Self-Shredding E-Mail

yoink! writes: "I just read an article on CNN.com describing a self-shredding e-mail system. With all the persistent e-mail documents gathered by the Government in the MS Anti-Trust case, and the massive shredding of paper documents by parties in the Enron fiasco, it's no wonder people have been looking for an electronic solution to a material problem solved years ago with some cutting tools, a motor, and a garbage bag." One of the companies highlighted here was called Disappearing, Inc. when it was mentioned a few years ago, but now several others have joined the fray.

Common sense?

[Em+Emalb]

How bout not sending anything that could get you in trouble? Common sense should prevail here. But in the wake on Enron, I am sure they will do well.

One thing I did not see in the article, what happens if the person on the other end saves the email as an attachment, or saves it? I doubt it would be able to "shred" that. This is a very niche market item imo. Once again, DON'T SEND IT IF IT COULD GET YOU IN TROUBLE.

Re:Common sense?

[sql*kitten]

How bout not sending anything that could get you in trouble? Common sense should prevail here. But in the wake on Enron, I am sure they will do well.

There's a scene in Cryptonomicon in which Avi (I think) explains that important discussions have to take place between only two people at a time, so there is plausible deniability and nothing to subpoena.

This is why, even when email, videoconferencing and even faxes are widespread, nothing will ever replace face to face meetings for serious business.

Re:Common sense?

[Rogerborg]

• that important discussions have to take place between only two people at a time, so there is plausible deniability and nothing to subpoena

Here's an anecdote to back that up. I used to work for a company that did CGI, mostly for games. They were informed by a man-who-knew-a-man that Paramount needed some CGI for a some Star Trek game. Tiny problem:

• Paramount are savagely protective of their IP.
• They are pathologically opposed to licensing any reproduction of their IP, in even the most limited form. They especially do not want to give even temporary licenses to little "wannabe" subcontractors.
• To protect their trademarks, they have to be seen to be prosecuting any violations.

So, farcically, the whole thing was carried out by cryptic phone calls (from home numbers, more often than not) or face to face. No email, nothing in writing, no hard requirements, no direct references to any contract, expressed or implied, on the phone, in case the other side was recording it. Paramount needed plausible deniability that they even knew my employer was producing this stuff, as they would have to be seen to prosecute them, even though they (as represented by a middle manager) were informally soliciting the work.

So my employer put about a man year of work into producing a test sequence based on a guess of what Paramount might want (made for some happy animators, mind you), then it was taken by hand to Paramount to be viewed by a mid level peon, without even so much as a record of the appointment or meeting.

My employer lost the "bid". It was made clear to them (face to face) that they should under no circumstances account for the work as being to do with Paramount or Star Trek. They gambled a man year of work, lost, and then had to scam their own shareholders by cooking the books to cover it up.

With my hand on my heart, this is the honest truth. It's probably not even the whole truth, I only heard the stuff that got filtered through our bid manager.

So, yes, even legitimate businesses have a desire for self destructing messages. I won't say a "need", because the whole process was a farce. But just because it's dumb doesn't mean they aren't begging for it like a drunk soaped up cheerleader in a post-football shower (sorry, I just needed to get the bad taste out of my head).

It won't work...

[jnievele]

People still will be able to print out messages, or make screenshots of their MUA - ESPECIALLY when they know that the mail is going to self-destruct. So these expensive systems still won't guarantee against a copy surviving (especially if it's something hot that could be used to blackmail somebody, such as the order to shred all records...).

In short: Why waste money on a system that prevents Email from getting read by Law-enforcement-officers? Why not simply do nothing illegal? ;-)

Re:It won't work...

[InsaneGeek]

You need to look at what this is targeted at. It's not really for hiding anything illegal, most large companies would have used some form of crypto (having used PGP's Outlook plugin, you can't get much easier). But more for everyday things that really appear harmless, that come back and bite you. Best example off the top of my head:

Microsoft subpoenaed Netscape for all those internal message board documents, saying how much better IE was than Netscape. Nothing illegal, but would have been great to be killed automatically, look at how much damage *legal* posts did.

Now, someone actually subpoenaing a couple emails of printed off is probably very little of a concern, when compared to possibly gigs & gigs of emails laying around that can be subpoenaed and gone through, that would not only include the couple of printed emails already, but possibly even more.

I look at it like security, just because the only truely safe system from network hackers is a unplugged system, doesn't mean I shouldn't throw in the towel and not secure the systems that are plugged in.

