Can secure e-mail help sidestep suits?
The problem comes when lawyers issue subpoenas for company e-mail. Just ask American Home Products Corp., the maker of once-popular diet pills Redux and Pondimin. The company agreed to pay $3.75 billion on Thursday in damages after a team of cyber-savvy lawyers dredged up more than 33 million e-mails and documents from the company's servers.
"It has become the most requested form of evidence during discovery," said Kerry Stackpole, president and CEO of the 16-year-old Electronic Messaging Association. "Rarely does (e-mail) really go away, and it's almost always captured somewhere else, even if you think it is off your desktop."
Flip side
One company's fear is another's opportunity, however. Corporate concerns have spawned a nascent industry of start-up companies hawking secure e-mail products as a cure for the common lawsuit.
This week, San Francisco-based Disappearing Inc. got a lot of ink for its new technology, which promises to "encrypt, authenticate, track and delete messages, including those stored on back-up tapes or forwarded to third parties." The 11-month-old company also firmly aimed the product at large corporations looking to reduce possible legal dangers by deleting e-mail.
"We are all about giving companies the ability to set policies about what happens to e-mail over time," said Rod Lehman, vice president of marketing for Disappearing. "We are essentially letting people shred e-mail in the same way that they have been able to shred real-world documents."
In reality, Disappearing's software, which can be managed by company or by its customer, encrypts messages and then manages the keys -- throwing them away after a certain amount of time. Without the keys, investigators would have to decrypt each message singly at a cost of "about half a billion dollars," said Lehman.
Plenty of rivals
But it isn't the only player in the market, or even the first. A number of companies are rushing to market with secure e-mail products. Last month, as first reported on ZDNN, start-up QVTech Inc. aimed at a similar market with its own InteRosa product. Encrypted e-mail targeting the privacy-conscious consumer has also proliferated on the Web with such services as Hushmail.com, 1on1mail.com, and ZipLip.com, to name a few.
It's not surprising that smoking e-mail has corporate execs shuddering. In the American Home Products case, one e-mail included an administrator's complaints about spending the rest of her career paying off "fat people who are a little afraid of some silly lung problem," according to a report in the Wall Street Journal.
In the investigation of the Iran-Contra scandal, e-mail accounted for almost 85 percent of the legal evidence, said the EMA's Stackpole. And Microsoft defense against the Department of Justice has been repeated blunted by e-mail tracked down from Microsoft's servers. Microsoft declined to comment on the use of e-mail in the case.
Security a tough task
Yet, cryptographer and security specialist Bruce Schneier warns that some companies are overselling the abilities of their products.
"The (secure e-mail) system works as long the employee cooperates," he said, adding that today's "secure" e-mail systems are not really secure. "It's not a security thing; it's about policy compliance. Employees who want to can certainly bypass the policy."
Hush Communications Inc. -- a well-known provider of such encrypted e-mail services -- can certainly attest to difficulty of securing the service. The Anguilla, West Indies-based company published the complete source code of its service to let specialists try and poke holes in the security. At least one cryptographer did, admitted vice president and co-founder Jon Gilliam.
"He pointed out a few problems with our system," said Gilliam. "We have since fixed them." Other secure e-mail companies have not taken the open-source approach, however, leaving their actual implementation a big question mark.
Gilliam hopes its approach to security will help the company sign up corporations when it releases its own enhanced service in the near future.
Start-ups like Hush Communications need to answer such questions, and others, in a hurry -- with almost ten players in the market today, and more certainly on the way, quelling e-mail security nightmares is not a market for the faint of heart.