"So that's what Hillary thinks of me"

The organisation has found that by embedding a piece of computer code into an e-mail, the originator of a message can see copies of any comments made every time the mail forwarded.

Only messages sent and received using e-mail programs that can read the HyperText Markup Language (HTML) and Javascript are at risk. HTML is used to format the elements of a webpage, telling a computer where to put them and what they should look like. Javascript works with HTML and makes it easier for web designers to add basic functions to webpages, such as counters that tally the number of people visiting a site.

Javascript should not be confused with Java - a much more powerful programming language developed by Sun.

But the Privacy Foundation has found that one of the documented functions of Javascript turns it into an almost perfect tapping program.

Wholly holey

"You really would never know that this is occurring, unless you could view the source code and know what it meant," said Stephen Keating, executive director of the Privacy Foundation.

The offending 20 lines of computer code reads the text of any comments added to a message and sends them back to that message's originator every time the mail is forwarded.

"Holes? I see no holes"

The vulnerability is found in Microsoft's popular Outlook and Outlook Express programs as well as messages composed and sent using Netscape Communicator 6.

The weakness was originally found by computer engineer Carl Voth in 1998. When he discovered the problem, Mr Voth told Microsoft but the company declined to plug the hole.

Posting peril

Users can take steps to protect messages being tapped by disabling Javascript in the vulnerable e-mail programs, but they can only be sure they are completely protected if every person receiving the message has taken the same action.

Both Microsoft and Netscape are working on patches for their respective programs.

The Privacy Foundation fears that the vulnerability could be exploited by a company negotiating with a partner and wants to monitor what is being said about a deal internally, or by marketing companies who want to gather e-mail addresses they can later bombard with junk mail. Some companies are already offering e-mail tracking services.

The perils of making unguarded comments were underscored in 1997 when Norwich Union was forced to pay �450,000 to Western Provident Association after it was judged to libel the rival on its internal e-mail system.