Email with Cookies Has Privacy Advocates in an Uproar

6 December 1999
A new "cookie" scare has privacy pundits in an uproar. Novell CEO Eric Schmidt recently announced that his credit card number had once been stolen, probably by a cookie attached to an email, according to reports in ZDNet. In fact, consumer and privacy advocates have asked the Federal Trade Commission to close software loopholes that potentially allow bulk emailers to identify consumers through "cookie" technology.

Security expert Richard M. Smith of Brookline, Mass., said, "Web browser cookies and email messages don't mix. Web surfing is supposed to be anonymous, but with the cookie leak security hole, companies can easily match our Email addresses to the Web sites we visit. I hope that Netscape, Microsoft and other software makers will quickly patch this hole."

Smith also sent a report to the FTC this week explaining in technical detail how companies do this. The report is now available on the Web at http://www.tiac.net/users/smiths/privacy/cookleak.htm.

"Cookie leaks are the bug from spammers that keeps on bugging. It's intolerable that email can be used to silently zap a nametag onto you that might be scanned by a site you visit later. It's like secretly bar-coding people with invisible ink," added Jason Catlett, Junkbusters Corp. president.

Many email readers display email messages using a Web browser. If the message contains graphics retrieved from the web when the mail is opened, the loophole allows the recipient to be assigned a unique serial number in a "cookie," which will later be silently transmitted as the recipient surfs the Web. Many companies encode the recipient's email address in the URL (web address) of the graphic, so that their servers can match the cookie to the email address.
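A mail filter can spot the pattern described above before a message is rendered. The following is an added example, not code from the article or from Smith's report: it lists remote images whose URL carries the recipient's address, and it goes slightly beyond the plain case by also checking base64 and hashed forms. The host names, the sample message and the list of encodings are assumptions made for illustration.

```python
import base64, hashlib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote

class RemoteImages(HTMLParser):
    """Collect <img src> values that are fetched from a remote web server."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "img" and src.lower().startswith(("http://", "https://")):
            self.urls.append(src)

def address_forms(addr):
    """Encodings of the address to look for; this list is an assumption."""
    forms = {"plain": addr.lower(),
             "base64": base64.b64encode(addr.encode()).decode().rstrip("=")}
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, addr.lower().encode(), usedforsecurity=False).hexdigest()
    return forms

def images_identifying_recipient(raw_message):
    """Return (url, form) pairs for remote images whose URL carries the To: address."""
    msg = message_from_string(raw_message)
    recipient = parseaddr(msg.get("To", ""))[1]
    parser = RemoteImages()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    hits = []
    for url in parser.urls:
        decoded = unquote(url)  # undo %40 and similar escapes before matching
        for form, token in address_forms(recipient).items():
            # base64 is case-sensitive; plain text and hex digests are not
            if recipient and token in (decoded if form == "base64" else decoded.lower()):
                hits.append((url, form))
                break
    return hits

# Constructed sample message (not taken from any real mailing)
SAMPLE = """To: Alice <alice@example.org>
Content-Type: text/html; charset="us-ascii"

<img src="http://ads.example/banner.gif?u=alice%40example.org" width="1" height="1">
<img src="http://ads.example/logo.gif">
<img src="http://track.example/p.gif?id=YWxpY2VAZXhhbXBsZS5vcmc">
"""
```

A message that produces any hit is a candidate for displaying with remote images blocked, which prevents both the cookie from being set and the address from reaching the server.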

Just last month many of these same advocacy groups had asked the FTC to halt online profiling tactics used by most direct marketers. "The lack of government action continues to place the average user -- unaware of the tracking and surveillance technologies at work -- at the mercy of companies that often abuse their privacy," said Andrew Shen, policy analyst at the Electronic Privacy Information Center (EPIC).

ZDNet spoke with several security experts who downplayed the seriousness of the email cookies. According to the experts, it's unlikely that most people would have to worry about their credit card numbers being stolen in a similar fashion.