Self-Shredding E-Mail

yoink! writes: "I just read an article on CNN.com describing a self-shredding e-mail system. With all the persistent e-mail documents gathered by the Government in the MS Anti-Trust case, and the massive shredding of paper documents by parties in the Enron fiasco, it's no wonder people have been looking for an electronic solution to a material problem solved years ago with some cutting tools, a motor, and a garbage bag." One of the companies highlighted here was called Disappearing, Inc. when it was mentioned a few years ago, but now several others have joined the fray.

PGP can be a substitute

[SomethingOrOther]

When encrypting a message with PGP you can use the -m option (or sellect the 'secure viewer' if you are using one of the windoze versions) Doing this prevents the recipiant from saving a plain text version on their disks

No, it isn't as good as "shreading" and there are ways to cercumvent this if the recipiant was so incliend, but it is a good substitute providing you trust the recipiant.

If you dont trust the recipiant then WTF are you doing sending them such an e-mail in the first place!

Yeah, whatever.

[Cerebus]

"Self-expiring" email schemes work essentially the same way: a trusted key authority generates and stores encryption keys for any and all email. Reading an email requires authentication to the key authority, which either returns the key or decrypts the email. After a preset time, the key authority purges the encryption key, after which the email encrypted with that key is theoretically unreadable.

These schemes have several practical problems and weaknesses:

1) These are closed email systems. Composing, sending, receiving and reading all protected email *must* take place within the system. Communication outside the system typically involves a web-based email solution-- you don't actually send the email, you send a URL to a server that hosts the email for the recipient, and a one-time authenticator to access it.

2) There is no protection for email that is removed from the system. Screen captures, saving as text, etc. all remove the email from the "expiry" system, rendering it moot.

3) The key authority is a central point of failure. Reading any protected email requires that the key authority be online and available, and that it's keystore be intact. Any interruption in this services makes *all* email hosted by that service unavailable-- and this is (conceivably) all email in your enterprise.

4) If the key store is ever archived-- a typical response to worries about (3), above-- the archived keys can be used to access old mail that has otherwise "expired," or "shredded." There is nothing in the application of the encryption that prevents an archived key from being used past its valid date, should it be recovered from a backup or recovered forensically the key server's storage.

Just some thoughts.

The obvious observation

[JohnPM]

Can I just go ahead and point out the obvious here. Self-shredding email or whatever you want to call it can only work with the consent of the recipient, which goes completely against the tone of the CNN article:

Senders can destroy messages either remotely or automatically, without a recipient's consent or cooperation.

Just like the whole digital-rights management problem, eventually you have to give access to the message to your recipient and they can store a copy. If it's displayed on your screen then even the most recalcitrant software can be bypassed with a screen-shot or at absolute worst, a photograph of your monitor.

All these schemes can do is make it less convenient to store the email you receive. Even so, the receiving software could be dissasembled (DeCSS style) and you could create tools that would store the plain-text like a normal email client.

Re:Can there ever be a perfect digital shredder?

[mpsmps]

I have been looking at the Authentica. It appears to me that Authentica's product (prominently mentioned in the article) has a lot of powerful access control features that address the issues in the above email, but offer no protection against a court-ordered review of email. In particular, Bill Gates can't use such systems to protect himself from legal review. Backups do not defeat the system because the emails are encrypted and can only be viewed using a secure viewer. According to a review:

On the viewer side, recipients need Authentica's plug-in to Netscape and Microsoft browsers for viewing protected content....Authentica's plug-in...decrypts into protected memory, so that recipients never have direct access to decrypted content.

The "mail chain" is not destroyed, but instead is made more explicit. Again, from the review:

The "recall" name also refers to the user's ability to see what's been done with a specific piece of content. The system keeps a complete audit trail of all access and changes to rights and permissions.

The person in charge of granting rights can apparently change them anytime in the future to either "unshred" a message or make an existing message unreadable even in the viewers mailbox:

The person granting rights can change-and even revoke-privileges after content has been delivered.

What I conclude from this is that even if the system works as designed (a big if), it is at most useful for protecting your documents against people who cannot influence the "person granting rights". In particular, this wouldn't seem to protect documents in a court fight. The judge could require that the person granting rights unshred the document and cough up the audit chain to see exactly who viewed it and when.

If you have AIM on a Macintosh...

[J'raxis]

Open up Preferences and click on IM, then click Automatically Save IM Sessions to Log File.

You were saying?

• Macintosh AIM logs. PC version has a Save option for each individual chat.
• ircle logs.
• BitchX logs.
• mIRC logs.
• pIRCh logs.
• And in programs that dont have a log or save feature, theres always select, copy, paste.

Need I say more?