Un-Script Me

By Charles Miller

Last week in this column, I introduced readers to a newly available service called “Email Protection” provided free of charge by the folks at DuckDuckGo, the Internet privacy company that empowers you to seamlessly take control of your personal information online without any tradeoffs. A logical question might be, “Why should I ever need to bother to use the ‘Email Protection’ service?” A not-so-hypothetical example could be the following:

In your inbox there appears a spam email or an email from the store from which you ordered something years ago. You click on the email, not knowing that hidden from view the email includes a script that executes when the email is opened. The script hidden inside that email instantly telegraphs an alert to the boiler room of a far-off telemarketing center. The message appearing on the screen of a telemarketer reads, “Jane Doe, phone number 555 543 6789, just opened the advertising email and spent 34 seconds reading it.” Now the telemarketer has been handed some valuable inside information: you just spent half a minute reading the email, you did not delete it in the first five seconds, you were home when you opened the email, and you are most likely still at home near the phone if they call you right away. You see, it is not always a coincidence when some telemarketer calls you right after you saw their spam email.

Another scenario could be that when you read an email, you might not necessarily want the sender of that email to know where you are in real-time. But a hidden script could easily telegraph the message, «The email was opened 2:47pm on a smart phone located at coordinates 20°54’51.5”N 100°44’37.1”W.» The sender of the email would then know which bench you were sitting on in the Jardin in San Miguel de Allende when you opened their email. There are many reasons why you might not want your location known, not the least of which is letting would-be burglars know when you are away from home and your house might be unoccupied.

Apart from possible benefits of removing scripts from your emails, simply creating a unique email address, and giving that one to your bank easily gives you better security. After you do that, any time you receive an email (allegedly) from your bank, it should have been sent to the unique email you created for the bank. Any email (allegedly) from your bank but sent to your regular email address and NOT the unique address should alert you that the email is a fake.

Last week I suggested that interested users point their browser to the website duckduckgo.com/email/ then follow the instructions to protect their existing email address. On this website you, can take advantage of the free email service that removes advertising and tracking scripts from your emails. The best thing about this service is that it allows you to continue using your existing email address while filtering any senders who might be sneaking hidden scripts into the emails they send you.

Charles Miller is a freelance computer consultant, a frequent visitor to San Miguel since 1981, and now practically a full-time resident.  He may be contacted at 415 101 8528 or email FAQ8@SMAguru.com.