Contents 3/16/01

'Bugging' Someone's E-mail Is Quickly Catching On.

Harvard makes a case study of venture law.

'Bugging' Someone's E-mail Is Quickly Catching On

By Jeffrey Beard, American Lawyer Media, March 15, 2001

Privacy hounds, take note. It just got harder to keep your e-mail confidential. With certain e-mail programs, composers of messages can now get copies of replies and forwarded messages secretly bounced back to them.

Let's say opposing counsel sends you a confidential settlement proposal. You forward it to your client. If your opponent is sufficiently fluent in a basic programming language called JavaScript, he might be able to program his e-mail so that a copy of your forwarded e-mail gets delivered to him as soon as you send it. He or she will know to whom you forwarded the proposal within the company and your comments about it.

The Denver-based Privacy Foundation has nicknamed this devious trick "e-mail wiretapping." And like most hacker-like activities, it's quickly gaining prevalence.

The exploit only works in certain instances. The e-mail must be written in HTML, the Web language that allows formatting like bold, italicized and centered text. The recipient must also be using an e-mail program with JavaScript enabled.

If these conditions are met, it's easy to bug an e-mail with a few lines of relatively simple JavaScript coding. Portions of the code have now been published, albeit in a primitive form.

The e-mail programs most likely to be affected are Microsoft Outlook and Outlook Express, Netscape 6 Mail, America Online 6.0 and newer versions of Eudora. Other e-mail programs that use the Internet Explorer Web browser to generate HTML coding also might be vulnerable.

The Microsoft and Netscape e-mail readers are most at risk. They generally have JavaScript enabled by default.

If you have any of these e-mail programs installed, it would be prudent to double-check your JavaScript setting. The Privacy Foundation has posted the instructions for disabling JavaScript in selected programs at

In response to this alert, Microsoft stated that the newest version of Outlook Express comes with JavaScript disabled by default, and already has issued an Outlook patch that provides additional levels of protection against malicious e-mail messages.

But this also means that there are probably millions of copies of Outlook and Outlook Express already installed and in use. And unless the user has disabled the JavaScript feature, he or she is vulnerable to this exploit. The Privacy Foundation says that Hotmail and other Web-based e-mail providers automatically remove the JavaScript elements from incoming messages, and therefore are not vulnerable to this particular snag.

But here's the real catch: Security is very much a process, not a product or a simple JavaScript on/off checkbox. A security system is only as strong as its weakest link. Even if recipients turn off JavaScript in their own e-mail program, their e-mail is still at risk of being disclosed to the original sender.

This happens when they send the bugged e-mail to another person who also uses a JavaScript-enabled e-mail program such as Outlook. As soon as their reply is read, it sends off e-mail to the original sender, including the added comments the sender presumably thought safe. The immense (and disturbing) problem is that one's e-mail security depends entirely on the JavaScript setting of every single person in the overall chain of e-mails.

Education is a primary means of defense here. Attorneys and their clients, co-counsel and others that they deal with need to know that all parties have JavaScript disabled in their e-mail programs. They should probably also simply send their e-mail out as text, rather than in the fancier HTML-formatted version. This solution has the added benefit of ensuring that the e-mail is compatible with older e-mail systems that may not support HTML formatting.
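The two defenses described above (removing JavaScript elements, as the Web-based providers do, and sending text rather than HTML) can be checked mechanically before a message is replied to or forwarded. The following Python code is an added example, not code from the article or the Privacy Foundation; the class and function names and the sample message are constructed for illustration, and it looks only for script elements, on* event-handler attributes and javascript: URLs.

```python
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser

class ActiveContentScanner(HTMLParser):
    """Records script-capable constructs and the visible text of an HTML body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self.text, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1          # contents are code or CSS, not message text
            if tag == "script":
                self.findings.append("<script> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())

def scan_message(raw):
    """Return (findings, text-only EmailMessage) for a raw message string."""
    msg, scanner, plain = message_from_string(raw), ActiveContentScanner(), []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        if part.get_content_subtype() == "html":
            scanner.feed(body)
        elif part.get_content_subtype() == "plain":
            plain.append(body.strip())
    scanner.close()
    safe = EmailMessage()            # rebuilt as text/plain, no HTML part kept
    for header in ("From", "To", "Subject"):
        if msg[header]:
            safe[header] = msg[header]
    safe.set_content("\n".join(plain) if plain else " ".join(scanner.text))
    return scanner.findings, safe
# Constructed sample: the script body is a placeholder comment, not working code.
SAMPLE = ('From: counsel@example.com\nTo: you@example.org\nSubject: Settlement proposal\n'
          'Content-Type: text/html\n\n<html><body onload="init()"><script>/* placeholder */'
          '</script><p>Our <b>confidential</b> proposal.</p></body></html>\n')
```

Any non-empty findings list means the message carries active content; the returned text-only copy is the one to quote or forward, since it carries no HTML for a downstream reader's mail program to execute.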

In case you are thinking that you yourself may want to create and send bugged e-mails, don't: The activity likely is against the law.

Courts haven't yet explored the issue at any length. But Philip Gordon, an attorney with Horowitz & Wake in Denver, is a fellow of the Privacy Foundation and an expert in wiretap law. Gordon notes that "Any lawyer (or their client) considering using the e-mail wiretap in their practice is at risk of violating the federal wiretap law."

In a posting on the Privacy Foundation's Web site, Gordon states that in addition to the federal wiretapping laws, sending such a message could also violate the Computer Fraud and Abuse Act. The sender could also face liability under state civil and criminal laws.

With simple programming tools such as JavaScript, expensive wiretapping hardware isn't necessary to track and view the responses to one's e-mail. This should be enough to make all of us a bit more cautious as we click the send button.

Harvard Makes a Case Study of Venture Law

By The Recorder, March 15, 2001

Craig Johnson is still a popular guy at Harvard Business School -- even if the Internet economy is in the tank.

Last week, the Venture Law Group co-founder trekked to Harvard to answer questions from students who are studying his firm.

It's the second time Johnson has traveled to the university where VLG is used as a case study in Harvard business professor Ashish Nanda's class.

This time, the class was particularly interested in VLG's attorney retention goals. Though it may not seem like such a pressing issue given the economic downturn, VLG wants to keep all of its attorneys and has wrestled with ways to sweeten the pot.

"Johnson had some very strong views on retention and that's something we preach for professional services firms," Nanda said.

Nanda learned of the firm from a student's research report. His series of case studies include a wealth of information on VLG's professional services model, its equity stakes, and the systematic way the firm approaches retention.

For example, VLG limits the number of clients each partner may represent and it lets partners cut back on their workloads in exchange for a cut in pay.

Overall, the case study is interesting reading and dishes up some juicy facts to Harvard students and to management professionals enrolled in the university's executive program.

For instance, the firm's founders went without pay for six months while they struggled to get the firm off the ground, and to make its trademark investments in clients.

And it took a while for those investments to reach true critical mass. In 1998, VLG Investments doled out just $3 million in stock to partners. That was up to more than $30 million the following year and by 2000, it more than tripled to $100 million-plus.

Meanwhile, fees in 1999 generated $53 million in revenue, which came out to profits of $4.53 per point. As for retention, the firm's turnover rate in 1997 was 16.40 percent, 21.33 percent in 1998 and in 1999, 17.04 percent.

And while it's not zero, that's not bad. By comparison, Brobeck, Phleger & Harrison, a firm not known for extraneous retention programs, had a 23 percent turnover rate in 1999.