Dave Weinberger had a post the other day about the rapid decay of the Internet and I have just come upon some more evidence of it.
If you go to Google and enter "define: spyware", among the answers you get is
gathers information about Internet users without their knowledge or consent and delivers that information to advertisers or others who have access to the information.
Yup, that's about what I thought. So Yesterday a mate calls up, all excited, and tells me about this new product he has bought, - called MSGTAG.
Their website crows about their product, telling us
Everybody loves email. It's cheap, easy and instant. But how many times do you find yourself wondering what happened to your messages? You send an email out into the Internet, then wait patiently for a reply. But will it get there? Will they read it? When will they read it? And will it be too late? Where's the reply? Are they still checking that account? Are they on holiday? Should you just wait a little longer? What's the story?
Shall we look at how they fix it then?
Message tags take the uncertainty out of email by allowing you to deliver messages, instead of just sending them. MSGTAG is a new desktop application that tells you when your emails have been received and opened. It works alongside your existing mail program, sending you an email the moment your message is viewed — just to let you know. MSGTAG simply lets you know they've got the message. So now you don't have to wonder, because you'll know.
But hang on, how is that any different from adding a recipt to any email I send, you know, the annoying little dialogue that pops up and asks whether it can tell the sender that you have received their email?
How is MSGTAG different from the read receipts you already get in Outlook and other email programs?
Unlike traditional read receipts, MSGTAG doesn't hassle your recipient with pop-up boxes — it's completely automatic — and you can send tagged messages to practically any email address, including Hotmail and Yahoo addresses.
How kind of them NOT TO HASSLE ME!
It's unobtrusive.
MSGTAG runs in the background while you send your email as usual. This means that you don't have to write your message into a strange little box, or alter email addresses before you send anything. One of the best things about MSGTAG is that your friends don't need to do anything different either. There are no annoying pop-up windows asking them to send a notification back to you — all they see is a small MSGTAG footer stating that you've been notified of them having received the message.
So, what does the sender get out of this? Here's a notification
A message you sent has been read by its recipient.
Message to: "Earl Mardle" <earl.mardle@kn.com.au>
Subject: MSTAG Footer OFF
Sent: 2005-12-08 00:44:16 UTC
Received: 2005-12-08 01:12:10 UTC
Elapsed time: 27 minutes, 54 seconds
Notice that this is the Paid Version and the MSGTAG Footer is off. What does that mean?. Well, when the footer is ON, at least I, as the recipient, get this text at the bottom of the email
MSGTAG has notified the sender that you have read this message.
So, you get my email address, attach this crap to it and, by hijacking my machine, without my knowledge or permission, sends a confirmation to the sender that I have opened the email.
NOT WITHOUT A FIGHT YOU DON'T
There's a word for this Spyware. Their so-called Privacy policy says
MSGTAG facility
The Software uses the MSGTAG service to determine whether an e-mail that has been tagged by the Software has been received by the intended recipient. In order to achieve this, MSGTAG must store the subject, message ID, message recipient, date sent, and MSGTAG account name of the sender for each e-mail tagged by the Software. If tagging is disabled in the application, MSGTAG does not store this information. MSGTAG will not sell, share or rent this information to any other parties.At no stage in the MSGTAG process does the actual content of your e-mail get recorded. The only people who will read your e-mail are the intended recipient and you.
At no stage in the MSGTAG process does the company talk about their commitment to the privacy of the recipient, only their direct customers and, for a business that runs a spyware tool, how much credibility does their privacy policy actually have?
BUT WAIT, HERE'S MORE
I wrote to these guys and asked them the following.
MSGTAG Web Site wrote:
>
> Feedback from MSGTAG contact page, submitted at 01:20:59 08 Dec 2005.
>
> Name: Earl Mardle
>
> Email: earl.mardle@kn.com.au
>
> Product: None
>
> Comment:
> I am interested in the process. What changes does MSGTAG make to my machine or operating software when I receive an email from a MSGTAG user?
> What rights do I have to refuse to allow that confirmation to be sent?
Hi Earl,
Thanks for your email. MSGTAG makes no changes to your computer / OS when you receive an email. To send a MSGTAG tagged email, you'll need a copy of the MSGTAG application.
Recipients can refuse Mutual Mail style tags. This means that the sender doesn't receive notification, however the recipient cannot read the sent email.
Simon Young
MSGTAG Tech Support
http://www.msgtag.com/
MSGTAG has notified the sender that this message has been read.
No virus found in this incoming message.
Checked by AVG Free Edition.
Uhuh, so the tool makes no changes to my computer/OS does it? Then how does it manage to send a message back to their servers without telling me? Something gets changed. My mate Dave explains that it changes something about the way emails are routed and adds a step via Localhost (don't ask me, I'm not a techie) [See the next post for th ecret to this] which then allows it to send the message without hassling me.
The Mutual Mail product he refers to is perfectly fine by me, it refuses to allow me to open an email without me consenting to the receipt being sent. Fine, no problem, I'm, you know, hassled by the system to do something, to make a decision.
This tool enables a remote user to cause my computer to perform actions that I have no control over and that I may not want to happen. What;s more, it doesn't tell me what it is doing, in the free version it informs me that it has acted but in the paid version, the sender can turn that off. The recipient, however, is powerless.
A breach of ethics, a breach of privacy and a breach of trust, all in one.
BUT WAIT, THERE'S MORE
Instead of the receipt being sent direct to the sender, which would be bad enough, these turkeys insert themselves into the traffic stream, the recipt, goes to their servers and is then forwarded to the sender. They assure the sender that "At no stage in the MSGTAG process does the actual content of your e-mail get recorded. The only people who will read your e-mail are the intended recipient and you."
Mhmm, and I am supposed to trust them because? They already hijack my machine, they [OK, they don't hijack the machine, just the trusting relationship] already breach my privacy and trust and they expect me to believe that? And they may not do so right now, but there is nothing that says one of their people doesn't modify the tag to pick up a few other goodies on the way, like my address book, or the content of the email, and at the very least they are watching traffic when they don't have to.
And, by the way, since I have no contract with them, they appear to believe that they have no obligations to me, and that I have no call on them, and that my privacy and control of my machine and my trust in my email client are all negotiable for $50
Oh, this company wants you to trust them with your emails, and wants everyone to trust them with the receipts, so you'd expect them to be You know, the kind of company that proudly tells the world who it is and what it stands for by putting their full contact details on the home page, where you can find them easily.
But if you want to find them, you have to burrow down to the bottom of the press release. Yeah, every trustworthy business on the net puts its contact details down there, works like a charm.
Contact details
Simon Young
Fisher Young Group Limited
PO Box 13 945
Christchurch
New Zealand
Holy cow, a New Zealander, now I am ashamed.
email: simon.young@fisheryoung.com
direct phone: +64 21 790 077
website: www.msgtag.com
So, to sum up, we have an unknown, and in principle, unknowable number of customers running this software sending god knows how many emails to thousands, tens of thousands, millions of people who are having their email spied on, the information sent, Via MSGTAGs servers, without their involvement, knowledge or consent. Their email clients are being induced to send messages that the users don't and can't know about and in the process there is a massive breach of trust being perpetrated between correspondents and in the system.
Nice one boys. The sooner that gets broken the better.
First stop is here, if you feel like raising the issue, go ahead. Me I'm off to the NZ Government regulator I think, maybe the cops, probably Slashdot.
Then its Eudora, MS, Pegasus and any bother email clients, firewall and anti-virus people. In the meantime, if you give a damn, take up the cudgels.
I haven't seen those emails, but in all likelihood, all it does is tack a call to a "web bug" (a 1x1 transparent GIF with a tracking ID in the URL) at the bottom of the HTML variant of the email, just as DoubleClick will put tracking pixels on web pages.
Most of the better email clients, including Mac OS X's Mail.app and recent versions of Outlook have an option to not download images in an email until instructed to do so. That option pretty much takes care of web bugs. An alternative would be to use a text-only email client.
Posted by: Fazal Majid | December 09, 2005 at 04:32 PM
Could be worse .. you could live in France and have to deal with this.
And then there's the telco's agressive push these days to suggest that completely own the pipes.
Bad month in the forward life of the Internet, I guess.
Posted by: Jon Husband | December 10, 2005 at 08:47 PM
Erm - I think that's a typepad stat counter at the bottom of your page code?
I ask because, looking over the rest of their site, what they seem to be doing is using one or other of the tricks web stat counters, except with HTML email.
Now, web stat collection does have all the problems you mention above - I once left a comment on a blog and they responded by telling the world what I'd looked at while I was there.
But web counters are also normal and - if you're informed - expected.
In principle this isn't much worse.
You can't actually use the internet if you don't accept people's privacy statements, and it's pretty clear to me that they really don't have the actual emails available to them.
If you're concerned for your own sake - not just about this but about anything similar - get an email client you can set for text only. Of course, that might hamper your enjoyment of your email a bit.
And tick all those boxes in your browser security.
Posted by: lyndon | December 16, 2005 at 02:23 PM
I got Msgtag simply because a significant number of my important e-mails get gobbled up by spam filters in transit. I put "I'm using Msgtag to confirm that my e-mails are getting through" in the fully-visible footer so everyone knew I was using it, and why.
It's all pretty academic because it's totally unreliable. Most e-mail clients won't download the .gif images by default. I tried to get even a partial refund of what I paid for Msgtag Status 2, and Msgtag refused. I've done a web page with all e-mail communications between me and them as a warning to others.
Posted by: Bob | March 30, 2007 at 04:01 AM
Ok, so what can we do, what can we install, to prevent these trespassers from getting those invasive receipts? How can we prevent them from hijacking our email?
Wendy
Posted by: Wendy | July 03, 2007 at 04:33 AM
Wendy.
I use Eudora, which lets me turn off the auto download of images. It still dispalys any images embedded in the email, but doesn't call for the images from the server when you open the email. Other email software has the same options though I'm not sure where.
Many are automatically configured not to call for the images in the first place, which these guys know, (they said so in an email to me) so they are not merely inclined to invade people's privacy, they are also ripping off gullible people for a service that essentially they cannot guarantee to deliver anyway.
Posted by: Earl Mardle | July 03, 2007 at 10:18 AM
I found that people with an obligation to respond to email often fail to do so because they find it convenient for ducking their responsibility. Then lie about having ever received the email. MSTAG provided me with a way to determine whether my message actually got through. I don't feel guilty at all.
Posted by: nick sodano | September 16, 2007 at 12:38 AM
Nick,
Define obligation to respond.
How do you negotiate that obligation? How do you do it by snail mail?
BTW, the system wouldn't work with me because I have turned off images, could you sue me for breach of obligation to respond?
Posted by: Earl Mardle | September 16, 2007 at 09:04 AM