Self-Shredding E-Mail

yoink! writes: "I just read an article on CNN.com describing a self-shredding e-mail system. With all the persistent e-mail documents gathered by the Government in the MS Anti-Trust case, and the massive shredding of paper documents by parties in the Enron fiasco, it's no wonder people have been looking for an electronic solution to a material problem solved years ago with some cutting tools, a motor, and a garbage bag." One of the companies highlighted here was called Disappearing, Inc. when it was mentioned a few years ago, but now several others have joined the fray.

Re:Common sense?

[sql*kitten]

How bout not sending anything that could get you in trouble? Common sense should prevail here. But in the wake on Enron, I am sure they will do well.

There's a scene in Cryptonomicon in which Avi (I think) explains that important discussions have to take place between only two people at a time, so there is plausible deniability and nothing to subpoena.

This is why, even when email, videoconferencing and even faxes are widespread, nothing will ever replace face to face meetings for serious business.

Yeah, whatever.

[Cerebus]

"Self-expiring" email schemes work essentially the same way: a trusted key authority generates and stores encryption keys for any and all email. Reading an email requires authentication to the key authority, which either returns the key or decrypts the email. After a preset time, the key authority purges the encryption key, after which the email encrypted with that key is theoretically unreadable.

These schemes have several practical problems and weaknesses:

1) These are closed email systems. Composing, sending, receiving and reading all protected email *must* take place within the system. Communication outside the system typically involves a web-based email solution-- you don't actually send the email, you send a URL to a server that hosts the email for the recipient, and a one-time authenticator to access it.

2) There is no protection for email that is removed from the system. Screen captures, saving as text, etc. all remove the email from the "expiry" system, rendering it moot.

3) The key authority is a central point of failure. Reading any protected email requires that the key authority be online and available, and that it's keystore be intact. Any interruption in this services makes *all* email hosted by that service unavailable-- and this is (conceivably) all email in your enterprise.

4) If the key store is ever archived-- a typical response to worries about (3), above-- the archived keys can be used to access old mail that has otherwise "expired," or "shredded." There is nothing in the application of the encryption that prevents an archived key from being used past its valid date, should it be recovered from a backup or recovered forensically the key server's storage.

Just some thoughts.

Re:Honest men

[Carmody]

"Honest men have nothing to hide."

Not only is this statement false; it is dangerous.

If an honest man comes up with a new, beautiful, invention, shouldn't he hide it until the patent forms come out?

If an honest man writes a personal email to an honest woman, thanking her in detail for the honest sex they had last night, would he be suddenly dishonest if he didn't want those details accessible to any snoop a few years later?

If an honest man writes an email to his honest colleague, and makes some honest fun about the way that his honest customer dresses, just the way that colleagues often jest and jape, is it that big a stretch that he wouldn't want that email to surface years later in some lawsuit?

If you are living your life in such a way that you never write or say anything that you would like to keep private, I wouldn't call you "honest," I would probably call you "bland." And I don't believe that being bland is a virtue to which we should aspire.

we had this years ago

[jd142]

Back in the distant mists of time, when we had cc:mail in house, messages were deleted from the server after 15 days. Since it was not pop3 and all messages were kept right on the server instead of downloaded to your hard drive, it meant that after 15 days it was gone for good. In theory, backups were made. But the person in charge of cc:mail and the backups had . . . issues with the backup, so itwas hit and miss anyway.

If people wanted to keep a message, they did what every one using these e-mail shredders will do: either print it directly or copy and paste it into word and print it from there.

not in a corporate environment

[Tenebrious1]

Maybe for personal email. But a corporate email system is the property of the company. Anything you create on corporate time becomes the property of the company. An email you send to your co-worker does not become the "property" of the co-worker. It's still part of the corporate network and is still the property (and responsibility) of the company. Thus they have every right to "shred" the message.

They have every right to tell you not to print it out and save it; but of course that's what people will do if they know the messages will be deleted after a certain time. I print out and save messages to cover my own ass.

Which brings up a point. I print out the stuff with full headers, with message ID and info when it was sent; however, does it really serve a purpose? I remembered thinking that while watching "Clear and Present Danger", when Harrison Ford prints out a memo and shoves it into the other director's face saying something like "here's the proof". What good is my printout if I don't have server logs to back up that the message was actually sent to me? What good is a backup of the server logs if I can't prove it wasn't tampered by myself? I know my boss will believe me if I used it as proof to protect my ass, but would a jury? Am I just wasting trees?