By
The Associated Press
WASHINGTON - Imagine a large corporation wants to acquire a small Web company. The corporation sends an e-mail with a price proposal to the target - and includes a few lines of invisible computer code.
As the target's executives pass the message around, the corporation gets a copy each time it's forwarded - with all the supposedly private comments attached.
Yesterday a privacy group started demonstrating this new method to listen in on e-mail that works on the most popular programs.
Called an e-mail wiretap, it could be used to note off-color remarks from governmental officials, by a spamming company to gather e-mail addresses, or by a boss to find out what you're saying about him.
"You really would never know that this is occurring, unless you could view the source code and know what it meant," said Stephen Keating, Executive Director of the Privacy Foundation.
The foundation, associated with the University of Denver, and its chief technology officer Richard Smith, found out about the situation from computer engineer Carl Voth, who discovered it in 1998. Though Voth posted an explanation on his Web site, he kept quiet about it otherwise until contacting the Privacy Foundation recently.
Smith said e-mail wiretaps may become even more common than viruses.
"People like to snoop," he said. "Most people won't send viruses to their friends, because that's over the line. But they might want to see what people say behind their backs."
Keating said that while publicizing the method may lead people to use it, the effort also will educate the public on how to stop it.
"There is an arms race aspect with the Internet and privacy and security. If there weren't really a fix for it, we might be more hesitant in pointing it out," Keating said. "But I don't think there's really anything gained by not acknowledging that it exists."
If an e-mail recipient disables the JavaScript programming language in Microsoft Outlook, Outlook Express or Netscape 6 Mail, the added comments are no longer forwarded to the e-mail originator.
But if a user remembers to disable JavaScript, only he is protected. If he forwards the message, the tap will continue to work if the recipient doesn't also disable JavaScript.
The problem doesn't affect people who use Eudora, America Online's e-mail program or Web-based e-mail, such as Hotmail or Yahoo! Mail.
Microsoft has also made a downloadable software patch available for Outlook - intended for another security issue - that takes care of the wiretap problem as well.
The Privacy Foundation notified both Microsoft and Netscape about the issue before coming forward. Microsoft spokesman Ryan James said the newest downloadable update to Outlook Express, version 5.5, is not affected because JavaScript is off by default.
A Netscape spokesman did not return a call for comment.
Smith suggested that someone may use the wiretap method to change e-mails, too. The ability exists, he said, for an e-mail sender to change its contents each time it's forwarded, causing havoc for each new sender who finds new words put in his mouth.
Last year, Smith brought attention to the use of "Web bugs," invisible images embedded in e-mail or Web sites that can be used to track viewers. While it was thought to be a new discovery, it was later found that a man had used it to see who viewed his online resume, and many companies now use them to surreptitiously monitor Web traffic.
"Once you identify it, then it becomes easier to tell who's using it," Keating said.
