Privacy group warns that e-mail software allows snooping

The Privacy Foundation has nicknamed this problem "e-mail wiretapping" because, by adding a few lines of JavaScript to an e-mail sent in HTML format, the sender can surreptitiously monitor any written messages attached to forwarded messages. Basically, if the recipient forwards the message to others, whatever he or she adds is returned to the original sender.

According to the group, some of the possible ways that this might be used include:

Monitoring the path of a confidential e-mail message and written comments attached.

In a business negotiation conducted via e-mail, one side can learn inside information from the other side as the proposal is discussed through the recipient company's internal e-mail system.

A bugged e-mail message could capture thousands of email addresses as the forwarded message is sent around the world.

Commercial entities, particularly those based offshore, may seek to offer e-mail wiretapping as a service.

The act requires the person reading a wiretapped e-mail message to be using an HTML-enabled e-mail reader that also has JavaScript turned on by default. Affected e-mail readers include Outlook, Outlook Express, and Netscape 6 Mail.

The risk is made possible because JavaScript is able to read text in an e-mail message. If a message is forwarded to someone else, the hidden JavaScript code in the page can read any text that has been added to the message when it is forwarded. This JavaScript code executes when the forwarded message is read. The JavaScript code then silently sends off this text to the original sender of the message.

The Privacy Foundation adds that a wiretapped e-mail message is difficult to detect but that an individual can avoid the e-mail wiretap by turning off JavaScript in the e-mail reader.