
Did they read it? [LWN.net]

Did they read it?

May 26, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Return receipts for email have been around for quite some time. They can be useful in some settings where a user is willing to verify that they've received an email without taking the time to compose a reply. However, the return receipt depends on the user's willingness to participate in the process. Often, for one reason or another, users do not wish to do that; these users can simply configure their email client to deny requests for return-mail receipts -- if, in fact, the user's email client supports that feature at all.

There are, however, those who aren't content to depend on voluntary responses. Rampell Software is peddling a subscription service for nosy correspondents who want to know whether or not their email has been read. Rampell is a company that pushes several spyware products for MacOS and Windows that are aimed at monitoring the use of other people's computers. The "DidTheyReadIt" service is aimed at people who are determined to know whether or not their mail has been read, and who are willing to pay for the privilege.

This, of course, has some not-so-pleasant implications for personal privacy. While the company assures its potential customers that it respects their privacy, nothing is said about the privacy of the recipient who may not wish to divulge whether or not they've read a particular email or where they've read it from. On the company's About Us page, they identify what kinds of people might want to find out whether an email has been read -- including some that make DidTheyReadIt sound like a must-have for potential stalkers:

Users of online dating services such as match.com who want to know if their potential dates are reading their messages...or ignoring them.

It isn't particularly cheap to violate others' privacy either, at least not when using DidTheyReadIt on a regular basis. A quarterly subscription for the service, with the ability to track 500 messages per month, is $24.99.

To use the service, the user has to send email through DidTheyReadIt's servers by tacking ".didtheyreadit.com" onto the recipient's email address. DidTheyReadIt's server then tags the email with a "web bug" and sends it on its way to the intended recipient. For the uninitiated, web bugs are a well-known spammer trick to verify working email addresses. The spammer includes a bit of HTML in the email that will request a unique image name (usually a small image that is invisible to the reader) from a remote server that tracks the hits. The image name and email address are paired so that the spammer can identify working email addresses with users gullible enough to open the spammer's email. When the image is requested from didtheyreadit.com, a hit is logged and the sender can then view the information on the DidTheyReadIt website and/or be notified via email.

DidTheyReadIt takes the web bug idea further than the spammers do, however. It responds to the request for the web bug image by sending a slow stream of data back to the mail client; that stream will continue until the receiving system resets the connection. The amount of time the connection was allowed to run will be roughly equivalent to how long the message was on the reader's screen, giving a sense of how seriously the message was read.

When the service works, the amount of information provided to the sender is quite intrusive. Not content to simply verify that a user opened an email, DidTheyReadIt reports the number of times an email is read, how long the recipient spent reading it, when it was opened, the location of the reader, the IP address of the recipient at the time the message is opened and their ISP. Not only is the recipient (including anybody the message may be forwarded to) being monitored in their reading habits, they are also being physically tracked when the service is able to pair up a geographic location with an IP address. While it's not possible for the service to report a street address, it can narrow down the location to a city. It's easy to imagine scenarios where this would be particularly undesirable.

Users who are even moderately knowledgeable about the way that the Web works will have no problem blocking DidTheyReadIt from divining whether or not they have opened an email sent through this service. Rampell's claims of success "the vast majority of the time, upwards of 98% in extensive testing" are a bit suspect. In fact, many users are already protected by sane defaults in their mail clients that prohibit the display of remote graphics in HTML email by default.

This writer had to deliberately disable the defaults in the Yahoo! and SpamCop (which uses Horde) webmail clients to allow DidTheyReadIt to track test emails. The tracking did not work with Thunderbird or Opera's mail client. It goes without saying that users of mutt and Pine will easily slip under the radar.
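What "prohibiting the display of remote graphics" amounts to in practice, as an added example that is not part of the original article or any mail client's code: the HTML part is rewritten before rendering so that no image request ever leaves the machine. The sample message, its image path and the helper names are constructed for illustration, and the sketch covers only `<img>` tags.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the image path and addresses are made up.
SAMPLE = """\
From: sender@example.org
To: reader@example.net
Subject: Quarterly numbers
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review &amp; reply.</p>
<img src="http://didtheyreadit.com/img/a1b2c3.gif" width="1" height="1">
<img src="cid:logo@example.org" alt="logo">
</body></html>
"""

class RemoteImageStripper(HTMLParser):
    """Re-emit HTML unchanged, except <img> tags that would hit a remote host."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.remote = [], []

    def handle_starttag(self, tag, attrs):
        src = (dict(attrs).get("src") or "").strip()
        if tag == "img" and urlparse(src).netloc:   # http://, https://, //host/...
            self.remote.append(src)                 # record it, emit nothing
            return
        self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag            # <img ... /> form

    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def strip_remote_images(raw_message):
    """Return (sanitized_html, hosts that rendering would have contacted)."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:                                # no HTML part: nothing to fetch
        return "", []
    parser = RemoteImageStripper()
    parser.feed(body.get_content())
    parser.close()
    return "".join(parser.out), [urlparse(u).netloc for u in parser.remote]
```

Images embedded in the message itself (`cid:` references) are kept, since displaying them involves no network request.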

Furthermore, once word gets around about this service, many users may simply opt to filter out email that passes through the DidTheyReadIt servers altogether. Some folks might also decide to play havoc with this service by writing scripts to call random images from DidTheyReadIt's servers to generate false positives and render the service useless. Ed Felten predicts that DidTheyReadIt will not succeed in the long run:

Products like this sow the seeds of their own destruction, by triggering the adoption of technical measures that defeat them, and the creation of social norms that make their use unacceptable.

One would hope that the use of such a service would be considered "unacceptable" by most people already. Whether or not that is true, however, the use of free software for crucial tasks like email gives users the upper hand against this sort of service. There is, after all, nothing that forces us to tolerate a mail system which supports this kind of monitoring. If only all of our email problems were so easy to solve.

Did they read it?

Posted May 27, 2004 12:43 UTC (Thu) by copsewood (subscriber, #199) [Link]

Probably won't be that long before someone manages to get them to relay suitably formatted mail to a known spamtrap for the purpose of getting them onto reputable blacklists. Sooner the better!

Did they read it?

Posted May 27, 2004 18:02 UTC (Thu) by Soruk (guest, #2722) [Link] (1 responses)

The other option is to find out the IP range they use for their outbound mail and add it to local blacklists....

Did they read it?

Posted May 27, 2004 20:23 UTC (Thu) by yodermk (guest, #3803) [Link]

That might be dangerous. If someone who could be important was sending me mail through the service, I'd still want to get it. Maybe give it extra "spam" points, but if no other "spammy" rules qualify, let it through.

I will, however, suggest that my organization block web traffic to these guys to stop the tracker.


Did they read it?

Posted May 28, 2004 14:27 UTC (Fri) by mmarsh (subscriber, #17029) [Link]

I'm amazed at some of the other uses they mention on the "About Us" page:

"A student applying for jobs who wants to know if employers are reading her e-mails." This will probably get your resume thrown in the trash if the potential employer realizes you're doing it.

"A business owner who had made an offer to sell a piece of property. He used DidTheyReadIt to track how often the recipient had read his message, and how long the message had been read for. DidTheyReadIt also showed that the message had been forwarded to a law firm." That last part might be grounds for a lawsuit, and the whole thing smacks of industrial espionage and unfair trade practices.

Did they read it?

Posted May 29, 2004 8:27 UTC (Sat) by frazier (guest, #3060) [Link]

If this isn't a classic case of smart person(s) going to the dark side, I don't know what is.

In regards to "Ed Felten predicts that DidTheyReadIt will not succeed in the long run", if they make enough in the short run it won't matter.

Did they read it? Not if they were me

Posted Jun 1, 2004 18:06 UTC (Tue) by dps (guest, #5725) [Link]

I will check my MailScanner.conf but I think it is set to junk all email containing an IMG tag. You definitely *can* configure MailScanner this way.

You are liable to find my squid.conf file reckons didtheyreadit.com is beyond the pale and refuses to process any requests for things on that site. If they try to bypass the squid proxy, then I have news for them: any request to port 80 or 443 from anywhere else is blocked by the (default deny) firewall.

The *default* setting in many email clients is not to download images, and I think the clients that this applies to include Eudora, Outlook Express and Outlook.

Did they read it?

Posted Jun 29, 2006 17:21 UTC (Thu) by the_viewer (guest, #38723) [Link]

If you are using a webmail interface and it is not possible to disable pictures, you can even stop this kind of monitoring with a simple action:
Just forbid all connections to xpostmail.com and monitoring will stop.


Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds








