
Tracking logo found in Navy email to Navy Times amid leak investigation - Jerry2
https://www.militarytimes.com/2019/05/17/secret-tracking-device-found-in-navy-email-to-navy-times-amid-leak-investigation-raises-legal-ethical-questions/
======
TrueDuality
This article is making it seem like tracking pixels are illegal and require a
search warrant. This is definitively not the case. Search warrants are
required only when requesting that information from a third party or against a
person's will.

When through the normal course of using a technology you reveal information to
the government (in this case the military) they can use that information
against you.

Having an embedded image from a third party server in an email is well within
normal usage of email. Logging IP addresses of machines that access content on
a web server is also well within the normal usage of that server.

I'm also not sure what the journalist is afraid of in this case. Your IP
address reveals almost nothing about you beyond a rough physical location on
its own. Considering the Navy sent this email they already know WHO the
recipient is. From an editor or authors name I could most likely find what
city they live in with no extra help beyond Google.

There absolutely isn't anything illegal or even suspicious about this. If you
want to go absolutely crazy mad with paranoia maybe they could collude with
another federal agency to tap that network connection... but that is
INCREDIBLY unlikely for this.

~~~
ejfox
> The Navy email to Navy Times contained hidden computer coding designed to
> extract the IP address of the Navy Times computer network and to send that
> information back to a server located in San Diego. Under U.S. criminal law,
> authorities normally have to obtain a subpoena or court order to acquire IP
> addresses or other metadata. Not using one could be a violation of existing
> privacy laws, including the Electronic Communications Privacy Act.

They lay it out pretty clearly in the article. What you are describing might
be true for a private company, but that same behavior from a military branch
of our government is very different.

This is a really interesting area of law that I don't think has been settled.

One could argue that attaching this tracking pixel to an email is similar to
attaching a GPS tracker to a vehicle. In United States v Jones in 2012, the
supreme court ruled that placing a GPS device on violated the 4th amendment.

> "the Government's installation of a GPS device on a target's vehicle, and
> its use of that device to monitor the vehicle's movements, constitutes a
> 'search'"

Regardless of whether it was "well within normal usage of email" or not is
kind of irrelevant.

It is also very different coming from the government as opposed to a private
institution.

It is also very different to be targeting a news outlet (especially one that
has been critical of you!).

I would absolutely challenge you on both points - this is ABSOLUTELY
suspicious, and as they pointed out in the article, likely illegal – and I
haven't gone crazy mad with paranoia.

~~~
astura
>One could argue that attaching this tracking pixel to an email is similar to
attaching a GPS tracker to a vehicle. In United States v Jones in 2012, the
supreme court ruled that placing a GPS device on violated the 4th amendment.

One can't make this arguments based on the Jones ruling because Jones doesn't
apply in this situation. The entire reason why the court ruled that physically
attaching a GPS tracker to a car is against the fourth amendment is because
attaching the device involves physical trespass on a suspect's vehicle which
they considered part of his "personal effects." A tracking pixel doesn't have
the physical intrusion bit that the court found unconstitutional. In Jones the
court only addressed the physical intrusion, not the GPS data itself.

[https://en.wikipedia.org/wiki/United_States_v._Jones](https://en.wikipedia.org/wiki/United_States_v._Jones)

>Also left unanswered was the broader question surrounding the privacy
implications of a warrantless use of GPS data absent a physical intrusion – as
might occur, for example, with the electronic collection of GPS data from
wireless service providers or factory-installed vehicle tracking and
navigation services.[27] The Court left this to be decided in some future
case, saying, "It may be that achieving the same result through electronic
means, without an accompanying trespass, is an unconstitutional invasion of
privacy, but the present case does not require us to answer that
question."[36]

~~~
toyg
_> A tracking pixel doesn't have the physical intrusion bit_

It does trigger a request on the user's computer, which is a personal effect,
after effectively smuggling code onto it. Definitely a grey area.

~~~
aosmith
Just playing devils advocate... Isn't the (poorly configured) mail client
making the request?

~~~
swixmix
The real problem is that it is acceptable for lawyers to use email for
sensitive communications. Many lawyers just don't understand-- and don't want
to. The rules that allow them to practice forbid being nefarious.

(What I'd do is a different topic.)

~~~
pferde
My take on it is that the real problem is email software not making it clear-
as-day to the user that the message they are about to open is in fact a
webpage, and that they will be actively connecting to the World Wide Web to
load it, and potentially allowing third parties know that they have opened the
message.

Regular people won't make the mail <-> WWW connection in their head without
being told, nor should they be expected to.

------
mabbo
For anyone not following what was done here: they added a tracking pixel. This
is a single-pixel image with "src=<myserver>". You send it to someone and get
the IP address of everyone who opens the email because they download the
image. (This is why your email client asks if you want to open images).

It's not malware, really, and it can't harm a local computer that opens it.

But it is a sign that the prosecutors in this case believed the reporter would
forward the email on to their source, giving the prosecutors the IP address of
that person. And there is some question of whether that's ethical or not.

~~~
JohnFen
I'm really surprised that the recipients aren't following basic email security
protocols here: don't allow HTML rendering of emails, don't allow linked
images to be referenced and used, and don't open attachments that you weren't
expecting to receive.

