Web bugs can track MS documents, says privacy group

Some Microsoft Corp. software has the potential to track documents sent through the Internet, providing information to the sender that identifies the recipient, according to a Denver-based privacy research organization.

Using so-called “Web bugs,” the author of a file created with some Microsoft products, including Word, Excel and PowerPoint, can track those files when they are sent through the Internet via e-mail, and report back to the author where and how often the document is read, according to the Privacy Foundation.

A Web bug is a graphic element on a Web page or in an e-mail message that is designed to monitor who’s reading the Web page or e-mail message. Web bugs are often invisible because they are typically only one-by-one pixel in size, about the size of a period at the end of a sentence, and they are also transparent.

The tracking potential occurs when a file sent through the Internet contains an image file located on a remote Web server. If the document contains a Web bug, a signal will be sent back to the document author, said Richard Smith, chief technology officer at the Privacy Foundation.

The signal, obtained through server logs, will contain the IP address from which the sender can retrieve the host name of the computer.

In addition, if the bugged document is forwarded to and opened by other computers, it can send back the Internet address and host names of those computers to the sender, Smith said.

The Privacy Foundation said its findings could have broad implications for businesses and other agencies that might decide to use this tracking ability. It could also affect individuals who are unlikely to know that the document they are reading is communicating back to the author through the Internet.

“For example, a public-relations firm that sends out a press release in a Word document via e-mail could use a Web bug to see how many reporters are reading the document,” Smith said.

Smith said other potential uses for document Web bugs include tracking the path of confidential files and detecting copyright infringement.

But Smith acknowledged that, to date, he isn’t aware of any companies, including Microsoft, that are using Web bugs in that way.

However, Microsoft spokeswoman Tonya Klause said the information released by the foundation was “misleading.”

“This isn’t a Microsoft issue, it’s an [Internet] issue. Any Web-enabled application [or vendor’s operating system] can be subject to this feature,” Klause said. “It was misleading to pinpoint one particular [company’s] software.”

Smith agreed, saying that the same problem could exist in any file format that supports automatic linking to Web pages or images.

Andrew Shen, a policy analyst at the Washington-based Electronic Privacy Information Center, a public interest research organization, said that although people should be aware of this issue, it isn’t widespread.

“There is no evidence that Microsoft or any other company is using this capability,” Shen said. “But now [that the word is out], maybe companies will start doing that.”

But Paul Graves, a spokesman for Interhack Corp., a security consulting firm in Columbus, Ohio, was less forgiving of Microsoft.

“It is definitely alarming that a Word document would be used in that way,” Graves said. “But the fact that Microsoft has holes in its applications that could be exploited comes as no surprise, because in order to give ease of use to its end users, Microsoft doesn’t cover its tracks.”