The tracer tactic may not be illegal, but it's just one step away from the kind of criminal acts that have put people in jail.

Gregg Keizer, Contributor

September 28, 2006


The tracer that Hewlett-Packard planted in an e-mail sent to a San Francisco journalist during an investigation into boardroom leaks technically wasn't spyware, said an analyst Thursday, but the tactic has been used by criminals.

In documents filed Wednesday with the Securities and Exchange Commission (SEC), HP outlined the chronology of its investigation and the techniques it and its hired investigators used to determine who was spilling details of boardroom meetings to the press. Among those techniques, the papers described what HP called a "tracer" that was included in an e-mail message sent to a journalist. Although HP did not name the reporter in the Form 8-K filed with the SEC, the company had previously identified her as Dawn Kawamoto of San Francisco-based CNET News.com.

HP planted the tracer, better known as a "Web bug," in an e-mail message to Kawamoto from a fictitious disgruntled executive. The company wanted to find out if Kawamoto was in contact with a boardroom source; assuming she was, if she forwarded the bogus message to that source, HP hoped to track the destination e-mail address using the tracer.

According to HP's account to the SEC, "the evidence suggests that the investigation team never received any confirmation that the tracer was activated, even though it did receive e-mail messages from the journalist." Friday, HP chief executive Mark Hurd said that he had approved the plan to send the reporter the fake e-mail, but that he had not signed off on any tracer planting.

"Technically, a tracer isn't spyware because it's not software," said Richard Stiennon, principal analyst with IT-Harvest and formerly the director of research at anti-spyware vendor Webroot. "A tracer is usually a 1-by-1-pixel image embedded in an HTML message. The image resides on a server, so that when the recipient views the message, there's an entry in the server log that the image was downloaded. It would tell them who viewed that message, or at least their IP address," he added.

If someone forwards the tracer-infected message, and that recipient views the message in HTML, his or her IP address will also be logged to the server. "They would still have some work to do [to identify the person], but it would clue them in [as to the leaker's identity]," said Stiennon.
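A mail filter can flag the kind of tracer described above by looking for remotely hosted images with a declared size of one pixel or less. The following is an added example, not part of the original article; the function name, the sample message and its hosts are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample message; hosts and the id parameter are placeholders.
SAMPLE = """\
From: sender@example.com
To: reporter@example.org
Subject: Product plans
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>See the notes below.</p>
<img src="https://example.com/logo.png" width="120" height="40">
<img src="http://tracker.example.net/t.gif?id=abc123" width="1" height="1">
<img src="cid:inline-chart" width="1" height="1">
</body></html>
"""

TINY = re.compile(r"^\s*[01](px)?\s*$")  # declared dimension of 0 or 1 pixel


class ImgFinder(HTMLParser):
    """Collects remote <img> sources whose declared size is 0 or 1 pixel."""

    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        # Only a remote fetch produces a server log entry; cid: images are embedded.
        remote = src.lower().startswith(("http://", "https://"))
        tiny = bool(TINY.match(a.get("width", ""))) and bool(TINY.match(a.get("height", "")))
        if remote and tiny:
            self.suspects.append(src)


def find_web_bugs(raw_message):
    """Return remote 1x1 image URLs found in the HTML parts of a message."""
    msg = message_from_string(raw_message, policy=default)
    finder = ImgFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.suspects
```

A size check only catches images that declare themselves tiny; any remote image produces the same log entry, which is why mail clients that block remote content by default are the more complete mitigation.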

"Spyware distributors have used tracers, but they're usually used by the DoubleClicks of the world as an alternative to cookies to track users," Stiennon said. "But they've been used for more nefarious purposes."

The tracer tactic may not be illegal, but it's just one step away from the kind of criminal acts that have put people in jail. The June 2005 arrest in Israel of a ring of private investigators who planted a keylogging Trojan horse on PCs of clients' competitors has been the most notorious. In March, a husband and wife team confessed to creating the Trojan, and struck a plea agreement with Israeli authorities. Stiennon has closely followed the case since its inception.

"I bet that the private investigators [HP hired] and HP's own people thought of using these [Trojans]," said Stiennon. "It won't surprise me if we find out that Trojans were considered. After you step over the line with pretexting, surveillance, and tracers, software is the next logical step."

Digital espionage and spyware-based investigations may still be rare, but they're getting to be in vogue, Stiennon said. "Usually it's used against direct competitors, like in the Israeli case. Or the Chinese, the Chinese are doing it all the time to everyone."
