Computer Crime Research Center

Who's spying on my Hotmail?
(By Bob Sullivan)

Aug. 28 - Think using Yahoo or Hotmail e-mail at work protects you from your boss's prying eyes? Think again. New spy software essentially lets employers or parents co-pilot virtually any kind of e-mail account, including private Web-based e-mail accounts like Yahoo and Hotmail. A new version of eBlaster spyware will secretly forward all e-mail coming and going through such Web-based accounts to a spy's e-mail, allowing anyone to ride-along even the supposedly private e-mail.

SPYWARE FIRM SpectorSoft Corp., which makes eBlaster, is hardly a stranger to controversy. But the new e-mail monitoring technology, which company president Doug Fowler described as "almost a wiretap," is sure to stir even more.

It's common for office workers to keep personal matters out of corporate e-mail; many set up free Web-based e-mail accounts at Hotmail or Yahoo to help separate work and private affairs. But eBlaster 3.0, released Wednesday by SpectorSoft, makes it easy for employers or other interested voyeurs to read all e-mail going in and out of almost any kind of e-mail account.

"What our customers have asked for more than anything is the ability to capture e-mails, specifically Web-based e-mails like Hotmail," Fowler said. "We knew that's what our people wanted."

Fowler wouldn't describe particulars about how the technology worked, but said essentially that the moment a spy subject sends or receives an e-mail, a copy of the correspondence is forwarded to the spy. As an example, SpectorSoft public relations representative Kasey Sellati showed MSNBC.com a note that was written by her daughter at home and forwarded to Sellati's work e-mail.

"Mrs. LaFrance," Shay Sellati's note to a teacher read. "Hi, this is Shay. I was just wondering if you'll be in your room tomorrow morning. I'm going to come on Thursday, but I just wanted to see if I could get help tomorrow also for the test on Thursday. Thanks!"

eBlaster also works on POP3 accounts, used by many Internet Service Providers, AOL e-mail, and Microsoft Exchange e-mail systems.

"It works on virtually any kind of email, except for some of the smaller Web-based e-mail services," Fowler said.

Fowler said the software would be useful for parents who want to watch their children's e-mail activity in the early afternoon hours, when children are home from school but parents are still at work. Law enforcement agencies are also interested, he said; Web-based e-mail like Hotmail was used extensively by the hijackers who planned the Sept. 11 attacks, sometimes in public libraries.

"If our software had been installed in that library it would have recorded that Hotmail," he said.

But word of the software's new feature disturbed privacy advocate Richard Smith of ComputerBytesMan.com, and he suggested potential users think twice before installing the software.

"This is e-mail wiretapping," Smith said. "I would put up a big warning flag. Anybody who would consider buying this product should check with a lawyer first. There is a high probability it runs afoul of the Electronic Communications Privacy Act. I would not take the company's word that it's legal." Enacted in 1986, the Electronic Communications Privacy Act prohibits interception and disclosure of wire, oral, or electronic communications in most cases.

Spyware like that produced by SpectorSoft and competitor WinWhatWhere Corp. has not yet faced a definitive courtroom test. But David Sobel, general counsel of the Electronic Privacy Information Center, equated a private Web-based e-mail account with an employee receiving a personal letter through the company mailroom. The contents of such a letter are protected by U.S. mail regulations.

"The question is: Is there a reasonable expectation of privacy? I would argue that if a company.com account is provided to me for company business, I can assume it might be subject to monitoring ... but if I take the additional step to set up a Hotmail account that I occasionally access from my desktop at work, I think that could be construed as an expression of an expectation of privacy."

Nevertheless, the spyware makers generally argue that employers have the right to observe anything that happens on company-owned computers.

"There's no question there's a controversial aspect to all this," Fowler said. "My advice to (employees): anything they are doing using company computers they should expect the employer may have a way to find out what's going on there." Fowler said his firm regularly advises customers to inform employees that all their activity is being monitored.

But Richard Eaton, president of competitor WinWhatWhere, has regularly accused SpectorSoft of targeting the suspicious husbands and wives market where the software is used secretly to catch a potentially cheating spouse in the act. That kind of surreptitious e-mail monitoring would be more likely to run afoul of wiretap laws. But even in that case, Sobel said, wiretap laws are very technology specific, and a judge wouldn't be able to rule on the legality of the software without knowing exact particulars about how the technology works. SpectorSoft would only provide a general sketch of its e-mail forwarding technology. So the legal status of eBlaster won't be determined until someone sues, Sobel said.

In the meantime, Eaton argues this is much ado about nothing. For years, he said, products like WinWhatWhere have been able to capture every keystroke a user types at a computer, or take screen shots at regular intervals of everything a computer user does. That would include logging Web-based e-mail activity.

"Whoop-de-do," Eaton said when told about eBlaster's new feature. "They are forwarding (the e-mail) on immediately. Ours shows up in the report you get every day, or every hour, however often you want it."

Source: Snipurl.com


Copyright © Computer Crime Research Center 2001, 2002 All Rights Reserved.