The tracer software that Hewlett Packard investigators used to try to sniff out boardroom leaks sounded like it had been ripped from the pages of a bad science-fiction novel. That is, until the company began talking about it in detail at a congressional probe into the spying scandal.
The technology tool the company used, called a web bug, is designed to allow email senders to track the path a message takes, including whether a recipient opens the message and forwards it to another party. And it turns out the technology is widely used in email newsletters to track readers and also by law-enforcement in investigations, according to security experts.
A spokesperson for the California attorney general's office said that HP's use of web bugs is not linked to the 4 October charges of five people, including former HP chairperson Patricia Dunn, on allegations that they used false pretences to access individuals' phone records.
However, HP's boardroom leak investigation did use the web bug technology as part of an unsuccessful attempt to trick a journalist into revealing her confidential source on the company's board of directors, according to HP security investigator Fred Adler.
Security expert Richard Smith said most people who use the internet have been subject to web bugs. "Any kind of commercial email is probably going to have them in there," he said.
HP turned to a small Australian company called ReadNotify.com to help track the email messages. ReadNotify tracks both email and Microsoft Office documents. It will tell when the email you sent was read, and will guess the location of the recipient, based on the reader's IP address.
The ReadNotify service is popular in law enforcement and also in industrial espionage investigations, said Chris Drake, ReadNotify's chief technology officer.
Here's how web bugs operate: the bug's author puts an image on a web server and assigns the image a unique website address, or URL, and then sends an email that contains a link to this image. The image can be hidden from sight or displayed in plain view - a corporate logo, for example.
When the recipient opens the email, that person's computer looks up the image and in doing so sends that information to the web server. Another way of implementing the tracking technology is for ReadNotify users to add '.readnotify.com' to the end of the recipient's email address.
When the question of whether web bugs are legal has been tested in the US, courts have tended to focus on whether this type of technology violates federal wiretapping laws, says Chris Jay Hoofnagle, senior staff attorney at the University of California, Berkeley.
Hoofnagle says state courts could take up the issue of web bugs, considering the existence of antihacking laws in states such as California. California law prohibits certain uses of computer resources without the permission of the user, and nobody knows for sure whether HP's actions would violate this law or similar statutes in other states, Hoofnagle says.
At the hearing before House Energy and Commerce Committee members, HP's Adler said his company had used web bugs "a dozen to two dozen" times in the three years he had worked there and considers them to be a legitimate investigative tool.