Saturday, September 02, 2006


The Wall Street Journal

This Email Will Self-Destruct

New Services Help Safeguard
Outbound Messages Against
Forwarding and Tampering
By ANDREW LAVALLEE
August 31, 2006; Page D1

People who want to open email from patent attorney Andrew Currier have to know the drill. First, they must answer a predetermined question, such as "Where did we first meet?" If they answer correctly, they will then be allowed to view the contents of the email -- but they can't alter it or forward it to anyone else.

Concerned about privacy, the Toronto-based lawyer has begun using a new service that encrypts his emails and tries to keep unintended recipients from reading the contents. The tool, developed by Echoworx Corp., adds a "send secure" button to his Microsoft Outlook email program. Unlike other email-security systems Mr. Currier has tried, this one doesn't require recipients of his emails to download any software or use the same email program.

[Image of Secure Button]
In Secure Mail, recipients must answer a predetermined question to open email.

"I really need it to be easy for the client on the other end," says Mr. Currier, who says that leaked information could be disastrous for one of their patent applications. "People don't appreciate just how vulnerable email is."

Amid heightened privacy concerns, a handful of technology companies are touting new services designed to make existing email programs, such as Microsoft Corp.'s Outlook, more secure, with features ranging from emails that can't be forwarded to self-destructing messages that can be viewed only for a limited time. While most email programs by themselves guard against inbound attacks such as viruses and spam, they give computer users little control over the messages that are sent. So these third-party developers, which aren't working directly with Microsoft or other email companies, aim to fill that hole.

The new outbound-email services focus on safeguarding data and protecting the sender from legal liability, says Richi Jennings, an email-security analyst at Ferris Research in San Francisco. "The state of the art of the technology, though, for some time has just made it really difficult to deploy," he says. "That seems to be changing."

Echoworx, a closely held Toronto company, launched its new Secure Mail service in January. The service is sold through Internet service providers, including AT&T Inc., Verizon Communications Inc. and BellSouth Corp., which charge consumers $5 to $8 a month. The service appeals to individual users, as well as companies that want to ensure confidentiality, says Chris Erickson, an executive vice president at Echoworx. He declined to say how many people are currently using the service.

"For consumers it's all about identity theft," says Mr. Erickson. And because Secure Mail makes it easier to prove that messages were received and that their contents were unchanged, businesses can more safely negotiate deals through email, he says.

Another new service, Kablooey Mail, allows consumers to send "self-destructing" emails that can be viewed for only a limited time, which may appeal to people who don't want a record of their correspondence. The free service, which made its debut in July, lets individuals log on to Kablooey's site to compose a message and set an expiration time, which can range from 10 seconds to two weeks after the message is opened. (Senders can also elect to have the message not expire.) A copy of the message is saved in the sender's account, where it can be reviewed by the sender later, or deleted altogether for extra security.

The email is sent from the Web site, but appears as though it is coming from the sender's personal email address, such as an Outlook account. It shows up in the recipient's inbox with a link to a Web site with the message's content as well as a timer that shows how long before the message expires. A recipient is instructed to use only the up/down arrow keys or scroll bar to read the message; any other keystroke causes the message to expire instantly, which removes the message from the screen and prevents the recipient from accessing it again.

In addition to preventing alteration of email and letting the sender destroy messages, the service also allows senders to track when an email was opened, the recipient's Internet protocol address, and how long he or she viewed the message, says John Flanagan, chief technology officer of CDS Technologies LLC, the Delray Beach, Fla., company that designed Kablooey. The company will provide an affidavit with this tracking data if requested in a legal dispute. "It gives us a greater level of control" over email communications, Mr. Flanagan says.

Email is increasingly called on as evidence in court, says Dana Henry, a consultant for RPost International Ltd., a Los Angeles-based provider of "registered email" services. It is relatively easy to change the contents of a message or say it was never delivered, says Ms. Henry, a former Los Angeles County Superior Court judge. "There is such incredible deniability on the part of the other party who is the recipient."

The RPost service, which also works with Outlook, is designed to ensure the authenticity of messages so that they can be used in legal disputes, if necessary. The program adds a unique digital seal to each registered email. A few minutes after sending the message, the sender receives an email receipt that includes when the message was delivered and opened. RPost will also verify whether the original message's content was changed. The sender can choose whether or not the email tells the recipient that the message is registered.

The RPost service, which charges senders 59 cents for each registered email, added a new feature in July that checks for "risky" content, such as Social Security numbers or key words that senders -- or the senders' employer -- have flagged, before delivering the message. Customers, especially lawyers and technology professionals, are interested in using the service to protect senders from email-related liability, says RPost CEO Zafar Khan. "That can often cost the company quite a bit more, especially in this country, in litigation and litigation-discovery costs," he says.

The new products aren't without their hurdles. Echoworx customers must warn recipients they'll be prompted with a question before they can read their email, and not being able to forward messages is sometimes a hindrance, says Darren Williams, an investment banker in Toronto. His employer, Solaris Capital Advisors, provides the Echoworx tool for all its employees.

[Email Graphic]

As more companies develop email-security products, Microsoft isn't sitting idle. The company, whose Outlook technology is open enough to allow third parties to develop add-ons, says it is aware that consumers have security concerns. The coming Outlook 2007, which is expected to be widely available early next year, will let users send emails with expiration dates and electronic postmarks, as well as messages that can't be forwarded or printed.

While several of the new features overlap with Echoworx, Kablooey Mail and RPost's, says William Kennedy, general manager of Office communications services for Microsoft, there are still opportunities for third-party developers. "It doesn't mean for a second that we're not interested in a product that, out of the box, is very secure. But some customers may have specific requirements," he says.