'Bugging' Someone's E-mail Is Quickly Catching On
By Jeffrey Beard
American Lawyer Media
March 15, 2001
Privacy hounds, take note. It just got harder to keep your e-mail confidential. With certain e-mail programs, composers of messages can now get copies of replies and forwarded messages secretly bounced back to them. Let's say opposing counsel sends you a confidential settlement proposal. You forward it to your client. If your opponent is sufficiently fluent in a scripting language called JavaScript, he or she might be able to program the e-mail so that a copy of your forwarded message gets delivered back as soon as your client opens it. Your opponent will then know to whom you forwarded the proposal within the company and what your comments about it were. This devious trick has been nicknamed "e-mail wiretapping" by the Denver-based Privacy Foundation. And like most hacker-like activities, it's quickly gaining prevalence.

The exploit only works in certain instances. The e-mail must be written in HTML, the Web language that allows formatting like bold, italicized and centered text. The recipient must also be using an e-mail program with JavaScript enabled. If both conditions are met, it's easy to bug an e-mail with a few lines of relatively simple JavaScript. Portions of the code have now been published, albeit in a primitive form.

The e-mail programs most likely to be affected are Microsoft Outlook and Outlook Express, Netscape 6 Mail, America Online 6.0 and newer versions of Eudora. Other e-mail programs that rely on the Internet Explorer Web browser to display HTML also might be vulnerable. The Microsoft and Netscape e-mail readers are most at risk, because they generally ship with JavaScript enabled by default. If you have any of these e-mail programs installed, it would be prudent to double-check your JavaScript setting. The Privacy Foundation has posted instructions for disabling JavaScript in selected programs at www.privacyfoundation.org/advisories/advEmailWiretap.html.

In response to this alert, Microsoft stated that the newest version of Outlook Express comes with JavaScript disabled by default, and that it has already issued an Outlook patch that provides additional levels of protection against malicious e-mail messages. But that does nothing for the millions of copies of Outlook and Outlook Express already installed and in use: unless the user has disabled the JavaScript feature, he or she remains vulnerable to this exploit.

The Privacy Foundation says that Hotmail and other Web-based e-mail providers automatically remove the JavaScript elements from incoming messages, and therefore are not vulnerable to this particular snag. But here's the real catch: security is very much a process, not a product or a simple JavaScript on/off checkbox. A security system is only as strong as its weakest link.
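What "removing the JavaScript elements" from an incoming message amounts to, as an added example that is neither the article's code nor the Privacy Foundation's: a filter over a raw e-mail that drops script-bearing elements, on* event-handler attributes, javascript: URLs and HTML comments from every text/html part and reports what it found. The sample message, the example.com addresses, the do-nothing stand-in for the wiretap script and the element and attribute lists are all constructed for this illustration.

```python
# Added example (not the article's or the Privacy Foundation's code): strip the
# script-bearing pieces from HTML mail, as the article says Web-mail providers do.
# Standard library only; the element/attribute lists are this example's own choices.
import email
import html
from email import policy
from html.parser import HTMLParser

ACTIVE_ELEMENTS = {"script", "object", "embed", "applet", "iframe"}  # dropped with contents
URL_ATTRIBUTES = {"href", "src", "action", "background"}  # where a script: URL would run
SCRIPT_SCHEMES = ("javascript:", "vbscript:")  # vbscript: is the Internet Explorer cousin


def _is_script_url(value):
    # Collapse whitespace first: renderers ignore a tab or newline inside the scheme.
    return "".join(value.split()).lower().startswith(SCRIPT_SCHEMES)


class ActiveContentFilter(HTMLParser):
    """Re-emits the HTML it is fed minus active elements, on* handlers, script:
    URLs and comments (which can hide conditional markup), recording each removal."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # so entities are re-emitted verbatim
        self.out, self.removed = [], []
        self._skip = 0  # >0 inside a dropped element; an unclosed one fails closed

    def _start(self, tag, attrs, self_closing):
        if tag in ACTIVE_ELEMENTS:
            self.removed.append(f"<{tag}> element")
            if not self_closing:
                self._skip += 1
            return
        if self._skip:
            return
        pieces = [tag]
        for name, value in attrs:  # HTMLParser already lowercases names
            if name.startswith("on"):
                self.removed.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRIBUTES and value is not None and _is_script_url(value):
                self.removed.append(f"{name} script URL on <{tag}>")
            elif value is None:
                pieces.append(name)
            else:
                pieces.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + (" />" if self_closing else ">"))

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def _emit(self, text):
        if not self._skip:
            self.out.append(text)

    def handle_starttag(self, tag, attrs): self._start(tag, attrs, False)
    def handle_startendtag(self, tag, attrs): self._start(tag, attrs, True)
    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_decl(self, decl): self._emit(f"<!{decl}>")
    def handle_comment(self, data): self.removed.append("comment")


def sanitize_html(markup):
    """Return (sanitized_html, list_of_removed_items)."""
    f = ActiveContentFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out), f.removed


def sanitize_message(raw):
    """Rewrite each text/html part of a raw RFC 2822 message without active content."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            clean, found = sanitize_html(part.get_content())
            removed.extend(found)
            part.set_content(clean, subtype="html")
    return msg.as_string(), removed


# Constructed sample: an event handler, a split javascript: link and a stand-in
# <script> that does nothing (the wiretap code itself is not reproduced here).
SAMPLE_MESSAGE = """\
From: counsel@example.com
Subject: Settlement proposal
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body onload="void 0">
<p>Please see the <b>attached</b> proposal &amp; reply by Friday.</p>
<a href="java&#10;script:void 0">terms</a>
<script>/* stand-in for the wiretap script */</script>
<img src="http://example.com/logo.gif" />
</body></html>
"""
```

On the sample message, `sanitize_message(SAMPLE_MESSAGE)` reports three removals (the `onload` handler, the `href` script URL and the `<script>` element) and returns the message with the formatting, the link text and the image intact. Two design choices matter here: an active element whose end tag never arrives keeps the filter in skip mode to the end of the part, so a malformed message fails closed rather than open, and URL values are compacted before the scheme check because a newline or tab inside `java script:` is ignored by browsers and would otherwise slip past a naive prefix test.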
Even if recipients turn off JavaScript in their own e-mail program, their e-mail is still at risk of being disclosed to the original sender. This happens when they forward the bugged e-mail to another person who uses a JavaScript-enabled e-mail program such as Outlook. As soon as that person opens the forwarded message, the script sends a copy of it to the original sender, including any comments added along the way that the forwarder presumably thought were safe. The immense (and disturbing) problem is that one's e-mail security depends entirely on the JavaScript setting of every single person in the overall chain of e-mails.

Education is a primary means of defense here. Attorneys and their clients, co-counsel and the others they deal with need to know that all parties have JavaScript disabled in their e-mail programs. They should probably also simply send their e-mail out as plain text, rather than in the fancier HTML-formatted version; a text-only message carries no script to run. This solution has the added benefit of ensuring that the e-mail is compatible with older e-mail systems that may not support HTML formatting.

In case you are thinking that you yourself may want to create and send bugged e-mails, don't: The activity likely is against the law. Courts haven't yet explored the issue at any length. But Philip Gordon, an attorney with Horowitz & Wake in Denver, a fellow of the Privacy Foundation and an expert in wiretap law, notes that "Any lawyer (or their client) considering using the e-mail wiretap in their practice is at risk of violating the federal wiretap law." In a posting on the Privacy Foundation's Web site, Gordon states that in addition to the federal wiretapping laws, sending such a message could also violate the Computer Fraud and Abuse Act. The sender could also face liability under state civil and criminal laws.

With simple programming tools such as JavaScript, expensive wiretapping hardware isn't necessary to track and view the responses to one's e-mail. This should be enough to make all of us a bit more cautious as we click the send button.