Cybersite

Security expert Richard M. Smith of Brookline, Mass., said 8220;Web browser cookies and e-mail messages don8217;t mix. Web surfing is supposed to be anonymous, but with the cookie leak security hole, companies can easily match our e-mail addresses to the Web sites we visit. I hope that Netscape, Microsoft and other software makers will quickly patch this hole.8221; Smith also sent a report to the FTC this week detailing the technical details of how companies do this, which is now available at tiac.net/users/smiths/privacy/cookleak.htm on the Web.

Many e-mail readers display e-mail messages using a Web browser. If the message contains graphics retrieved from the web when the mail is opened, the loophole allows the recipient to be assigned a unique serial number in a cookie8217;, which will later be silently transmitted as the recipient surfs the Web. Many companies encode the recipient8217;s e-mail address in the URL web address of the graphic, so that their servers can match the cookie to the e-mail address.

Jason Catlett, President of Junkbusters Corp. said, 8220;Cookie leaks are the bug from spammers that keeps on bugging. It8217;s intolerable that e-mail can be used to silently zap a nametag on to you that might be scanned by a site you visit later. It8217;s like secretly barcoding people with invisible ink.8221;At the FTC8217;s hearings on online profiling last month, privacy groups called for an immediate halt to the practice. Andrew Shen, Policy Analyst at the Electronic Privacy Information Center EPIC said that 8220;The lack of government action continues to place the average user unaware of the tracking and surveillance technologies at work at the mercy of companies that often abuse their privacy.8221;

Excerpted from the archives of the Electronic Frontier Foundation eff.org