By Cecily Barnes
Staff Writer, CNET News.com
September 22, 2000, 12:20 p.m. PT
URL: http://news.cnet.com/news/0-1005-200-2841067.html
A start-up is set to release a novel messaging service that lets people send heavily
encrypted email directly to each other, a development that could be a boon for privacy
advocates but a headache for law enforcement authorities.
AbsoluteFuture.com of Bellvue, Wash., has dubbed its service "SafeMessage," describing
it as a "direct messaging" service that transmits messages from party to party without
the use of a central server.
This distinction is significant because email, which always passes through mail
servers, leaves a trace copy of itself that can be subpoenaed, read or otherwise
accessed by unauthorized readers.
Besides bypassing a central server, the messages are heavily encrypted and are
programmed to be automatically erased after a period of time designated by the sender.
The encryption not only prevents outsiders from reading the message, but also limits
the message recipient's ability to forward, cut and paste, or print the message.
"(Email) leaves a permanent trail," said CEO Graham Andrews. "Not only on your
computer and the receiver's computer, but also three or four servers in the middle."
Whether or not direct messaging can strip away all traces of a document sent over the
Internet is unclear, as the system does not do away with the need for an Internet
service provider to allow parties to share files.
"It's certainly going to pass through the server that connects you to the Internet and
the server that connects the recipient to the Internet, but it will not pass through
the typical mail servers," said Tony McNamara, AbsoluteFuture's chief technology
officer.
Amid growing concerns about privacy on the Internet, more people are inquiring about
the secure transfer of data online, especially in instances of financial and banking
data. AbsoluteFuture joins a growing list of companies that are responding to this
market need with encrypted email services.
Rival products include HushMail, ZixMail, Disappearing Inc. and Authentica.
Unlike AbsoluteFuture, however, these services use ordinary email delivery systems
that are prone to online eavesdropping and may leave trace copies behind in the
computers used to carry them. AbsoluteFuture believes it has found a solution to this
problem by harnessing technology known as peer-to-peer networking, which connects
personal computers directly, without the need for a central server to route file
transfers.
Meta Group analyst David Thompson calls the market for peer-to-peer or encrypted
messaging nascent. "People are just starting to realize that this kind of thing is
even possible," he said.
Peer-to-peer technology gained widespread notice after file-swapping company Napster
was sued by the Recording Industry Association of America for allegedly facilitating
the transfer of copyrighted material.
While SafeMessage does not present any copyright violation, it could undermine the
efforts of law enforcement agencies that sift and subpoena email messages to catch
criminals. Most notably, privacy advocates have called attention to the FBI's
Carnivore program, which is installed at ISPs and scans massive amounts of email to
track messages sent by people under investigation.
AbsoluteFuture's SafeMessage system would potentially allow people to operate below
this radar screen.
AbsoluteFuture said it is marketing its product primarily to corporate clients. "We
believe this should be available to individual consumers, too, but we're not really in
a position to handle that, so we are going to go the route of licensing to ISPs,"
Graham said. "We are very close to signing up several resellers."
The company said SafeMessage is already being tested by a number of large corporate
clients including a major oil trading company in Moscow, a large accounting firm, and
a couple of stockbrokers.
To use SafeMessage, a person signs on to the program with an ID and password,
similarly to an email client. When typing the recipient, the person sends the contact
to AbsoluteFuture's server, which locates the recipient online and allows the sender
to send the message directly to the recipient.
The message is encrypted before it leaves the sender's computer, and the decoder key
is destroyed. If the recipient is not online, the sender must send the message to
AbsoluteFuture's server, which will hold the message until the recipient logs on or
the message times out.
"In one sense this is slightly less secure because we're looking after it," Graham
said. "But we don't have the key to get at it. Even if there was a court order for the
message, it is highly encrypted. We'd say, 'OK, go ahead try to open it.'"
Meta Group's Thompson said that while the system sounds secure, he is not convinced
that it is foolproof. He said that during the period of time before the message is
destroyed, keys exist that could unscramble the encryption.
"At some point everything is gone," he said. "But there is some window in there in
which there is still exposure"
