MORE ON THE PUSS'S PRIVACY PUZZLE


The Puss's Privacy Puzzle, posted only yesterday (scroll down - it's immediately under this blog), has received numerous comments and responses. Apart from those attached to the original blog, the following are worthy of note:

First, fellow blogger C. E. Petit explains in brief:

"The reason that Outlook has that particular behaviour is the problem with webbugs--usually 1 x 1 pixel items. The privacy hook is that code in the webbug tells the computer from which the picture is downloaded what email address requested that picture and its IP number--which are both immensely valuable to spammers, as they indicate that a given message has reached a human being. Thus, the privacy issue".
In similar vein David Pearce (Eric Potter Clarkson) explains:

"Outlook blocks by default downloading of material referenced in emails, including pictures, because they can in fact uniquely identify you. What is common to find in (html-formatted) spam emails is that they contain html links which have codes in them unique to the email address to which the email was sent. By downloading the picture sent in response to accessing this link, the spammer is easily able to tell whether the email was read, and can update his records accordingly, i.e. mark your email address as being 'live', and therefore more valuable".
For those who want a fuller technical description, David Brophy (F. R. Kelly, Dublin) really goes to town:

"There were two pictures attached to your email. One of them was: http://www.meankitty.com/images/NumNum.jpg, and the other was http://www.cybercrime.gov/rules/netizen4_files/privacy.gif.

In order to see those pictures my email client has to contact the sites www.meankitty.com and www.cybercrime.gov, so the owners of those sites can (at a minimum) see that someone at my IP address has looked at those pictures. If those addresses were created solely for use in that email circular, then those site owners could tell that I opened that email (though not of course if Outlook prevents me from opening the pictures).

Taking this a step further, the address of a picture attached to an email sent to you could be something like http://ipkitten.blogspot.com/spam_program/check_for_active_addresses/jeremy@.asp. An otherwise identical email sent to Merpel could have an embedded picture with an address of http://ipkitten.blogspot.com/spam_program/check_for_active_addresses/merpel.asp. If you opened the email using an old version of Outlook and Merpel opened it with a newer version including the "privacy" feature (and without clicking on the picture to download it), then the evil spammer would be able to tell that your address was active but would be unable to determine that Merpel's address was active.

Taking this a final step, if the spam email purported to provide cheap credit (or indeed Viagra without prescription), the ability to identify those recipients of a spam email who were both active addresses and interested enough to open the email (thereby automatically downloading the pictures and alerting the web server) would enable those addresses to be sold on for a premium and would almost certainly result in more spam in the future".
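The mechanism the commenters describe can be checked from the recipient's side. The following Python function is an added example, not part of the original post or its comments: it lists every image in an HTML email that a mail client would fetch from a remote server, with any signs that the URL is tied to the recipient. The sample message, its hosts and the name `find_remote_images` are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def find_remote_images(raw_message, recipient):
    """Return (url, reasons) for each image the client would fetch remotely."""
    local = recipient.split("@")[0].lower()
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = ImgCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for img in collector.images:
            src = img.get("src") or ""
            if urlsplit(src).scheme not in ("http", "https"):
                continue  # cid:/data: images travel inside the message: no fetch
            reasons = []  # may stay empty: the fetch still exposes the reader's IP
            if img.get("width") in ("0", "1") and img.get("height") in ("0", "1"):
                reasons.append("1x1 image")
            if local in unquote(src).lower():
                reasons.append("recipient name in URL")
            if re.search(r"[0-9a-f]{16,}", src, re.I):
                reasons.append("long opaque token in URL")
            findings.append((src, reasons))
    return findings

# Constructed sample message; hosts, paths and addresses are placeholders.
SAMPLE = """\
From: sender@example.invalid
To: merpel@example.org
Content-Type: text/html; charset="utf-8"

<img src="cid:logo@example.invalid">
<img src="http://tracker.example.invalid/check/merpel.asp" width="1" height="1">
<img src="http://news.example.invalid/o.gif?u=9f2c4b7a1d3e5f60a8b7">
<img src="http://images.example.invalid/cat.jpg" width="300" height="200">
"""
```

Calling `find_remote_images(SAMPLE, "merpel@example.org")` returns three entries: the embedded `cid:` image is skipped, and the ordinary remote picture is still listed with no reasons, because fetching it reveals the reader's IP address to the hosting site.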
Chris Rycroft (Oxford University Press) adopts an approach based more on moral than on technical reasoning:

"Could it possibly be that it is supposed to protect the "privacy" of someone (most commonly in the workplace) in the sense that it guards against embarrassing pictures automatically being displayed on screen in full view of work colleagues…; whereas text is just text and cannot be so easily read from a distance...".
Finally, Anonymous posted a Comment this morning that reads as follows:

"... the IPkat should note that hotlinking to images from other sites for its posts is also not a good idea. First, it uses bandwidth that is being paid for by somebody else, and indeed increases their costs. Secondly, if this annoys one of those people, all they have to do is upload another picture in the same place with the same name and IPKat's visitors could be subjected to a different sight entirely".
Anonymous is right, but it seems to be accepted blogging custom and practice to hotlink images and the IPKat has received many appreciative emails from people who actually like them. He also checks back-blogs regularly in case offensive images have been superimposed. It is also the IPKat's policy to remove any images where (i) the copyright owner objects and (ii) the objection is sustainable under copyright law - but that's another issue entirely!

The Kat (above) takes time to look up his copyright law.
Reviewed by Jeremy on Thursday, September 29, 2005
