Use NoSpyMail to combat PattyMail

HP's Patricia DunnIn case you haven’t heard, “PattyMail” is the term coined to describe the sending of email with the intent of spying, the way that HP’s Patricia Dunn allegedly authorized this year. 

The idea is simple.  Say you have someone on your board who is sending confidential email to someone they aren’t supposed to, like a competitor or the press.  Simply add a small HTML image into your confidential e-mail.  Then, in theory, when someone reads the email, the email client will download that image, causing a “ping” to be sent back to your webserver to download the image.  You can then see which domains are fetching your images, and find your leaker.

“But that doesn’t work!” you say.  The answer is maybe.  It is true that most modern e-mail clients suppress HTML fetching by default.  BUT  – if the user clicks “show me the images”, then the images are shown.  So, when emails are coming from a trusted sender, like the chairman of the board, there is a reasonable chance you’ll want to see the graphics too, and open yourself to HTML spying.

“But that still doesn’t identify the leaker!”, you say.  But you are wrong; this is where the difference between HTML mail and “Spy Mail” comes in.  With HTML mail, you may have an image referenced in the email like:

    <img src=””>

In this case, you are right, if you forward this document to 10 people, and then one of them forwards to someone else, you won’t be able to tell which of them did it.  So why not encrypt special data in the image link to identify the leaker?  Instead of the link above, you might send a different email to each person, and the image links might instead look like:

    <img src=””>

This is SpyMail.  Now, when the sender checks their server logs, they’ll know exactly who the leaker is.  Evidently, this is what Patricia Dunn did.

It turns out that embedding information in email in a clandestine way is not too hard.  But generally, you don’t want the recipient to know they are being spied upon.  And this is where NoSpyMail comes in, because it can detect this.  When you read email with Outlook 2003, it won’t show HTML images.  But, if you tell it to, it will.  And if anyone is spying on you, they’ll get you!  NoSpyMail allows you to view those emails *without* getting spied upon.  How does it do this?  Well, it detects images which contain tracking information, and forcibly removes the tracker.  The image is skipped, but other images will still work.  This allows the reader to more safely read email. I wish I could say it were guaranteed 100% to work, but it is not.  But I do think it catches 95+% of the spymail.

Businesses also use this technique for less nefarious schemes.  For instance, if you sign up for newsletters from Costco, you’ll get HTML mail.  You probably want to see the images, because the sale items are all images.  But, as soon as you do, they’re tracking you, and they’ll know that contacting you by email works, and that you read it, where you read it form, what time you read it from, and whether you are a Windows or a Mac user.  Maybe you care, or maybe you don’t.  NoSpyMail offers a middle ground; you can read the newsletter, but not have to tell Costco that you did.

Anyway, NoSpyMail is normally free.  But, if you are a member of the HP board, and you need some protection, let me know.  Pricing starts at $10,000 per copy.  Probably a good investment for you!

2 thoughts on “Use NoSpyMail to combat PattyMail

  • October 26, 2006 at 1:26 am

    Um – pardon me for stating the obvious – but if I send an email to someone, and they decide they want to violate my trust and send it off elsewhere – that’s the *recipient* doing the “spying” – not the **sender**

    I presume you know that removing the protection from copyright material (eg: emails) is a criminal offence (read the DMCA), and people have already done time in jail for publishing this kind of software?

    I hope you don’t live in America…

  • October 26, 2006 at 4:22 pm

    I’m not quite sure what case you are referring to where the recipient doing the spying. The sender surrupticiously has added tracking tags to an email which the recipient did not know about. If the recipient forwards it to someone else, the recpient is not spying – the recipient neither gets notification of this happening nor even knows that it was happening in the first place. Only the sender knows that the SpyMail exists and receives information about the readers.

    As for copyright protection – I know of no instances where this mechanism is used for copyright protection. The only uses I’ve seen (and I’ve analyzed a LOT of email) is for ad-tracking, marketing, and spying purposes. If you’ve got another example, let me know.


Leave a Reply

Your email address will not be published. Required fields are marked *