In case you haven’t heard, “PattyMail” is the term coined to describe the sending of email with the intent of spying, the way that HP’s Patricia Dunn allegedly authorized this year.
The idea is simple. Say you have someone on your board who is sending confidential email to someone they aren’t supposed to, like a competitor or the press. Simply add a small HTML image into your confidential e-mail. Then, in theory, when someone reads the email, the email client will download that image, causing a “ping” to be sent back to your webserver to download the image. You can then see which domains are fetching your images, and find your leaker.
“But that doesn’t work!” you say. The answer is maybe. It is true that most modern e-mail clients suppress HTML fetching by default. BUT – if the user clicks “show me the images”, then the images are shown. So, when emails are coming from a trusted sender, like the chairman of the board, there is a reasonable chance you’ll want to see the graphics too, and open yourself to HTML spying.
“But that still doesn’t identify the leaker!”, you say. But you are wrong; this is where the difference between HTML mail and “Spy Mail” comes in. With HTML mail, you may have an image referenced in the email like:
<img src="http://www.senderisspying.com/images/logo.jpg">
In this case, you are right: if you forward this document to 10 people, and then one of them forwards it to someone else, you won’t be able to tell which of them did it. So why not encode special data in the image link to identify the leaker? Instead of the link above, you might send a different email to each person, and the image links might instead look like:
<img src="http://www.senderisspying.com/potentialleaker#1/logo.jpg">
This is SpyMail. Now, when the sender checks their server logs, they’ll know exactly who the leaker is. Evidently, this is what Patricia Dunn did.
It turns out that embedding information in email in a clandestine way is not too hard. But generally, you don’t want the recipient to know they are being spied upon. And this is where NoSpyMail comes in, because it can detect this. When you read email with Outlook 2003, it won’t show HTML images. But, if you tell it to, it will. And if anyone is spying on you, they’ll get you! NoSpyMail allows you to view those emails *without* getting spied upon. How does it do this? Well, it detects images which contain tracking information, and forcibly removes the tracker. The image is skipped, but other images will still work. This allows the reader to more safely read email. I wish I could say it were guaranteed 100% to work, but it is not. But I do think it catches 95+% of the spymail.
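The filtering idea described above, as an added sketch: this is not NoSpyMail's code. The heuristics (query string, fragment, a directory segment containing a digit or a long token, 1x1 size), the function names and the sample body are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
ID_LIKE = re.compile(r"\d|[A-Za-z0-9_-]{20,}")  # a digit or a long opaque token

# Constructed sample body: the two image links from the text plus a 1x1 pixel.
SAMPLE = (
    '<p>Q3 numbers attached.</p>'
    '<img src="http://www.senderisspying.com/images/logo.jpg">'
    '<img src="http://www.senderisspying.com/potentialleaker#1/logo.jpg">'
    '<img src="http://news.example.com/open.gif?rid=CONSTRUCTED" width="1" height="1">'
)

class _ImgAttrs(HTMLParser):
    """Collects the attributes of the single <img> tag fed to it."""
    attrs = {}  # replaced per instance when the tag is parsed
    def handle_starttag(self, tag, attrs):
        self.attrs = {k: (v or "") for k, v in attrs}

def tracker_reasons(img_tag):
    """Return why an <img> tag looks like a per-recipient tracker ([] if clean)."""
    parser = _ImgAttrs()
    parser.feed(img_tag)
    a = parser.attrs
    url = urlsplit(a.get("src", "").strip())
    if url.scheme not in ("http", "https"):
        return []  # cid:/data: images travel with the message; nothing is fetched
    reasons = []
    if url.query:
        reasons.append("query string")
    if url.fragment:
        reasons.append("fragment")
    if any(ID_LIKE.search(seg) for seg in url.path.split("/")[1:-1]):
        reasons.append("identifier-like directory")
    if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
        reasons.append("1x1 pixel")
    return reasons

def strip_trackers(html):
    """Drop suspicious <img> tags, keep the rest; return (clean_html, removed)."""
    removed = []
    def repl(match):
        reasons = tracker_reasons(match.group(0))
        if reasons:
            removed.append((match.group(0), reasons))
        return "" if reasons else match.group(0)
    return IMG_TAG.sub(repl, html), removed
```

Calling `strip_trackers(SAMPLE)` keeps the plain logo image and drops the other two. A filter like this over-blocks legitimate images under dated paths and misses identifiers hidden in the file name, which is why no such check is 100%.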
Businesses also use this technique for less nefarious schemes. For instance, if you sign up for newsletters from Costco, you’ll get HTML mail. You probably want to see the images, because the sale items are all images. But, as soon as you do, they’re tracking you, and they’ll know that contacting you by email works, and that you read it, where you read it from, what time you read it, and whether you are a Windows or a Mac user. Maybe you care, or maybe you don’t. NoSpyMail offers a middle ground; you can read the newsletter, but not have to tell Costco that you did.
Anyway, NoSpyMail is normally free. But, if you are a member of the HP board, and you need some protection, let me know. Pricing starts at $10,000 per copy. Probably a good investment for you!