burlington. "Anyone can do this now with no technical expertise at all." Besides, said Wysopal, there's no law against using Web bugs to track your outgoing e-mails. "Of course it's legal to embed an image in all your e-mail messages."

However, Smith said Web bugs don't work as well as they once did, because many e-mail programs block them automatically. "About half the time it doesn't work anymore," Smith said. The Times reported that the tactic did not work in the HP leak probe.

As a fallback, e-mailers can embed a link to a Web page, in hopes the recipient will click on the link. This action records the recipient's Internet address. But years of experience with spyware and spam have made Internet users wary of clicking on unfamiliar links.

The same caution prevents many people from opening files attached to e-mails. They can contain dangerous software, including programs that could collect all of a user's e-mail messages and forward them to an investigator. Installing such software on someone's machine is illegal, but a new survey from the data security firm IronPort Systems Inc. estimates that half of all corporate computers worldwide are infected with some form of illicit software, with 7 percent of infections involving spying on the user's actions.

Smith said that Internet users can protect themselves by using e-mail programs that block Web bugs, and by installing the latest security patches for e-mail software, Web browsers, and operating systems. Up-to-date antivirus and antispyware programs will detect the most likely threats.

Internet users can also subscribe to an "anonymous proxy" service, such as Anonymizer, that conceals the user's address.
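The check behind an e-mail program that blocks Web bugs can be sketched as follows; this is an added example, not part of the original article. It lists every image an HTML message would fetch from a remote computer and flags the tiny or hidden ones; the sample message, host names and the `id` value are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; hosts and the id value are placeholders, not from the article.
SAMPLE_HTML = """<html><body>
<p>Tip about activity inside the company.</p>
<img src="cid:logo123" width="120" height="40">
<img src="http://tracker.example/open.gif?id=abc123" width="1" height="1">
<img src="https://tracker.example/banner.png" style="display: none">
<img src="https://cdn.example/photo.jpg" width="600" height="400">
</body></html>"""

def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel ("1", "1px", "0")."""
    text = (value or "").strip().lower().replace("px", "")
    return text.isdigit() and int(text) <= 1

class _ImageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "").strip()
        host = urlsplit(src).netloc
        if not host:
            return  # cid:/data: images travel inside the message; nothing is fetched
        style = a.get("style", "").replace(" ", "").lower()
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reason = "1x1 pixel or smaller"
        elif "display:none" in style or "visibility:hidden" in style:
            reason = "hidden by CSS"
        else:
            reason = ""
        self.findings.append({"src": src, "host": host,
                              "web_bug": bool(reason), "reason": reason})

def audit_remote_images(html):
    """Return one finding per image that opening the message would download."""
    parser = _ImageAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for f in audit_remote_images(SAMPLE_HTML):
        label = "LIKELY WEB BUG" if f["web_bug"] else "remote image"
        print(f"{label:15} {f['src']}  {f['reason']}")
```

Any remote image, flagged or not, reveals the reader's Internet address to the host that serves it, which is why mail programs that block Web bugs hold back all remote images until the user asks for them.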

Hiawatha Bray can be reached at bray@globe.com.
