A few lines of JavaScript embedded in an e-mail message can expose it to what privacy advocates liken to "e-mail wire-tapping".
e-Bugs
A simple piece of JavaScript code embedded in an e-mail message can make it possible for information about the recipient to be sent back to the sender when an e-mail is opened, forwarded, or trashed prior to reading.
This can occur when e-mail messages are written in HTML format (the web language that allows basic formatting like bold and italics) and use JavaScript code. In these situations, it is relatively easy to "bug" an e-mail by inserting a few lines of JavaScript. However, for the bug to be activated, the recipient's e-mail reader must also display HTML-formatted messages and be able to run JavaScript.
When a bugged e-mail is read by the recipient, it sends off an undetected reply to the original sender, which includes any comments the recipient may have unwittingly sent in a forwarded message. This can have potentially dire consequences in a legal or commercial environment where an e-mail containing sensitive or confidential information is sent around an organisation for comment.
In the United States, the practice is already commonplace among some e-marketers, who use a tool to obtain mass e-mail addresses for advertising purposes, or to monitor the success of a campaign by recording who actually opened and read a message.
E-mail systems such as Microsoft Outlook, Outlook Express, and Netscape 6 are the most at risk of being bugged, as they use HTML format with JavaScript enabled by default. Web-based e-mail systems such as Yahoo and Hotmail do not appear to be affected by the bug, as they automatically strip JavaScript and HTML from incoming e-mail messages.
Although the latest version of Microsoft Express comes with JavaScript disabled, there are still thousands of systems operating earlier versions of Outlook and Outlook Express, where JavaScript is still enabled. And while security measures can be taken to protect e-mails, they do not cover every copy of a message: if a bugged message is received by a recipient with JavaScript disabled, any copy that is then sent to a system where JavaScript is still enabled can still be read by the original sender.
Disabling Bugs
An American organisation called The Privacy Foundation (set up to monitor communication technology and services that may threaten personal privacy), which first detected the bug, has posted detailed instructions on its website on how to disable JavaScript functions in both Netscape and Microsoft e-mail readers.
Copyright Infringement
Although privacy advocates say that obtaining information about the recipient without their knowledge or consent is an invasion of privacy, the ability to track e-mail may be a very useful tool in protecting and enforcing valuable intellectual property rights, especially in an age where business is increasingly transacted electronically.
For example, many news and information sources are transmitted electronically, in exchange for a licence or subscription fee. If the news transmission carries a "pixel tag" that allocates each subscriber a unique identifier, every time the message is opened or forwarded to another party, a message is sent to the publisher's server. The publisher is then able to determine how many copies of its publication are being read, and whether this is being done by non-subscribers.
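As an added illustration (not part of the original article and not The Privacy Foundation's instructions), the following Python example shows how a mail gateway or reviewer could flag the two mechanisms described above, JavaScript in an HTML message and a remotely loaded "pixel tag", before a message is opened. The sample message, its addresses and the host name are constructed for the example.

```python
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message (hypothetical address, host and identifier).
SAMPLE = """\
From: sender@example.com
Subject: Quarterly figures
Content-Type: text/html; charset="utf-8"

<html><body onload="placeholder()">
<p>Please <b>comment</b> and forward.</p>
<script>/* constructed placeholder, no real code */</script>
<img src="http://tracker.example.com/t.gif?id=SUBSCRIBER-0001" width="1" height="1">
<img src="cid:logo@example.com">
</body></html>
"""

class ActiveContentFinder(HTMLParser):
    """Collects (kind, tag, detail) for script and remote-load markup."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", tag, ""))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):            # onload, onclick, ...
                self.findings.append(("event-handler", tag, name))
            elif value.lower().startswith("javascript:"):
                self.findings.append(("javascript-url", tag, name))
            elif name in ("src", "background") and \
                    value.lower().startswith(("http:", "https:", "//")):
                self.findings.append(("remote-load", tag, value))

def scan_message(raw):
    """Return findings for every text/html part of an RFC 822 message."""
    finder = ActiveContentFinder()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            charset = part.get_content_charset() or "utf-8"
            finder.feed(payload.decode(charset, errors="replace"))
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

Images referenced with `cid:` are attached to the message itself and are not reported, since loading them contacts no external server.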
So What?
If your organisation uses e-mail to transmit or comment on matters of a sensitive or confidential nature, be aware that someone with a basic knowledge of JavaScript programming may be able to track your confidential or private communications and may be able to "steal" your proprietary information. This can open you up to a raft of legal exposures, ranging from breaches of contractual confidentiality and intellectual property obligations, to allegations of negligence and breaches of privacy legislation (to name but a few). The commercial exposure can be even greater - the loss of key information (and maybe even a key deal) to a competitor could devastate your business!
The key message is this: Given the capabilities of an increasingly electronic age, we should all be a little more cautious before hitting the "send" button or replying to an e-mail.
This is a general summary only and should not be taken as a substitute for specific advice.
Contacts
Michael Sage, Partner, michael.sage@simpsongrierson.com
Earl Gray, Partner, earl.gray@simpsongrierson.com
Jan Kelly, Partner, jan.kelly@simpsongrierson.com
Sarah Foster, Associate, sarah.foster@simpsongrierson.com
Simpson Grierson lawyers
Simpson Grierson, May 2001