Self-Shredding E-Mail

February 18, 2002

In the offline world, it can be quite a challenge to retrieve and destroy confidential documents from a business deal gone sour or a top-secret project that involved outside help.

The options boil down to either trusting your former business partner - or resorting to illegal breaking and entering.

But e-mail is changing those rules, thanks to virtual shredding. Senders can destroy messages either remotely or automatically, without a recipient's consent or cooperation.

And that gives senders unprecedented control over what they distribute.

Though usage of the technology is still relatively low, interest is growing, thanks in part to new federal laws governing privacy of health care and financial data.

Interest has also been spurred by the antitrust case against Microsoft Corp., in which damaging e-mail memos from Bill Gates and other senior executives became the government's key evidence.

The recent shredding of electronic documents by Enron Corp.'s outside accountants, along with the growing use of e-mail in business, may prompt even more thinking about how to preserve and destroy records without running afoul of the law.

Authentica Inc. and other companies make online shredding systems that scramble e-mail messages and limit access to the software key needed to decrypt them. To make messages "disappear," access to the key is withdrawn after a given time.

Software company Peregrine Systems Inc. bought Authentica's system about nine months ago. Senior executives use it to send e-mail to one another and to the company's board of directors.

"Today's business market is so competitive, we want to make sure that communications that were meant to stay confidential and secure remain that way," said Doug Hampshire, Peregrine's systems administrator.

The trouble with e-mail is its persistence.

Hitting the delete key only removes a message from the computer's digital index, and forensics experts can often retrieve it later. Even if it's gone from a recipient's hard disk, plenty of copies exist elsewhere - on e-mail servers used in transit, on backup tapes kept for years.

Or perhaps an employee checked e-mail from home or forwarded it to a personal Hotmail account. Copies would then reside on the home computer or at Microsoft, which runs Hotmail.

Without systematic procedures for purging old messages, e-mail may linger for years.

Computer backup systems were generally developed for disaster recovery - not with lawsuits and investigations in mind, said Kristin Nimsger, legal consultant for Ontrack Data International Inc., a data-recovery company.

In addition to Authentica, Atabok Inc., SafeMessage Americans Inc. and Omniva Policy Systems have systems designed to keep embarrassing or incriminating messages from surfacing years later. In essence, they allow e-mail to self-destruct.

Many of these services can also restrict what recipients do with messages - such as bar them from forwarding, copying or printing e-mail. These digital-rights management tools work much like copy-protection systems being developed for music, movies and e-books.

For the most part, the law allows businesses to destroy documents as long as they do so uniformly and regularly, not in response to a specific threat of lawsuit or criminal investigation.

There are exceptions. The IRS, for instance, recommends keeping tax records at least seven years in case of audit. Brokerages and other financial institutions also have strict record-keeping requirements.

So what happens when a sender sets a 30-day limit but the recipient has a seven-year legal obligation? What if a recipient gets a subpoena but the message disappears in the meantime?

The more sophisticated digital technology becomes, the more gray areas emerge in Internet law.

Though a 2000 federal law gives electronically signed documents the same legal standing as paper documents, electronic documents can't be considered equal to paper if senders can shred them by remote control.

Senders get unprecedented powers over decisions normally left to the recipients. So it becomes up to the recipient to go back to the sender to request a paper or permanent electronic copy - and count on the sender's cooperation.

"It's inconvenient, but I don't see any other way," said Kumar Sreekanti, chief executive of Omniva.

Critics warn that the technology is not foolproof.

"The operating system creates so many temporary backups that the user normally does not see," said John Patzakis, president and general counsel for Guidance Software Inc., which makes computer forensics software.

For example, he said, text that is printed often goes to a temporary "print" file that is not encrypted.

Even if the self-shredding software disables printing, copying and screen-capture functions, nothing will stop a determined person from photographing the screen or jotting down the information by hand.

And the technology can't help companies automatically destroy e-mail they receive. By the time e-mail reaches a recipient, several unencrypted copies already exist.

Christopher Wolf, co-chair of technology litigation and policy at the Proskauer Rose law firm, says e-mail users are better off watching what they say "rather than coming up with gimmicks to avoid having records."

Steve Jones, a professor of communications at University of Illinois-Chicago, also warns that sender controls could reveal too much about how little you trust the recipient.

"How much of that you want to have communicated to people I'm not very sure," he said.