As a society, we’re obsessed with online security.
The realization that government agencies (namely the National Security Agency) have access to anything we do on the Internet might have been an eye-opener, but the fact that the web is leaky is far from news. Government access to data is just the tip of the iceberg.
Employees are going public with confidential or proprietary information, smartphones are going missing at a rapid rate, and cyber criminals are hitting corporate networks harder than ever. Email is especially vulnerable, given its propensity to be copied, forwarded, printed or squirreled away for years. There’s a demand for secure communication and some sort of solution to the concept that the Internet is forever.
A recent patent filing by AT&T (T) for self-destructing email is the latest step toward making email messages secure.
AT&T’s work clearly is aimed at corporate and government users and focuses on an email client that provides the ability for messages to self-destruct at a specific time, or under specific conditions (such as the message having been opened and closed by the recipient). It also would set limitations on what the recipient could do with the message; for example, preventing them from printing or forwarding it.
But aren’t there plenty of security measures in current email clients?
Well, yes, but the fact is most of them don’t work so well. You might have options for recalling a sent email or having an email delete itself after a certain period of time, but this seldom works the way we imagine it might.
When you recall an email you’ve accidentally sent, chances are your email server has a built-in delay, giving you a short window of opportunity to recall the message before it’s released. Once it’s out there, you might as well consider it “in the wild” — especially if it’s going from one email client to another (from Gmail to Outlook, for example), where rules don’t get applied uniformly. If someone picks it up on a smartphone where the device can go offline (and out of reach) at any time, forget it.
Even BlackBerry (BBRY), with a core enterprise market and a reputation for security, has failed to nail the issue.
AT&T’s idea has merit. There are plenty of companies that would rest easier knowing internal email couldn’t be forwarded to a competitor, or if it was forwarded they would immediately receive notification and have the option to kill all the copies in existence. And you can bet that organizations and government agencies all over the world would like nothing better than to use services like this to prevent leaks.
However, AT&T’s efforts have three pivotal issues.
Why It Won’t Work
First, to work effectively, the solution requires both sender and recipient to be using the same email platform. Once a message gets outside of that closed environment, it’s gone. That’s how systems like SnapChat (the private, self-destructing photo/video app) work, by controlling the content during sending, reception and viewing. Expecting everyone to standardize on one platform is unrealistic — especially with the BYOD movement in full play.
Second, no matter how many barriers you put up, people find a way around them. Turning to SnapChat again, it didn’t take long for websites full of “private” photos taken with the app to go online. The software’s method for deleting content has already been cracked, making those private files very recoverable should someone get their hands on a smartphone or computer that sent or received the files.
Even outside of the high-tech hacker toolkits, there are always low-tech methods that are virtually impossible to prevent — snapping photos of a computer display with a digital camera, for example. As Matt Hickey points out in Forbes, AT&T’s patent doesn’t seem to include a defense against the infamous screen capture, either.
Finally, even if all the technical hurdles could be overcome and a bulletproof system complete with auto-destruct email was released, there would undoubtedly be legal challenges. Deleting emails during the course of an investigation tends to be frowned upon, and some regulatory bodies require documentation (including email) to preserved for a set period of time.
If AT&T ever reaches the point of commercializing its secure email system, there will undoubtedly be takers, despite its inherent limitations. After all, pretty much anything will be an improvement over the current situation.
But the prospect of a bulletproof email system — one where content can be tracked, controlled, deleted or recalled at will no matter where it is — is likely to remain a pipe dream.
As of this writing, Brad Moon did not hold a position in any of the aforementioned securities.