Privacy hounds, take note. It just got harder to keep your e-mail confidential. With certain e-mail programs, composers of messages can now get copies of replies and forwarded messages secretly bounced back to them.

Let us say opposing counsel sends you a confidential settlement proposal. You forward it to your client. If your opponent is sufficiently fluent in a basic programming language called JavaScript, he might be able to program his e-mail so that a copy of your forwarded e-mail gets delivered to him as soon as you send it. He or she will know to whom you forwarded the proposal within the company and your comments about it.

This devious trick has earned the nickname “e-mail wiretapping” by the Denver-based Privacy Foundation. And like most hacker-like activities, it is quickly gaining prevalence.

The exploit only works in certain instances. The e-mail must be written in HTML, the Web language that allows formatting like bold, italicized and centered text. The recipient must also be using an e-mail program with JavaScript enabled. If these conditions are met, it is easy to bug an e-mail with a few lines of relatively simple JavaScript coding. Portions of the code have now been published, albeit in a primitive form.

The e-mail programs most likely to be affected are Microsoft Outlook and Outlook Express, Netscape 6 Mail, America Online 6.0 and newer versions of Eudora. Other e-mail programs that use the Internet Explorer Web browser to generate HTML coding also might be vulnerable. The Microsoft and Netscape e-mail readers are most at risk. They generally have JavaScript enabled by default. If you have any of these e-mail programs installed, it would be prudent to double-check your JavaScript setting.

The Privacy Foundation has posted the instructions for disabling JavaScript in selected programs at

In response to this alert, Microsoft stated that the newest version of Outlook Express comes with JavaScript disabled by default, and already has issued an Outlook patch that provides additional levels of protection against malicious e-mail messages.

MILLIONS VULNERABLE

But this also means that there are probably millions of copies of Outlook and Outlook Express already installed and in use. And unless the user has disabled the JavaScript feature, he or she is vulnerable to this exploit. The Privacy Foundation says that Hotmail and other Web-based e-mail providers automatically remove the JavaScript elements from incoming messages, and therefore are not vulnerable to this particular snag.

But here is the real catch: Security is very much a process — not a product or a simple JavaScript on/off checkbox. A security system is only as strong as its weakest link. Even if recipients turn off JavaScript in their own e-mail program, their e-mail is still at risk of being disclosed to the original sender. This happens when they send the bugged e-mail to another person who also uses a JavaScript-enabled e-mail program such as Outlook. As soon as their reply is read, it sends off e-mail to the original sender, including the added comments the sender presumably thought safe. The immense (and disturbing) problem is that one’s e-mail security depends entirely on the JavaScript setting of every single person in the overall chain of e-mails.

Education is a primary means of defense here. Attorneys and their clients, co-counsel and others that they deal with need to know that all parties have JavaScript disabled in their e-mail programs. They should probably also simply send their e-mail out as text, rather than in the fancier HTML-formatted version. This solution has the added benefit of ensuring that the e-mail is compatible with older e-mail systems that may not support HTML formatting.

In case you are thinking that you yourself may want to create and send bugged e-mails, do not: The activity likely is against the law. Courts have not yet explored the issue at any length. But Philip Gordon, an attorney with Horowitz & Wake in Denver, is a fellow of the Privacy Foundation and an expert in wiretap law. Gordon notes that “Any lawyer (or their client) considering using the e-mail wiretap in their practice is at risk of violating the federal wiretap law.” In a posting on the Privacy Foundation’s Web site, Gordon stated that in addition to the federal wiretapping laws, sending such a message could also violate the Computer Fraud and Abuse Act. The sender could also face liability under state civil and criminal laws.

With simple programming tools such as JavaScript, expensive wiretapping hardware is not necessary to track and view the responses to one’s e-mail. This should be enough to make all of us a bit more cautious as we click the send button.

Jeffrey Beard is a legal technologist with Quarles & Brady in Milwaukee, Wis.
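The two defenses the article describes, removing JavaScript elements from incoming messages and sending mail as text rather than HTML, can be combined in a filter that runs before a message is displayed or forwarded. The following is an added example, not code from the article or the Privacy Foundation; the sample message and the names `ActiveContentStripper` and `to_plain_text` are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not from the article): HTML mail with active content.
SAMPLE = """\
From: sender@example.com
To: recipient@example.com
Subject: Settlement proposal
Content-Type: text/html; charset="utf-8"

<html><body onload="report()">
<p>Please review the <b>attached</b> terms.</p>
<script>function report() { /* active content */ }</script>
<a href="javascript:report()">details</a>
</body></html>
"""

class ActiveContentStripper(HTMLParser):
    """Collects visible text and records every piece of active content seen."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.findings, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1  # drop everything until the matching end tag
            if tag == "script":
                self.findings.append("<script> element")
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())

def to_plain_text(raw_message):
    """Return (plain_text, findings) for the text/html parts of a raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    stripper = ActiveContentStripper()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            stripper.feed(part.get_content())
    stripper.close()
    return " ".join(stripper.text), stripper.findings
```

Forwarding only the returned plain text means no script travels further down the chain, regardless of how the next recipient's mail program is configured.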

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.