Tuesday, 6 February, 2001, 17:57 GMT
When sending is spying
When you tap out an e-mail, someone might be tapping in
By BBC News Online internet reporter Mark Ward

Careful with that e-mail message, someone may be tapping it.

A US privacy watchdog has found a flaw in popular e-mail programs that makes it easy for people to tap any messages you send.

By hiding a small chunk of computer code in an e-mail, the group found, the sender could receive the text of any comments added by those receiving and forwarding the message.

The campaigners fear the vulnerability could be exploited by businesses keen to spy on rivals or by unscrupulous marketing companies hunting for e-mail addresses they can deluge with junk messages.

Wiretap warning

This week, the US-based Privacy Foundation warned users of the Outlook and Netscape 6 e-mail packages, saying that messages composed and sent with the programs were at risk of being tapped.

Former president Bill Clinton: "So that's what Hillary thinks of me"

The organisation has found that by embedding a piece of computer code into an e-mail, the originator of a message can see copies of any comments made every time the mail is forwarded.

Only messages sent and received using e-mail programs that can read the HyperText Markup Language (HTML) and Javascript are at risk. HTML is used to format the elements of a webpage, telling a computer where to put them and what they should look like. Javascript works with HTML and makes it easier for web designers to add basic functions to webpages, such as counters that tally the number of people visiting a site.

Javascript should not be confused with Java - a much more powerful programming language developed by Sun.

But the Privacy Foundation has found that one of the documented functions of Javascript turns it into an almost perfect tapping program.

Wholly holey

"You really would never know that this is occurring, unless you could view the source code and know what it meant," said Stephen Keating, executive director of the Privacy Foundation.

The offending 20 lines of computer code read the text of any comments added to a message and send them back to that message's originator every time the mail is forwarded.

Microsoft's Bill Gates: "Holes? I see no holes"

The vulnerability is found in Microsoft's popular Outlook and Outlook Express programs as well as messages composed and sent using Netscape Communicator 6.

The weakness was originally found by computer engineer Carl Voth in 1998. When he discovered the problem, Mr Voth told Microsoft but the company declined to plug the hole.

Posting peril

Users can take steps to protect messages from being tapped by disabling Javascript in the vulnerable e-mail programs, but they can only be sure they are completely protected if every person receiving the message has taken the same action.

Both Microsoft and Netscape are working on patches for their respective programs.

The Privacy Foundation fears that the vulnerability could be exploited by a company that is negotiating with a partner and wants to monitor what is being said about a deal internally, or by marketing companies that want to gather e-mail addresses they can later bombard with junk mail. Some companies are already offering e-mail tracking services.

The perils of making unguarded comments were underscored in 1997 when Norwich Union was forced to pay £450,000 to Western Provident Association after it was judged to have libelled the rival on its internal e-mail system.
