December 6, 1999 Web posted at: 11:25 a.m. EST (1625 GMT) by Margret Johnston and Keith Perine

From...

WASHINGTON (IDG) -- Privacy and consumer groups are asking the U.S. Federal Trade Commission (FTC) to require software makers to close what they say is a security loophole in browsers that leaves people who read unsolicited e-mails vulnerable to the loss of their anonymity as they surf the Web.

A letter and a detailed report about the security hole was sent to the FTC by organizations including the Electronic Privacy Information Center (EPIC), the Electronic Frontier Foundation (EFF) and anti-spam group Junkbusters, according to a joint statement by these bodies.

	MESSAGE BOARD
Online privacy

The FTC will give the petition "serious review," an FTC spokesman said. Microsoft and Netscape spokesmen said their companies are also examining the claim.

The petition is the latest in a series of efforts by Internet privacy groups to get the U.S. government to regulate online privacy. Net advertisers and companies that closely monitor Web surfers' habits are resisting regulation in favor of policies that allow them to police themselves. So far, the FTC has adopted a wait-and-see approach.

MORE COMPUTING INTELLIGENCE

IDG.net home page

Make your PC work harder with these tips

U.S. legislators take hard look at spam bills

Spam bill backers focus on porn

IDG.net's products pages

Reviews & in-depth info at IDG.net

E-BusinessWorld

IDG.net's Windows software page

Questions about computers? Let IDG.net's editors help you

Subscribe to IDG.net's free daily newsletters

Search IDG.net in 12 languages

News Radio

Fusion audio primers

Computerworld Minute

The problem brought to light by the privacy organizations affects people with e-mail readers formatted in HTML, which includes popular programs such as MS Outlook, MS Outlook Express, Netscape Messenger, Eudora and Hotmail, according to the report, written by Richard Smith, a security consultant.

Many Web sites are set up to create a cookie, or unique serial number, on the PC of the person browsing. The cookie allows their surfing behavior to be traced, but it doesn't identify them. Smith said the latest use of cookies, however, is that they can be created when someone reads an unsolicited e-mail in a Web browser, and that is alarming because it means the user can be identified.

The cookie is created when users read an unsolicited e-mail with graphics in it, such as a banner advertisement off the Web, Smith said in a conference call. These banner ad companies typically "hide" the recipient's e-mail address in the Web address of the graphic, so that their servers can later match the cookie to the recipient's e-mail address, Smith said.

This information is often sold to spammers, or senders of unsolicited commercial e-mails.

"When you go to a Web site they will not only know your cookie, but also your e-mail address," Smith said. "Bottom line, you lose anonymity when you go to a Web site."

Smith said he hasn't discovered any companies that are abusing the information they gather. However, he added that the current cookie situation is disturbing nonetheless because it's difficult for the average consumer to know they are being "slipped a marked bill" that will identify them as they move around the Web.

Jason Catlett, president of Junkbusters, said he was also very disturbed by the new "Orwellian" use of cookies.

"It's intolerable that e-mail can be used to silently zap a name tag onto you that might be scanned by a site you visit later. It's like secretly bar-coding people with invisible ink," Catlett said.

He said the equivalent in the nonelectronic world would be a catalog that is sent to a home in an envelope with the ability to send out the recipient's address to other stores the minute the envelope is opened.

"They all find out that you opened the mail and they get an invisible tracking number, so if you go to a store ... that number is reported to them and they can build that information into a database," Catlett said.

Catlett said he expects both Microsoft and Netscape to close the loophole willingly. Nevertheless, he said, the petition was submitted to the FTC in order to make sure that the software companies do so.

Catlett also sees the petition as a test of the FTC's willingness to take the lead on the Internet. "If they don't act on this, it will show that they're asleep at the watch," Catlett said. "This is an opportunity for the FTC to show that they are alert."

Margret_Johnston is Washington correspondent for the IDG News Service. Keith Perine writes for The Industry Standard. Mary Lisbeth D'Amico of IDG News Service contributed to this story.