News of an email-based privacy hole may represent yet another frontier for electronic privacy invasion: email messages that interact with Web servers.
As usual, the discovery was accidental, catching software companies off-guard.
"What I got was 'Hmm, interesting,'" said Richard Smith of Netscape's and Microsoft's response when he notified the companies Wednesday that he found their software was affected by his finding. Smith, a software consultant, has discovered many other privacy problems involving Internet software.
Smith pulled the vulnerability from a tangle of conflicting functions among email programs, Web software, and Internet-based servers. As has been the case with previous e-privacy problems, few had considered the issue until a software expert decided to take a look.
Alerted by Smith, Microsoft and Netscape deployed engineers to analyze the vulnerability and determine whether their software should be altered.
"We're taking a hard look at what's going on here," Microsoft spokesman Adam Sohn said Friday. The company drew no immediate conclusions from Smith's findings.
The software may present potential methods of misuse, but software cannot be expected to eliminate vulnerabilities altogether. If a new exploit turns up that raises the possibility of useful software being used in negative ways, that's inherent in any technology.
"Our job is to limit those opportunities," Sohn said. "Bad people can sometimes do bad things with good technology."
The possibility of interaction between Web sites and the messages in users' email once again demonstrates that an increasingly networked world brings an increasingly dense thicket of problems.
That's partly why privacy groups requested that the Federal Trade Commission oversee the resolution of the new email software problem. Smith sent a report of his finding to the FTC earlier this week. The Consumer Project on Technology, the Electronic Frontier Foundation, the Electronic Privacy Information Center, and the Center for Media Education joined Smith's demand that the loophole be closed.
Privacy advocates viewed the latest example of user vulnerability on the Internet as a test of whether the FTC can effect changes that minimize such surprises.
The privacy loophole enables unsolicited emails to retrieve personal information using anonymous Web cookies. Cookies are anonymous identifiers Web sites collect from a user's browser to identify return visitors. But when the cookies are produced by way of an emailed Web page, marketers can much more easily match cookies with personally identifiable information on users' subsequent visits to their Web sites.
The functions may not be exploited by marketers today, but would inevitably be utilized as the online marketing industry matures, Smith said.
"There are email marketing companies that send out messages to people [on mailing lists], then there are banner ad companies that maintain anonymous profiles for serving up banner ads," he said.
As the companies begin to merge or partner with each other -- a trend Smith said has already begun -- the uses of their combined, collected data becomes exponentially more potent.
"When they combine forces ... you can start combining those two databases."
John Levine, a board member of the Coalition Against Unsolicited Email, and author of Internet for Dummies, said he suspects email-enabled cookies may already be coursing the Web.
"It's so technically straightforward I would be astonished if it didn't [happen]. It's just a matter of time before some clever marketer decides to," Levine said.
FTC spokeswoman Vicky Stretfeld said the agency will give the issue serious attention.
"Privacy issues are of utmost concern to the commission, and we will give it a serious review." FTC lawyers will evaluate the request, she said.
Smith hopes the agency will begin to evaluate more than this single incident.
"The key point to look out for here is the technical progress in the banner ad business," he warned in his report to the commission. "If banner ad companies enter the email servicing business, they'll be putting themselves in a very good position to also know the identity of people who are surfing to Web sites."
Concluded Smith: "This 'progress' represents yet another step in the erosion of privacy on the Internet."
