HP's E-Mail Tracer Plan Pushes Ethical, Legal Envelope
More commonly used by spammers than corporate investigators, use of e-mail tracers, commonly known as Web bugs, is serious enough for federal investigators to seek court approval before employing one.

To gain intelligence about the media leak on its board of directors, Hewlett-Packard used a technology normally employed mainly by spammers and hackers--an e-mail tracer. It's actually such an illicit tool that government investigators get court approval to use one.
"We see it a lot from spammers," says Alex Shipp of MessageLabs, an e-mail security company based in New York. "Especially from the bad guys, yes, we see it. You don't generally see the good guys using it."
What HP executives have referred to as an e-mail tracer is generally known as a Web bug. It's a way to find out if someone has opened his or her e-mail or if that person has forwarded the message on to someone else who has opened it. It works several different ways. One way is to hide a link in the body of the e-mail message or in an attachment. The user doesn't need to click on the link. It will fire up and connect to a Web page, for instance, all on its own. If the link is hidden in an attachment, the user needs to open the attachment, but doesn't need to go the extra step of clicking on the link.
Few people have access to the Web page that the link goes to. When it gets a hit, it's easy to see when the hit came in and what IP address it came from. "If Fred Smith [logs a] hit, you know there's only one e-mail in the entire world to cause that action, so Fred Smith must have seen that e-mail and read it," explains Shipp. "You know how many people read it, and you know the IP address that touched the Web server."
It's "pretty trivial" to create the e-mail tracer or Web bug by adding active scripting or an attachment to the e-mail, according to Ken Dunham, director of the rapid response team at VeriSign iDefense Intelligence based in Mountain View, Calif. "You get it to phone home essentially," he adds.
And that's exactly what HP investigators were hoping their e-mail tracer would do.
On Friday, Sept. 22, both HP CEO Mark Hurd and attorney Mike Holston admitted that the company's investigators created the fictitious persona of a disgruntled HP senior manager, along with an e-mail address for this nonexistent person, all in an attempt to con a reporter into revealing the identity of her secret source. As part of their sting, they sent the reporter an e-mail with a tracer in an attachment. Investigators hoped the reporter would forward the message on to her contact on the board, and that the tracer would send that person's IP address back to HP, pinning down the identity of the leak.
The ruse might not have even worked, though. Holston, who is an attorney with Morgan Lewis, a law firm retained by HP to look into the media leak investigation, says there was no confirmation that the tracer was ever activated.
Ken van Wyk, principal consultant for KRvW Associates, says there are a lot of reasons the tracer might have failed. First off, it's possible the reporter never opened the attachment. It's also possible that if she forwarded the message on, she left off the attachment. And the reporter and her source might have been using a browser that disables script from connecting to the Internet without the user's permission.
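As an added example (not part of the original article and not any tool HP or the people quoted used), the following Python code checks a message from the recipient's side for the Web-bug mechanism described above: resources an HTML mail client fetches on its own, invisible images, and a per-recipient token in the URL. It covers the HTML-body variant only, not attachments; the sample message, host names and the 16-character token heuristic are assumptions made for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute is fetched automatically when HTML mail is rendered.
AUTO_LOAD = {"img": "src", "iframe": "src", "script": "src", "link": "href"}
TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}")  # assumption: long opaque run = per-recipient ID

class BugFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(AUTO_LOAD.get(tag, ""), "") or ""
        if urlparse(url).scheme not in ("http", "https"):
            return  # cid:/data: content is embedded and makes no network request
        reasons = ["remote auto-load"]
        if tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            reasons.append("invisible pixel")
        if TOKEN.search(urlparse(url).path + "?" + urlparse(url).query):
            reasons.append("unique token in URL")
        self.findings.append((tag, url, reasons))

def find_web_bugs(raw_message: str):
    """Return (tag, url, reasons) for every remote resource in the HTML parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    finder = BugFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings

# Constructed sample message; host and token are made up for illustration.
SAMPLE = """\
From: sender@example.com
Content-Type: text/html; charset="utf-8"

<html><body><p>See attached.</p>
<img src="cid:logo123" width="120" height="40">
<img src="http://tracker.example.net/o.gif?id=9f3c2a7be41d4c08a6b2" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    print(find_web_bugs(SAMPLE))
```

The embedded `cid:` logo is ignored because it causes no request; only the remote 1x1 image is reported, which is the request that would record the reader's IP address and time of opening on the sender's server.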