~~~
dgzl
Are you really surprised though?

~~~
JohnFen
I am, although I know that I shouldn't be. I just would like to think that
people in professions that are more likely to attract attackers take more care
about these things than the average person.

~~~
dgzl
At the very least, you could chalk it up to human error.

------
remyp
Not only are tracking pixels an invasion of privacy, they've held up in court
as proof of receipt.

I helped build a product that blocks them at the enterprise level without
affecting the presentation of the message or requiring end user effort:
[https://messagecontrol.com](https://messagecontrol.com)

~~~
crooked-v
While this looks interesting and useful, there's no pricing info anywhere, so
I didn't bother sharing it with anyone at my workplace.

~~~
GordonS
They do say it's for the enterprise, and unfortunately "contact us" pricing is
par for the course. It is very annoying though - if I'm interested, I'll need
to email/phone. And if I email, nobody will tell me pricing until I speak to a
sales bod, at least once, until they figure out how much money they can likely
extract from us.

Folk selling B2B complain about the long time it takes to convert a lead to a
sale, to a PO, to a payment - but these slimey sales tactics are just as much
to blame.

------
papln
The issue here isn't about knowing whether the the recipient read the email,
which is not an interesting thing to spy on.

It's about the sender seeing whoever the recipient forwards the email to, and
about the sender seeing the recipient's network information (although that's a
hard sell because the recipient already advertised their network presence by
using email), and the use of non-HTTPS servers that could be compromised to
intercept traffic.

------
tedunangst
_“He was instructed that the embedded image contained a cyber-tool known as a
‘splunk’ tool,’ which can allow the originator full access to his computer,
and all the files on the computer,” according to a Portier defense motion
filed Tuesday._

What? How does a tracking pixel do that?

~~~
asspelunker
Are they... referring to a... _Splunk_ logging agent? I doubt it, but maybe
the JPEG packed a binary appended to the end of the image file?

Either way, if such were the case, this payload would need to rely on the
presence of, and thus exploit, some sort of vulnerability in whichever host
cached it. Not impossible, but not exactly a trivial maneuver.

If they had suspects in mind, and had an awareness of OS version and patch
level, it might be within the realm of possibility to land a working payload.

Furthermore, if they were targeting Navy personel, there might even be a level
of control to selectively enable a backdoor that permits a more advanced
outcome than would ordinarily be possible in the wild against random
individuals around the world.

Maybe the plan was to hit internal personnel with a specialized payload that
only affects Navy assets...

------
inetknght
Tracking peoples' email is no less of a violation of privacy.

Laymen do not understand that simply opening an email can be tracked via image
loading "secret pixels". I think that makes it an open secret.

~~~
jbob2000
In order for it to violate your privacy, it needs to take some kind of data
from you that is considered private. What data is a tracking pixel taking from
you?

The only thing a tracking pixel "takes" is the address of the computer that
downloaded it and the time it was downloaded. None of that is your private
information.

~~~
inetknght
> _What data is a tracking pixel taking from you?_

Let me just list a _few_ of the things that I consider private:

* The fact that I viewed the email in any way

* The fact that the email was opened on more than one date

* What IP address is assigned to me by my service provider

* What user-agent is used by me (and what version)

* Whether or not I share my IP with other email addresses

* Bandwidth information about my network

* Latency information about my network

> _None of that is your private information._

You are dead wrong on this point.

~~~
remyp
In addition to the above, many tracking services log your location and some
even measure how long you read the message for. They can also make a good
guess at whether you forwarded the message to someone else.

Even if you turn off images it's not always good enough: some trackers try to
load any external resource they can, like sounds and fonts.

~~~
inetknght
> _Even if you turn off images it 's not always good enough: some trackers try
> to load any external resource they can, like sounds and fonts._

Whoa. While that doesn't _surprise_ me, I didn't know about it. Can you
demonstrate it with various providers? Gmail, for instance?

~~~
remyp
Yep. Try sending an email using Yesware to Gmail.

------
cryptonector
Ah yes, this is a good reason to use text-based MUAs. Though it's not the
reason I use text-based MUAs. Another good reason is that HTML for e-mail is
horrible.

------
sys_64738
My credit card company has done this too. They sent a letter (via snail mail)
saying that my email address on file wasn't being read so they would rescind
my online account unless I verify the email address.

------
LinuxBender
Why was the military not forcing all traffic through a locked down and
monitored VPN? Red vs Black not a thing in military crypto any more? When did
this change?

------
chuckgreenman
There is a question as to whether it is legal or not, it is unequivocally
unethical.

~~~
torstenvl
If you're going to make an inflammatory claim like that, you should articulate
your basis. What ethics rule are you claiming was violated?

~~~
chuckgreenman
The prosecutors embedded a tracking image in an email that they sent to
journalists and the defense. It's not just for tracking to see if the
recipients have opened the email, but it could help them identify who the
email is forwarded to.

