
The HP scandal and IT security for journalists

Posted by Martin Stabe on 3 October 2006 at 11:06
Tags: Information Security, Journalism

Details of tactics used by computer firm Hewlett-Packard in the company’s effort to plug a boardroom leak continued to emerge this week during a Congressional committee hearing in Washington.

Some of the details highlight the growing need for journalists to be aware of the capabilities of corporate and government information security specialists seeking to uncover confidential sources whom journalists have pledged to protect.

In an effort to identify the sources of a board-level leak, private investigators acting for HP e-mailed a bogus tip to CNET News.com journalist Dawn Kawamoto, purportedly from a disgruntled HP employee.

The e-mail contained what has been referred to as a “tracer” or “web bug” provided by a company called ReadNotify. Anyone who opened the e-mail would have had their IP address revealed to the e-mail’s sender. That information could then be used to see what other communications have been sent to or from that address. The investigators apparently hoped that Kawamoto would forward the phoney message to her source.

The simplest explanation of the technique came from Richard Stiennon, an analyst with IT-Harvest, quoted in a piece by Gregg Keizer on TechWeb’s IT security site, Dark Reading.

“Technically, a tracer isn’t spyware because it’s not software,” Stiennon told Dark Reading.

“A tracer is usually a 1-by-1-pixel image embedded in an HTML message. The image resides on a server, so that when the recipient views the message, there’s an entry in the server log that the image was downloaded. It would tell them who viewed that message, or at least their IP address,” he explained.

The technique has long been used by online publishers — including CNET — to trace the readership of their e-mail newsletters. But it is also used by spammers to identify active e-mail addresses. Because of this, many modern e-mail packages allow users to block images from remote servers.
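The check behind that remote-image blocking, as an added example that is not part of the original post: it lists every image in an HTML message that would be fetched from a remote server and marks the 1-by-1 ones Stiennon describes. The sample message, addresses and host names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the e-mail from the HP case).
SAMPLE_EML = """\
From: tipster@example.org
To: reporter@example.com
Subject: Tip
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>See the strategy notes below.</p>
<img src="cid:logo123" width="120" height="40">
<img src="https://tracker.example.net/open.gif?id=abc123" width="1" height="1">
<img src="http://cdn.example.net/banner.png" width="600" height="80">
</body></html>
"""

class ImgFinder(HTMLParser):
    """Collect every <img> whose src would be fetched from a remote server."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        url = urlparse(src)
        if url.scheme.lower() not in ("http", "https"):
            return  # cid: and data: images travel inside the message itself
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        # Any remote fetch exposes the reader's IP address; "tiny" only marks the classic web bug.
        self.remote.append({"src": src, "host": url.hostname, "tiny": tiny})

def find_remote_images(raw):
    """Return the remote images found in all text/html parts of a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            p = ImgFinder()
            p.feed(part.get_content())
            found.extend(p.remote)
    return found
```

Both remote images in the sample would produce a server log entry when the message is viewed, which is why mail clients block all remote images rather than only the 1-by-1 ones.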

It’s certainly not illegal in California, where all this occurred.

“Regardless of whether it is legally defensible, on an ethical level, using Web bugs to track a reporter is troubling,” Kurt Opsahl, a lawyer at the Electronic Frontier Foundation, told the San Jose Mercury News.

Equally “troubling” is that HP’s investigators obtained the telephone records of both Kawamoto and her colleague Tom Krazit. The congressional investigation has also revealed that the company had monitored instant message exchanges between an HP employee and Wall Street Journal reporter Pui-Wing Tam.

The possibility of placing spies, possibly hired as cleaners, in the San Francisco offices of the Wall Street Journal and CNET was apparently discussed at an HP meeting, although the idea was rejected.

Lessons learned for journalists? Work e-mail, instant messages and telephones are not secure methods for communicating with sources who have been promised confidentiality, and journalists have a duty to know this when making such guarantees.

See also: Protecting sources online