Outlook

[Orre]

Why not use outlook. It does that whenever it wants on my Unverity (randomly).

Snake Oil ?

[CaptainZapp]

I'm sure many corporate bigwigs would sure be happy, if some of their e-mails sent/received might have self destructed. (Kenny Boy and his Anderson crownies come to mind).

I fear however that they might be in for a surprise when the apparently "self shredded" messages pop up at all those likely and unlikely places like backup tapes, swap files, printouts and the like.

It's probably safer to employ a clean and transparent corporate culture, then getting kicked in the but by embarassing messages popping up on ol' backup tapes.

Can there ever be a perfect digital shredder?

[phil_atk]

Document destruction is very topical at the moment - but the question must ultimately be whether it is possible to destroy digital documents as easily as their paper counterparts?

With a traditional document (esp. in the case of sensitive items) versioning is kept to a minimum, and hence the total destruction of a 'mail chain' would be possible. With digital documents it is too easy for multiple versions to exist - using the email example you could have multiple vendors and multiple sysadmins with mailbox backups, many of which could be unknown to the individuals concerned.

With digital documents there will always be an tension between the desire to be able to fix a system that breaks (using backups) and to digitally shred sensitive items. This will probably mean that there will never be as much certainty with digital shredding as traditional shredding.

Re:Can there ever be a perfect digital shredder?

[mpsmps]

I have been looking at the Authentica. It appears to me that Authentica's product (prominently mentioned in the article) has a lot of powerful access control features that address the issues in the above email, but offer no protection against a court-ordered review of email. In particular, Bill Gates can't use such systems to protect himself from legal review. Backups do not defeat the system because the emails are encrypted and can only be viewed using a secure viewer. According to a review:

On the viewer side, recipients need Authentica's plug-in to Netscape and Microsoft browsers for viewing protected content....Authentica's plug-in...decrypts into protected memory, so that recipients never have direct access to decrypted content.

The "mail chain" is not destroyed, but instead is made more explicit. Again, from the review:

The "recall" name also refers to the user's ability to see what's been done with a specific piece of content. The system keeps a complete audit trail of all access and changes to rights and permissions.

The person in charge of granting rights can apparently change them anytime in the future to either "unshred" a message or make an existing message unreadable even in the viewers mailbox:

The person granting rights can change-and even revoke-privileges after content has been delivered.

What I conclude from this is that even if the system works as designed (a big if), it is at most useful for protecting your documents against people who cannot influence the "person granting rights". In particular, this wouldn't seem to protect documents in a court fight. The judge could require that the person granting rights unshred the document and cough up the audit chain to see exactly who viewed it and when.

Honest men

[xenocide2]

have nothing to hide. I don't think shareholders would see an email shredder as good news. Sure, you've reduced "liability," but you could further reduce it by having a higher set of moral codes. If I was a shareholder, I'd probably dump the company if news that the company needed to protect itself from itself.

Its too bad that company execs won't see things that way. I guess the most valuable thing then to have as an investor is the list of Dissapearing, Inc's clients.

Re:Honest men

[zangdesign]

Then explain why we have cryptography, steganography, spy agencies, wiretaps, etc.

That's the same horsecrap argument right-wing Republicans have been using for years.

Re:Honest men

[Carmody]

"Honest men have nothing to hide."

Not only is this statement false; it is dangerous.

If an honest man comes up with a new, beautiful, invention, shouldn't he hide it until the patent forms come out?

If an honest man writes a personal email to an honest woman, thanking her in detail for the honest sex they had last night, would he be suddenly dishonest if he didn't want those details accessible to any snoop a few years later?

If an honest man writes an email to his honest colleague, and makes some honest fun about the way that his honest customer dresses, just the way that colleagues often jest and jape, is it that big a stretch that he wouldn't want that email to surface years later in some lawsuit?

If you are living your life in such a way that you never write or say anything that you would like to keep private, I wouldn't call you "honest," I would probably call you "bland." And I don't believe that being bland is a virtue to which we should aspire.

Re:Honest men

[0xdeadbeef]

I think you're missing the point. Privacy is one thing. Hiding your lawbreaking behavior from the government and your shareholders is a whole different ballgame.

The real dangerous thing is the way many people advocate privacy while their intent is to shield criminal activity. That is what causes "if you're not a criminal, you've got nothing to hide" mentality in law-n-order types.

Re:Honest men

[mpe]

...have nothing to hide.

Not even from the dishonest?

Re:Honest men

[edp]

"Honest men have nothing to hide."

