Technology: May 2012 Archives

There's something creepy going on with email in the race to be Oklahoma's next Republican National Committeeman.

If you're a delegate to the 2012 Oklahoma Republican State Convention, you've been getting a barrage of emails from Richard Engle, candidate for Republican National Committeeman, announcing endorsements from a surprising mixture of people, including disgraced former Speaker Lance Cargill.

What's especially odd about these Engle emails is that they have no substantive text. If you have automatic loading of remote images turned off in your email program -- and you should, for your own Internet safety -- you won't see anything in these Engle emails but a blank space where the image would be and a link labeled, "Is this email not displaying correctly? View it in your browser."

Now, it's not unusual for a mailing list to include a remotely hosted image -- a logo perhaps, or a large photo. A link uses less disk space and bandwidth than embedding the image into the message. But good email etiquette and politeness to the blind demand that you put in an alternative text for the image -- e.g., the name of the company in text form as an alternative to the logo. Typically in these cases, the bulk of the message is plain text, readable even if you choose not to load the remote image.

In Soviet Russia, email reads you!But Richard Engle's emails are different. He's embedded the text of the message in a big image which is located on a remote server. The image is not attached to the email. You can't read it unless you allow remotely hosted images to load, or unless you click the "View it in your browser" link. Among other things, this means you can't cut and paste the text of the message, you can't make the text bigger, and you can't use text-to-voice software to read it to you aloud (more disadvantage for those with limited vision).

And when you load remote images or click the "view it in your browser" link, the server that hosts the endorsement image logs your Internet Protocol (IP address) with a URL that looks like gibberish but actually is a unique identifier tied to your email address. Engle will be able to know which of the endorsement messages you have looked at and which messages you've ignored. More importantly, he will have the IP address of the computer from which you opened his email, and it would be possible to match it with other internet activity.

For most residential users, your IP address, which changes from time to time, only reveals, for example, that you're a Cox or AT&T customer. This email-based data-gathering system makes it possible for someone to pinpoint that a given address is likely to be yours. With multiple emails, you might open some at home, some at work, some at your favorite coffeehouse. Engle would be able to tie your email address to each of these IP addresses and might have enough information to establish a pattern of internet usage. The internet server logs would also let him know what operating system you're running on each of those computers and what web browser or email client you're using.

As Yakov Smirnoff might say, "In Soviet Russia, email reads you!"

Engle could use this feature to build a database of thousands of Oklahoma Republican activists, matching name to email address to one or more IP addresses. Win or lose the RNC position, Engle would have an asset with economic and political value.

Why would someone want to do this? The person sending the email could use this setup to determine who is posting unfavorable anonymous comments on a message board or sending unfavorable anonymous emails. The mailer could sell the database to website owners, who might use it to track an activist's internet activity for commercial or political advantage.

With this database, one could set up a trap: send an email to the same list from a fake "From" address, advertising some illicit website. The database may be able to pinpoint which individuals clicked that nasty link, and suddenly, "You've got blackmail!"

This odd way of sending email has absolutely no advantages to those receiving the email, but it could be very advantageous to the sender.

Is it possible that Engle is doing this innocently? Sure. But this is such an unnatural way to send an email, I have to believe it was done deliberately by someone (perhaps Engle, perhaps someone else). You have to take some time and care to arrange a huge block of text in an image file, rather than just typing the message into an email. That turtle didn't get on that fencepost all by itself.

For the rest of us: Set your email client not to load remote images automatically. Look at carefully at any link in an email before you click it. If there's a lot of incomprehensible code at the end of a URL, it's likely that the sender's email system can track your click to your email address to your IP address and report that information to the sender.

MORE:

How Thunderbird (Mozilla's email program) protects your privacy by not automatically loading remote images

About.com: How Reading an Email Can Compromise Your Privacy: How this privacy attack works and what countermeasures can be used.

About this Archive

This page is a archive of entries in the Technology category from May 2012.

Technology: January 2012 is the previous archive.

Technology: December 2012 is the next archive.

Find recent content on the main index or look in the archives to find all content.

Contact

Feeds

Subscribe to feed Subscribe to this blog's feed:
Atom
RSS
[What is this?]