To gain intelligence about the media leak on its board of directors, Hewlett-Packard used a technology normally employed mainly by spammers and hackers--an e-mail tracer. It's actually such an illicit tool that government investigators get court approval to use one.
"We see it a lot from spammers," says Alex Shipp of MessageLabs, an e-mail security company based in New York. "Especially from the bad guys, yes, we see it. You don't generally see the good guys using it."
What HP executives have referred to as an e-mail tracer is generally known as a Web bug. It's a way to find out if someone has opened his or her e-mail or if that person has forwarded the message on to someone else who has opened it. It works several different ways. One way is to hide a link in the body of the e-mail message or in an attachment. The user doesn't need to click on the link. It will fire up and connect to a Web page, for instance, all on its own. If the link is hidden in an attachment, the user needs to open the attachment, but doesn't need to go the extra step of clicking on the link.
Few people have access to the Web page that the link goes to. When it gets a hit, it's easy to see when the hit came in and what IP address it came from. "If Fred Smith [logs a] hit, you know there's only one e-mail in the entire world to cause that action, so Fred Smith must have seen that e-mail and read it," explains Shipp. "You know how many people read it, and you know the IP address that touched the Web server."
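The mechanism Shipp describes, seen from the recipient's side: any element in an HTML message that a mail client fetches automatically is a potential beacon, and the ones that are tiny, hidden, or carry a per-recipient token are the ones to worry about. The Python below is an added illustration and is not code from HP, MessageLabs or iDefense; the sample message body, hostnames and token value are constructed, and the heuristics (tiny dimensions, hidden styling, opaque query token) are this example's own assumptions about what a tracking reference looks like, not a standard.

```python
"""Scan an HTML e-mail body for auto-loading remote references ("Web bugs")
and produce a copy with those references blocked, as a remote-content-blocking
mail client would. Added example; the sample body below is constructed."""
import html as html_mod
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# Elements a mail client fetches on open with no click required:
# the "hidden link" the article describes.
AUTO_FETCH = {"img": "src", "iframe": "src", "script": "src",
              "link": "href", "video": "poster", "audio": "src"}

CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.I)
TINY_CSS = re.compile(r"(width|height)\s*:\s*[01]px", re.I)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Assumed parameter names that commonly carry a per-recipient identifier.
PARAM_HINT = re.compile(r"^(id|uid|rid|rcpt|recipient|token|track|open)$", re.I)
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9_-]{16,}$")


class BeaconScanner(HTMLParser):
    """Collect every remote auto-fetch reference and score it for beacon traits."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        attr = AUTO_FETCH.get(tag.lower())
        if attr and attrs.get(attr, "").lower().startswith(("http://", "https://")):
            self.findings.append(self._assess(tag, attrs, attrs[attr]))
        # Inline CSS background images load automatically as well.
        for css_url in CSS_URL.findall(attrs.get("style", "")):
            self.findings.append(self._assess(tag, attrs, css_url))

    @staticmethod
    def _assess(tag, attrs, url):
        reasons = []
        style = attrs.get("style", "")
        w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
        if (w in ("0", "1") and h in ("0", "1")) or TINY_CSS.search(style):
            reasons.append("tiny")
        if HIDDEN_CSS.search(style):
            reasons.append("hidden")
        parsed = urlparse(url)
        for name, value in parse_qsl(parsed.query, keep_blank_values=True):
            if PARAM_HINT.match(name) or OPAQUE_TOKEN.match(value):
                reasons.append(f"per-recipient token in query ({name})")
                break
        # A long opaque final path segment is another common way to encode the recipient.
        last = parsed.path.rsplit("/", 1)[-1].split(".")[0]
        if not parsed.query and OPAQUE_TOKEN.match(last):
            reasons.append("opaque path token")
        return {"tag": tag, "url": url, "host": parsed.hostname,
                "verdict": "likely beacon" if reasons else "remote resource",
                "reasons": reasons}


def scan(body: str) -> list:
    """Return one finding dict per remote auto-fetch reference, in document order."""
    scanner = BeaconScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def neutralize(body: str) -> str:
    """Replace every remote auto-fetch URL so nothing phones home on open.
    Both the raw URL and its HTML-escaped form are replaced."""
    out = body
    for finding in scan(body):
        for form in (finding["url"], html_mod.escape(finding["url"], quote=False)):
            out = out.replace(form, "about:blank")
    return out


# Constructed sample: a real logo, a 1x1 hidden beacon with a recipient token,
# and a CSS background that also loads automatically.
SAMPLE_BODY = """<html><body>
<p>Please see the attached memo.</p>
<img src="https://www.example.com/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example.net/o.gif?rid=7f3a9c1e5b2d4f60a8e1" width="1" height="1" style="display:none">
<div style="background:url('https://cdn.example.org/bg.png')">Footer</div>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_BODY):
        print(f"{f['verdict']:16} {f['tag']:5} {f['host']}  {', '.join(f['reasons'])}")
    print(neutralize(SAMPLE_BODY))
```

Each finding records the host that would see the hit and why it was flagged; a gateway that applies `neutralize` before delivery gives the same protection van Wyk's remote-content-blocking scenario does, and the findings list is the log entry a defender would want when such a message arrives.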
It's "pretty trivial" to create the e-mail tracer or Web bug by adding active scripting or an attachment to the e-mail, according to Ken Dunham, director of the rapid response team at VeriSign iDefense Intelligence based in Mountain View, Calif. "You get it to phone home essentially," he adds.
And that's exactly what HP investigators were hoping their e-mail tracer would do.
On Friday, Sept. 22, both HP CEO Mark Hurd and attorney Mike Holston admitted that the company's investigators created the fictitious persona of a disgruntled HP senior manager, along with an e-mail address for this nonexistent person, all in an attempt to con a reporter into revealing the identity of her secret source. As part of their sting, they sent the reporter an e-mail with a tracer in an attachment. Investigators hoped the reporter would forward the message on to her contact on the board, and that the tracer would send that person's IP address back to HP, pinning down the identity of the leak.
The ruse might not have even worked, though. Holston, who is an attorney with Morgan Lewis, a law firm retained by HP to look into the media leak investigation, says there was no confirmation that the tracer was ever activated.
Ken van Wyk, principal consultant for KRvW Associates, says there are a lot of reasons the tracer might have failed. First off, it's possible the reporter never opened the attachment. It's also possible that if she forwarded the message on, she left off the attachment. And the reporter and her source might have been using a browser that disables script from connecting to the Internet without the user's permission.
Hurd has said he knew about the plan to send false e-mails to a journalist, and he approved of it. However, he says he doesn't recall seeing or approving the use of tracer technology.
Trolling Some Murky Waters
While it's not clear why the ruse didn't work, it is clear that HP was treading in some ethical and legal gray areas.
"If this kind of thing happens without the user's knowledge...it's a sneaky thing," says Shipp. "Legally, it's a very gray area. Ethically, the reason you're doing it is to get information, and you haven't gotten the person's permission to do that. Nowadays people accept it's not a good thing to do."
Scott Christie, who formerly headed up the computer hacking and intellectual property section of the U.S. Attorney's Office in Newark, N.J., says using an e-mail tracer or Web bug is serious enough for government investigators to seek court approval before they head down that road.
"Arguably, you are conducting a remote search of the user's computer by virtue of causing an involuntary transfer of information back to you," says Christie, who now heads up the information technology practice group at McCarter & English, a New Jersey-based law firm. But Christie says some in the government argue that since actual e-mail content isn't being intercepted, a lesser court order would suffice. Regardless of whether it calls for a full-blown search warrant or a court order, Christie says the feds seek court approval before unleashing a Web bug.
"The Web bug does a search on the recipient's computer," says Christie. "Is it a search because it divulges the IP address? Some might argue yes. You are invading the computer to gather information about the user of the computer and the computer itself."
Investigators outside the government aren't bound by the Fourth Amendment, which calls for obtaining search warrants. But the fact that federal investigators seek court approval testifies to the seriousness of the tool, says Christie.
Christie says using e-mail tracers isn't something he ever saw in a corporate setting.
"To hear that in a corporate context these were used without court oversight or approval is troubling," says Christie. "It's a rather aggressive technique."
But does it break any laws?
Christie says it comes close to being an unlawful intercept of electronic communications, which would be a violation of the wiretap act. It also skirts around breaching privacy laws. But he says he doesn't think there are any federal laws specifically targeting tracers or Web bugs.
California law, though, could be a whole other ball game.
The state of California, where much of the HP investigation took place, has tougher privacy and computer fraud laws than most other states, according to Christie. Any violation of those laws would fall under the purview of the state Attorney General's Office, which is investigating the HP media leak scandal. Tom Dresslar, spokesman for California Attorney General Bill Lockyer, said in an interview last week that he couldn't say if they were looking into HP's use of e-mail tracers.
"It certainly is a shade of gray," says van Wyk. "If they sent something to a reporter and an attachment runs without the reporter's knowledge or permission, then I think the gray just got a hell of a lot darker."