The most obvious and American counterexample to that is the voting booth. It has a privacy curtain, and I bet you use it.

Honest people have things to hide from dishonest people. Hiding your vote protects you from being threatened or rewarded for your vote. Hiding your business plans prevents your competitor from beating you to the punch. Hiding your homework prevents other students from cheating. Hiding your phone number prevents some telemarketers from bothering you. Hiding your home address prevents customers from bothering you after business hours. Hiding an embarrassing (but ethical) hobby provides enjoyment of life while protecting from harassment. Hiding your religion protects you from persecution.

Re:Honest men

[sphealey]

And for B, I guarantee, you Mr. Conspiracy Theorist, that I have not broken 50-100 laws this morning, unless Congress has passed a law against skipping breakfast. We (at least I presume you do as well) live in the United States of America, not Communist Russia, where anything worth doing was illegal

I don't go in for conspiracy theories much, myself. Although there clearly are powerful groups of people in the world who enjoy power/money for its own sake.

As for your comment about not breaking any federal laws, clearly you haven't read the US Code (or the Federal Register, since the Supreme Court ruled that administrative regulations have the force of law) lately. Flush the leftover pills from a prescription down the toilet and and the question is not if you have broken FDA and EPA regulations but how many. ill you be prosecuted for that? Probably not - unless someone decides you have something they need. What's that? One of the customers for your database consultancy is the local mosque? Hmmm...

Before you flame back, please spend a few hours at your local library scanning through a couple weeks' Federal Registers.

To you other points: countersuits are a nice idea, unless you are facing an opponent with 100,000 times your resources. Then you are screwed, because even if you win your $10,000 award will not cover your $500,000 in legal fees. And it is nice to think that the feds only go after "bad guys", but the definition of "bad guy" can change quite rapidly. Just ask Mr. Ashcroft.

sPh

PGP can be a substitute

[SomethingOrOther]

When encrypting a message with PGP you can use the -m option (or sellect the 'secure viewer' if you are using one of the windoze versions) Doing this prevents the recipiant from saving a plain text version on their disks

No, it isn't as good as "shreading" and there are ways to cercumvent this if the recipiant was so incliend, but it is a good substitute providing you trust the recipiant.

If you dont trust the recipiant then WTF are you doing sending them such an e-mail in the first place!

Re:PGP can be a substitute

[jnievele]

The trouble with PGP is: Once it becomes so widespread that the government has to fear loss of face in front of a court, other countries will do the same as the UK: Pass a law that requires you to hand over the key, or else...

Besides, with PGP you still can't control if the RECIPIENTS of the mail keep it - the point of these new systems was to delete the mail after you sent it.

Re:PGP can be a substitute

[CatherineCornelius]

When encrypting a message with PGP you can use the -m option (or sellect the 'secure viewer' if you are using one of the windoze versions)

Doing this prevents the recipiant from saving a plain text version on their disks

I hope nobody reading this will rely on "pgp -m" for security--it's just a convenience that tries to ensure that your recipient doesn't do something insecure such as saving plaintext to disk, but if he wants to he can probably still do that with a couple of keypresses.

Yeah, whatever.

[Cerebus]

"Self-expiring" email schemes work essentially the same way: a trusted key authority generates and stores encryption keys for any and all email. Reading an email requires authentication to the key authority, which either returns the key or decrypts the email. After a preset time, the key authority purges the encryption key, after which the email encrypted with that key is theoretically unreadable.

These schemes have several practical problems and weaknesses:

1) These are closed email systems. Composing, sending, receiving and reading all protected email *must* take place within the system. Communication outside the system typically involves a web-based email solution-- you don't actually send the email, you send a URL to a server that hosts the email for the recipient, and a one-time authenticator to access it.

2) There is no protection for email that is removed from the system. Screen captures, saving as text, etc. all remove the email from the "expiry" system, rendering it moot.

3) The key authority is a central point of failure. Reading any protected email requires that the key authority be online and available, and that it's keystore be intact. Any interruption in this services makes *all* email hosted by that service unavailable-- and this is (conceivably) all email in your enterprise.

4) If the key store is ever archived-- a typical response to worries about (3), above-- the archived keys can be used to access old mail that has otherwise "expired," or "shredded." There is nothing in the application of the encryption that prevents an archived key from being used past its valid date, should it be recovered from a backup or recovered forensically the key server's storage.

Just some thoughts.

Re:Yeah, whatever.

