E-mail tracker firm sparks fears over internet security

The days of pretending you just didn't get that e-mail you ignored could be over. Today, a company called DidTheyReadIt.com offers customers the chance to track every e-mail they send.

By signing up, you'll be able to see when an e-mail was opened, how long it was looked at, if it was read more than once, and if it was forwarded to anyone else.

Inevitably, the service has already attracted the accusation that it is compromising the privacy of internet users. Rampell Software, the Massachusetts firm behind the website, admits there are "legitimate uses and stealth uses" for its product, but insists its intentions are good.

---snip----


DidTheyReadIt is invisible to recipients, hence the concern from privacy experts. Next time you pass over an old friend, annoying relative or tedious business contact, be aware that they might know for sure you've ignored them.

http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2004/05/24/cnnet24.xml&sSheet=/money/2004/05/24/ixcity.html

Only really, really desperate and strange people are going to be interested in having this as an option--and with people like that, it's only a matter of time before they stalk anyway.

Seriously, I agree that it's a violation of privacy to put this out there for public consumption.

but there will be "open source" blocker software developed to thwart this...and then it will be a back-and-forth war, much like pop-up ads and blockers, spam and filters, hackers and security, etc.

no big deal.

This is almost trivially easy to block. If you have security conscious email reader, or if you've set up your firewall correctly, the email tracking won't work.

For more information, see Slashdot's discussion of this:
http://yro.slashdot.org/article.pl?sid=04/05/23/2146200&mode=nested

most people aren't very savvy, which is why data mining remains big business and why people still complain about pop-ups and other annoying ads.

on the second try, and then did a search at news.google.com for information about didtheyreadit.com and found a thread at slashdot where all kinds of approaches were used to defeat it.

here's my experience (last half hour):

i signed up for the service and then immediately emailed myself a test email using the service, and indeed, i couldn't readily tell that it was tracking whether i was viewing it. it looked totally normal. i checked the website on my account there and, voila, it said the exact time i had opened the email, and how long i looked at it. scary.

so after thinking about how it must work, i sent myself another email using the service, and defeated it.

how did i defeat it?

i downloaded my emails without reading them. i turned off my airport connection (you could simply disconnect a dialup or ethernet connection.) i then opened all of my emails, threw away the ones i wasn't happy with (including the one i'd sent myself using the service), and re-connected to the internet. when i checked with the website to see if i'd opened the email, it said NO. and the email is now in the trash, so it will never know that i opened it.

HOW DOES IT WORK?

that's easy. the slashdot people figured it out by looking at the source code of the received emails. it sends an image that was created just for the sender which is located on a remote website. when the email is opened, that image is opened (it's a blank image so there's nothing to see) and the email client has to contact the website to download it. because the image is assigned to that particular email, the service knows exactly which email was opened and when.

another solution is to use an email client that is text-only. there are many that have this feature. if your email client refuses to accept images, the tracking image will never appear, and no contact will be made with the tracking company. voila.

so no need to put on a foil hat over this one, folks... if you are nervous about someone tracking you down with this service, just wait to open you emails until you are off-line, and then move them to the garbage or an archival mailbox so you won't accidentally open any suspicious ones AGAIN later while you are on-line. it's that simple.

Really.
Besides, you should never open and read your emails while online. Better yet is to use web-mail and receive only those emails that you want. Delete the rest of that spam with a few clicks.

I don't know about any of you, but if I'm calling someone, I either (a) need to talk to them right then about something, and/or (b) might not feel like talking on the phone later on if I had just called them for a casual conversation.

So, this new option, to me, is sort of like the caller i.d. dilemma. It used to be one could just hang up if the person didn't answer the phone, or refuse to leave a message if the answering machine picked up. Then came caller i.d., so we were all stuck with the fact that they would know we had called whether we wanted them to or not.

Then came *69 which you could press in before you dialed the number so that it would keep their caller i.d. from knowing you had called. Then came the block the phone companies offer that won't let calls come through unless they identify the numbers. Some people, in an effort to avoid telemarketers, got that option.

The problem is, it also lets someone know you've called and they will invariably return the calls they see on their caller i.d. boxes--even if it was 5 hours ago when you called because you then wanted to go for a drink, but you're now settled in the tub with a good book and a glass of wine.

We just keep one-upping each other.

This is nothing new. Most of these things are done by embedding an invisible tracking image in the e-mail. If you don't choose to view HTML mail, or even if you just turn off remote images, your mail won't be tracked. I view all e-mail in plain text by default and then view HTML only if I decide I want to. Spammers have been using techniques like this for ages to see if their e-mail is going to a live account.