SafeMessage Gets Export Approval
Self-destructing message-maker pitches private e-mail processing to ISPs. But is all as it apeers-to-peers?
AbsoluteFuture
The company received the blessings of the US
Bureau of Export Administration Oct. 28 and anticipates gaining federal
approval to sell its SafeMessage
software solution to foreign government agencies within 60 days.

Good morning Mr. Phelps
SafeMessage provides end users "peer-to-peer" encrypted file sharing,
similar to the technology used by music-swapping maverick Napster.
Straight out of Mission: Impossible, the e-mail sender can also
set a timer on the message, giving it a self-destruct cue when time expires.
Scott Whitmore, AbsoluteFuture vice president of sales and marketing,
said the software goes far beyond the 128-bit encryption maximum found
in Internet-standard Secure Sockets Layer. The layered encryption found
in SafeMessage starts with 1,024-bit encryption and then layers it, making
it next to impossible to crack the code before the message is erased.

The price of privacy
"As paranoid as we are here in the US, it's worse overseas, which will
make them very receptive to our product," Whitmore said. "Overseas, there
aren't the laws Americans enjoy to protect a person's privacy."
The software is available now and used by corporate clients, and the company
plans to incorporate ISPs into the mix soon. SafeMessage currently has a global server set
up to meet the needs of ISPs that want to resell the service to subscribers.
Cost for the service is based on a monthly subscription fee dependent
on the number of users.
Whitmore explained the fees, saying that the company is providing a
valuable service on a higher level than those offered by advertising-sponsored
anonymous e-mailers like Anonymizer.com.
Of course, security is only as effective as the weakest link in the
chain, namely the server, the sender, and the receiver.
For example, anyone who obtains the user name and password is able to
peruse the contents of messages that haven't been wiped from the SafeMessage
server.

Cracks in the code?
"They can always be viewed from the client machine so what use
is it?" said David Howe. "All I can imagine is that when the data has
been deleted from the SafeMessage server, the authorities won't be able
to resurrect it without cracking the original SSH negotiated key or having
mounted a successful man-in-the-middle attack on the original session
... but I could knock together such a system in under 20 minutes which
requires nothing but a server-gated SSL key, a suitable Web server/database
combo and a Web browser."
The only thing separating it from a secure server made by someone on
the IT staff, he said, was "a pretty label that says 'SafeMessage' on
it."

You can't hide your prying eyes
Earlier this year, the US Federal Bureau of Investigation tried to shove Carnivore
down the throats of American Internet service providers, sending privacy
advocates into an apoplexy of outrage over what they saw as a breach of
the Fourth Amendment.
Even the government itself couldn't properly assure the public it could
guarantee the rights of innocent citizens.
Representative John Conyers (D-MI), in a special meeting of the Judiciary
Committee July 24, expressed little trust in the FBI's new snooping tool.
"Should we now be comfortable with a 'trust us, we're the government'
approach?" he said. "I don't think anybody on this committee shares that
view."
Across the ocean in England, ISPs and e-commerce companies are dealing
with a political landscape that saw the passage of the Regulation of Investigatory
Powers Bill, which gives English authorities, notably MI5, the right to
place "black boxes" at PoPs around the country. Many businesses in England,
including powerhouse investment company Goldman Sachs, are looking at
options to move operations out of the country to avoid the government's
prying.

No criminal intent
Whitmore said his encrypted e-mail program wasn't designed to let criminals
avoid the law, but for legitimate security needs.
"There's the capability of any technology to be misused, but our software
was designed for the legitimate privacy needs of professionals," Whitmore
said. "We're geared towards lawyers who want to protect their clients'
privacy, or the doctor and his patient. As a matter of fact, we're in
talks with several US federal agencies to provide our e-mail solution
to high-level employees.
"Look at the corporations out there," Whitmore continued. "Forget the
FBI, it's all the other people out there that you have to watch out for.
Packet sniffing tools are available for download anywhere. Companies that
need to keep their financials private are especially vulnerable to corporate
espionage."
Or, in the case of Microsoft Corp.,
keeping inappropriate e-mail messages private. The software giant landed
itself in hot water, and sabotaged its own antitrust defense, when federal
officials found damaging e-mail messages still residing in the hard drives
of top executives.