[GooberToo]

And if you use this system for which law enforcement access is required whereby the emails are no longer available will you now be charged with interference of an investigation? Dustruction of evidence? Failure to co-operate in an investigation?

I doubt there is currently much a legal-leg to stand here to prevent your self from being raked over one way or another.

Please keep in mind, I'm not a lawyer, however, these seem like the obvious paths law enforcemet would go to ensure these systems don't prohibit their ability to investigate.

we had this years ago

[jd142]

Back in the distant mists of time, when we had cc:mail in house, messages were deleted from the server after 15 days. Since it was not pop3 and all messages were kept right on the server instead of downloaded to your hard drive, it meant that after 15 days it was gone for good. In theory, backups were made. But the person in charge of cc:mail and the backups had . . . issues with the backup, so itwas hit and miss anyway.

If people wanted to keep a message, they did what every one using these e-mail shredders will do: either print it directly or copy and paste it into word and print it from there.

not in a corporate environment

[Tenebrious1]

Maybe for personal email. But a corporate email system is the property of the company. Anything you create on corporate time becomes the property of the company. An email you send to your co-worker does not become the "property" of the co-worker. It's still part of the corporate network and is still the property (and responsibility) of the company. Thus they have every right to "shred" the message.

They have every right to tell you not to print it out and save it; but of course that's what people will do if they know the messages will be deleted after a certain time. I print out and save messages to cover my own ass.

Which brings up a point. I print out the stuff with full headers, with message ID and info when it was sent; however, does it really serve a purpose? I remembered thinking that while watching "Clear and Present Danger", when Harrison Ford prints out a memo and shoves it into the other director's face saying something like "here's the proof". What good is my printout if I don't have server logs to back up that the message was actually sent to me? What good is a backup of the server logs if I can't prove it wasn't tampered by myself? I know my boss will believe me if I used it as proof to protect my ass, but would a jury? Am I just wasting trees?

Self-Shredding E-mail Howto:

[Shuh]

Steps to self-shredding e-mail:

1. Get your "@enron.com" account...
2. Use account.

Re:Lessons Learned

[rarose]

My very first manager at my first real corporate job drilled into my head that you assume every email you write will be published in the paper... if you aren't comfortable with that then it shouldn't be said in email. It's a rule that's served me well...

Spyware

[Registered+Coward+v2]

I wonder how this stuff interacts with spyware that logs keystrokes, viewed screens, email, etc.

Of course, talk about being hoisted by one's own petard:

Company X installs spyware on its machines - "to protect itself"; and the results wind up as evidence in a court trial, including "shredded" emails. Concievably, Company Y could send the email, and have it recovered from X.

Re:They're at it again.

[David+Price]

This is absolutely true. However, these systems are not at all designed to foil the presumed intent of the recipient to copy the content (as DRM systems for copyrighted entertainment content are). They're designed to give a level of automatic prevention against inadvertent copying.

Consider, as an example: I run a business in which sensitive information is bandied about by internal corporate e-mail. In order to keep a whole variety of bad things from happening to that information (subpoenas years later, inadvertent forwarding to somebody who shouldn't see it, proprietary information being leaked by cast-off hardware), I enact an electronic document destruction policy; one year after an internal e-mail is sent, it is destroyed. I mandate use of one of these self-shredding systems to help enforce my policy.

Now I haven't really helped anything from a strict can-it-be-done standpoint: a whistle-blowing employee can still take the aforementioned camcorder and set it up; a sysadmin who's for some reason obsessed with archiving all his mail can probably download a crack for the system in question. These issues are pushed into the realm of policy, but the number of such issues that have to be dealt with strictly by policy means decreases by an order of magnitude. What I have really accomplished is to drastically reduce the probability that something will happen that nobody in the organization intended.

Archivists can't be happy about this

[D_Fresh]

From a security standpoint, this is great, but from a historical perspective, this is an archivist's nightmare. How do you write a biography of a famous figure of the information age without their email to go through? (I know, insert MS trial email joke here.) How many current biographies of presidents, CEOs, entertainers, etc. are based on their mounds of personal correspondence squirreled away in six million shoeboxes in the family archives? With self-destructing email, the possibility of finding such a treasure trove in email form just got even smaller than it already was.

Been there, Done that.

[sharkey]

describing a self-shredding e-mail system.

Been out for years, described here. You can even get a demo version!

Self-Deleting Spam

[Ukab+the+Great]

Self-shredding e-mail is cool. But messages that kill themselves if they contain the strings "Get Out of Debt" or "Penis Enlargment" would really kick ass.