In this case, the journalists have confidential sources, they may forward that
email to them, which would leak the source's IP, which could reveal the
identity of the source.

A free and strong press is how we keep powerful institutions in check. It is
not an inflammatory statement to say that a reprisal by a government
institution that has been accused of doing something unethical is unethical.
It's just common sense.

~~~
torstenvl
I understand why you don't _like_ it. I asked why you think it's an ethical
violation.

In case you decide to answer that question eventually, the model ethics rules
are here:
[https://www.americanbar.org/groups/professional_responsibili...](https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/model_rules_of_professional_conduct_table_of_contents/)

I would really be interested in knowing which one you're alleging was
violated.

~~~
wgj
For the layperson, ethics is generally something we know when we see it.
That's not in bad faith.

IANAL, but clause (a) looks potentially applicable.

[https://www.americanbar.org/groups/professional_responsibili...](https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_4_4_respect_for_rights_of_third_persons/)

> or use methods of obtaining evidence that violate the legal rights of such a
> person

I don't expect to see this prosecutor disbarred, but one can still call out
the unethical behavior.

~~~
torstenvl
Okay, but that raises the question: what legal right do you think is being
violated?

I am not aware of a legal right not to receive e-mail with remote-loading
images.

------
luqven
Pixel tracking is literally everywhere, so assuming this was malicious is a
stretch.

However, if they can establish the navy did it expressly in the hopes this
email would be forwarded to a “leaker”, that might be a bigger deal

------
java-man
The government got away with warrantless widespread surveillance uncovered in
2013. It will get away with this too.

We (American people) essentially let it slide, and as a result, we deserve the
consequences.

------
redwards510
Wow, it's always funny when articles written for laymen dance around simple
technical terms with fluffy language ("device", really?).

I'm really curious if this would have been considered an issue if it was just
a visible header image like a logo. Does making it a single pixel make it more
illegal than a image in plain sight? Both perform exactly the same function
and both must be explicitly loaded by most email clients.

~~~
mjevans
They're probably following the legal description of the technology in
question, not the actual method.

~~~
suff
Pretty sure the press would bump their forehead on a journalism bar set that
high.

~~~
Retric
Journalists often use terms they don’t really understand in a context that’s
not quite appropriate.

~~~
mjevans
Someone who did understand probably explained it IN lawyers terms to them; it
may have been a tech-law focused lawyer they consulted on the ramifications,
or the journalist covering navy laws in question.

------
jbob2000
Oh my god, they think a tracking pixel is a "secret tracking device". Jesus
christ, get over yourselves, EVERY email has these in them...

~~~
dang
Could you please stop posting unsubstantive comments to Hacker News? That bit
of the title is the least interesting and least important thing to post about.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
java-man
From the article:

"The Navy email to Navy Times contained hidden computer coding designed to
extract the IP address of the Navy Times computer network and to send that
information back to a server located in San Diego. Under U.S. criminal law,
authorities normally have to obtain a subpoena or court order to acquire IP
addresses or other metadata. Not using one could be a violation of existing
privacy laws, including the Electronic Communications Privacy Act."

"“It is illegal for the government to use [the emails] in the way they did
without a warrant,” he said. “What this constitutes is a warrantless
surveillance of private citizens, including the media, by the military."

"Hicks would not state for the record whether the Navy obtained a search
warrant or subpoena in connection with the emails with tracking devices."

~~~
lwf
It's just a tracking pixel:

> “I am writing regarding your emails from yesterday, which contained an
> embedded image that was not contained in any of your previous emails,”
> Parlatore wrote. “At the risk of sounding paranoid, this image is not an
> attachment, but rather a link to an unsecured server which, if downloaded,
> can be used to track emails, including forwards. I would hope that you
> aren’t looking to track emails of defense counsel, so I wanted to make sure
> there wasn’t a security breach on your end. Given the leaks in this case, I
> am sure you can understand.”

~~~
JoshTriplett
> It's just a tracking pixel:

So? The mechanism doesn't ameliorate the issue.

The government is rightfully held to a higher standard when it comes to
information collection. Particularly when it comes to collection of
information from defense attorneys on an active case.

~~~
jbob2000
The tracking pixel doesn't provide any material information, it just tells you
that a certain computer downloaded the image at a certain time.

It doesn't tell you WHO downloaded the image (but you could deduce that if you
had other information, such as who was using the computer at the time it was
downloaded) and it doesn't tell you WHY that image was downloaded (was it
because an email was opened? Or was it because the email was scanned for
viruses?).

~~~
inetknght
> _The tracking pixel doesn 't provide any material information_

[https://www.dol.gov/general/ppii](https://www.dol.gov/general/ppii)

Email addresses are considered Personally-Identifiable Information even in the
United States (and certainly in the EU too).

Deduction of who downloaded the image is obscene and a violation of that
person's privacy.

Any correlation of email address information with any other information at all
could be considered a violation of that person's privacy: the IP address and
user-agent information alone is sufficient enough to point in the direction of
a malicious attack. And there are people who have some _serious_ safety
concerns: people who've been abused by significant others and are prone to
being victim to stalking or hacking is just _one_ example.

