NEWS One of the more high-profile additions to Microsoft's Office software – Outlook with emails that 'self-delete' after a set time to keep senders from electronic slip-ups – may not be quite the security revolution it's been talked up to be.
A Microsoft spokeswoman told silicon.com that, rather than removing itself from the recipient's inbox entirely or self-destructing, an email that has been "timestamped" using the new function will remain, clearly visible, in the recipient's inbox. However, without being granted new rights from the sender, the recipient still won't be able to open it.
silicon.com readers were unimpressed with the unique and novel tool, not fancying it to be hugely novel or that unique. Reader Graham Silversides highlighted that a similar tool was already at work in other Windows software: "This feature is already available in Outlook XP. From within a new email message in the Options box there is a tick box called 'Expires after:', where you can set the date and time for the message to 'expire' or disappear. I have tried this and it works."
Another reader, Paul Wilson, raised the point that Lotus Notes had included a similar feature for years. He went on to raise the issue of corporate responsibility. "If companies are forced down the route of saving everything that is sent by email, the user side will not be an issue," he said.
It's a sentiment that Alyn Hockey, director of research at mail-filtering firm Clearswift, agrees with.
"Email and web security is as much about preventing data leaving the organisation as it is protecting the organisation from threats, such as viruses and spam, coming into the organisation," he said. Email is now a corporate issue, warranting company-wide policies covering use and retention. By establishing best practice policies to meet internal, regulatory and legal requirements, mistakes can be prevented."
The issue of compliance regulations and 'best before' emails is still a tricky one, with Hockney highlighting that the technology could prevent business complying with regulations that demand an email be archived and available for scrutiny for years after it has been sent.
While the new technology may leave some users lukewarm, it seems that there's one group of users that may be very happy to get their hands on it.
David Naylor, partner at law firm Morrison and Foerster, said the new software may actually help criminals, allowing people to threaten companies or individuals via email and then theoretically hide the evidence.
He told silicon.com: "While you can see its uses, there is plenty of scope for abuse of this technology. You could say that people talk to each other - and that's equally hard to evidence. The difference here though is that email provides a medium for mass, remote communication, often across borders and legal boundaries."
Comments
There are 13 comments. Join the discussion
1. anonymous
Yet more 'functionality' we don't need from Micro$oft. What a joke. Why don't they spend more time addressing all the security holes in their software.
2. anonymous
This is just silly; people making comments (even the author) on technology they neither undertsand nor get right when complaining about it. The email is always available using existing archiving systems and the administrator of the system can always override the expiration.
There is no "self-destruct" or disapearance of the email. It simply cannot be opened by the receiver after a certain date.
Also, a criminal would have to allow access to the mail in the first place using his/her own email address as the basis for allowing that. Yea, some idiot is going to send you a threatening email where his address is contained (encrypted) in the private key.
Basic freakin research...
3. anonymous
Well written article, many good points raised.
This Microsoft idea is idiotic! Absolutely idiotic! Not to mention highly illegal!
The addressee of ANY mail is the legal owner of the mail - whether it be email or snail mail - NOT the SENDER!!!
Therefore, if the sender chooses to destruct a recipient's e/mail, they are then committing corporate sabotage.
Not to mention what people will have to go through to check the disappearance of the email, or possible corruption of their CRM program.
Oh yeah, lots of legal cases coming up here - was this 'improvement' designed by MS or the lawyers?
Another good reason why NOT to use Outlook.
4. Richard Haselgrove
How much co-operation does it require from the receiver's e-mail client for this to work?
If I send an e-mail in the belief that it will become protected after a certain time, but the receiver is using a legacy or non-MS client, my guess is that either:
The e-mail will not be readable at all, thus wrecking any concept of open standards and customer choice, or:
The legacy client won't know about the 'read by' date, and will go on displaying the message on request ad infinitum - and I'll have been sold a dud.
5. anonymous
Err - this feature is even in older versions of Outlook (as in Outlook 2000). What is the article going on about?
6. A Campbell
Time bombing, no printing no see eMails - surely Microsoft know about Screen scraping Dohhh :-)
7. anonymous
Come on, basic research answers this. In order for you to send protected email to someone you have to have a trust relationship with them. There is a process for setting this up either internally or externally. You can't just send it willy-nilly.
Screen-scraping doesn't work as it has to go through the same mechanisms as copy/paste functionality.
There is a free download for IE for those users who don't have/aren't using Office including Outlook.
Basic freaking research...
8. Harold Fuchs
What is the position if I sign a pornographic/libellous/... letter on my employer's letterhead (physical paper) and snail-mail and/or fax it to one or more recipients?
Is the position *different* from the position if the letter had been an e-mail instead?
If so, why?
If not, why all the current debate/panic re e-mails and no equivalent re letterhead?
9. anonymous
If I don't use microsoft's email systems, and someone sends me an encrypted mail, how do I deal with it? either the encryption is public domain (e.g PGP, currntly unreliable in some MS products) which currently means that providing I can access the data I can decode it, or it is proprietry and I probably can't see it at all. Yet another way for users to waste IT suport time sending emails the recipients cannot view.
As if a proprietary binary file format (.pst) for emails that is impossible to archive and view unless the full program is installed isn't bad enough.
10. Mark O'Connell
Been using Outlook for ages and recently moved to Lotus Notes 6.5. Best thing we ever did. Notes 6.5 rocks!
11. Mike Pendray
In order to completely ensure that no record of an email exists after a certain date, you would need to disable forwarding, copy and paste, and printing, and render the email unreadable by any mail client that does not respect the "delete by" feature.
Furthermore you would need to disable the "Print Screen" option, whilst that may be possible, you cannot prevent any one from using a camera to take a screenshot.
If encryption is not used, then there is also the matter of all the mailboxes that handled and forwarded the email on its route to be delivered, and any backup copies that might be kept.
12. David J Walker
<yawn> Yet another potentially dodgy "enhancement" that nobody is going to have any use for, and that will probably compromise some other more useful facility if I know M$.
It would be really nice if, just for once, they released something that actually worked like it says on the tin and stuck with it for a few months, instead of coming out with a practically endless stream of products of ever-increasing complexity and intractability, so that just when you have managed to get a stable system, you have to change it at considerable expense because of the appearance of new hardware which won't run anything other than the "latest and greatest" OS from the House of Bill, and that won't quite integrate with the rest of the system, doesn't understand the scanner and insists on chopping the bottom inch off all documents printed on the existing printers.
I bet the spyware bit works great though.
13. Derek Pearce
And if I set my system clock to a date before the "expiry date"?
or
take a hex version of it
or
print it
come on, unless the mail message itself is a self contained program then this can so easily be circumvented that it's laughable.