cat brain.log | less

Getting it down on `paper`

Your Emails are Public Domain

Here’s a scary little bit of information I uncovered by accident. I own and operate a local server. I don’t advertise its existence, as it’s primarily used as a local file server, backup, and job processing machine. One of my “constituents” had asked for some data that I happened to have archived a while back. I placed the data on this server, generated a unique URL so that this person could access the data, and then I emailed the URL to him. The email address is an “” address.

I’m scrolling through my apache error logs, when I notice a 404 for a lower-case version of the unique URL described above. When I traceroute the location of access, I notice the access came from an MSN machine in a different location than the person I had intended to send the link to. The intended recipient had not left the state, let alone city, so it’s impossible that the accessor of the link is the intended recipient. I know that this person has not forwarded or shared the URL, and I’m fairly confident that there is no spyware on this person’s computer.

The only logical explanation is that MSN (hotmail) is skimming emails, harvesting URLs to populate the Microsoft search engine.

If the above explanation holds, there are two very big problems with this practice. First, it’s a violation of user privacy. Second, it’s a security risk. Imagine if the custom URL had an email address embedded in it? Or worse, some confidential data. Since the MSN link harvester followed the URL, it has unsuspectingly provided this private data to 3rd party machine via http server logs.

Want to embarrass someone? Send an email to someone with an address, where the body of the message is  a bunch of URLs to sites of ill repute.  Include a url parameter implicating various members of congress (or other organization).  Have site’s records subpoenaed/published (perhaps a bit tricky, unless you happen to own the site of ill repute).  Let important persons attempt to explain how their credentials ended up in site’s records.

I do not recommend this, but maybe someone will finally hold Microsoft accountable for its invasion of privacy.

TL;DR I emailed a URL to a friend with an email address, an MSN bot followed the URL. does not protect its users’ privacy.

EDIT: It was brought to my attention that I have overlooked the possibility of clicked links being tracked and followed.  This would be similar to the BingGate scandal from a few weeks ago.  Refutation: Bing is only tracking visited content.



No comments so far.

(comments are closed)