IETF Logo Mail Archive

Re: Scope for self-destructing email?

Matthias Merkel <moritz30@moritz30.de> Wed, 16 August 2017 17:30 UTC

Return-Path: <moritz30@moritz30.de>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E46B126CB6 for <ietf@ietfa.amsl.com>; Wed, 16 Aug 2017 10:30:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.08
X-Spam-Level: *
X-Spam-Status: No, score=1.08 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723, MISSING_MIMEOLE=1.899, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1cT_6664AAkS for <ietf@ietfa.amsl.com>; Wed, 16 Aug 2017 10:30:41 -0700 (PDT)
Received: from sender-of-o52.zoho.com (sender-of-o52.zoho.com [135.84.80.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 035EC132344 for <ietf@ietf.org>; Wed, 16 Aug 2017 10:30:40 -0700 (PDT)
Received: from [192.168.179.178] (p5DC6529D.dip0.t-ipconnect.de [93.198.82.157]) by mx.zohomail.com with SMTPS id 1502904635181654.2937958497436; Wed, 16 Aug 2017 10:30:35 -0700 (PDT)
Date: Wed, 16 Aug 2017 19:30:23 +0200
Subject: Re: Scope for self-destructing email?
Message-ID: <c661043b-0870-436a-b27e-95f0b7a51923@email.android.com>
X-Android-Message-ID: <c661043b-0870-436a-b27e-95f0b7a51923@email.android.com>
In-Reply-To: <CACZ1GiooBdEZ_YcBZPQNFkbT0DsGf-Cu25fPYzWcLamLUAH+TA@mail.gmail.com>
From: Matthias Merkel <moritz30@moritz30.de>
To: vaibhav singh <vaibhavsinghacads@gmail.com>
Cc: "ietf@ietf.org Discussion" <ietf@ietf.org>, joel jaeggli <joelja@bogus.com>
Importance: Normal
X-Priority: 3
X-MSMail-Priority: Normal
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
X-ZohoMailClient: External
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/1Hj9rK1b9WgFSEJ3szheQN414k4>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 17:30:43 -0000

Well. The problem with a central authority is that it has to be trusted.

In case my company will serve as central authority we would provide public audits which everyone could use to verify we followed the rules.

In case some other organisation would serve as central authority I'd suggest to require it to provide these audits as well.

On Aug 16, 2017 6:50 AM, vaibhav singh <vaibhavsinghacads@gmail.com> wrote:


On Tue, Aug 15, 2017 at 8:42 AM, joel jaeggli <joelja@bogus.com> wrote:
On 8/14/17 12:01, vaibhav singh wrote:
> Hi,
>
> As some of you may already know, General Data Protection Regulation
> (GDPR), about to be enforced in the EU within months, and calls for
> strict regulations for Right to rectify communications, Right to be
> forgotten , Pseudonymisation and Data portability.
>
> With regards to this, me and my friends were thinking about the idea of
> a self-destructing email, wherein the sender will mark the mail to be
> destroyed (expunged from the server) once the receiver(s) have finished
> reading it/after a time period chosen by the sender.
>
> Another enhancement to this idea was a notification which will be sent
> from some (Exploding email RFC) compliant MUA, in case the receiver
> refuses to delete the email from the client. (I know Snapchat is a poor
> example here, but they apparently send notifications to the originator
> of the snap in case any receiver tries to capture the screenshot of the
> snap. This is, in theory, what we are trying to do here).
>
> I would also like to know about things (working groups, internet drafts
> etc) which are being done to enforce GDPR to
> email and Instant Messaging especially.

In order that you have some assurance that the demands provided at the
input side are honored on the receipt side you need effectively
end-to-end control over the system, that is the sender, receiver, and
any intermediate hops are part of the same administrative domain such
that any control imposed is actually implemented. That might be
practical for an email system but not generally for the email system.




We found an archived thread of a similar proposal for XMPP being made in XMPP Standards list as well. There were a couple of neat outcomes from that discussion, which I would like to present here as well.

There were a couple of improvements/compromises we were thinking:

1.) The popular opinion is that this will be unenforceable on the client; we can actually drop the idea of clients being forced to clean up those messages altogether. Our initial plan to propose this was to let the sender of the email decide whether he wants to store his emails on the server or not; that would be what we will be focusing on then.

2.) Matthias suggested a way to implement feature discovery for this:

Have a central list (possibly mentioned in the documentation of this) of IPs and domains that really support this feature (a central registry that maintains the list would test if it really works; I'd offer that my company can do this but that would have to be decided by the public). If a SMTP server advertises the feature and it is on the list send the mail without any warnings, if it advertises it but is not on the list warn the user that the server might potentionally fake the ability to do this. If it does not advertise the feature but is on the list warn the user that the server may not have the ability. If it neither is on the list nor advertise the feature ask the user if they want to send the email without self-destruction enabled.

This seems to work for me. Any problems which could come up with having a central authority for this feature?

3.) We may have to assume that the sender and receiver of the mail are trusted; this would mean that the mail may have to be encrypted prior to sending:

Encryption would allow you to establish a level of trust with the recipient. I.e. you encrypt the message and mark it for ‘self destruct’. You then have to trust the recipient to destroy it (but at least you don’t have to trust every server along the way). This gives you some level of reassurance that the message will be destroyed, assuming the recipient is trustworthy (and runs trustworthy clients).

4.) A really boiled down version of ephemeral mails could just mark the mail "outdated" if the information provided in the mail is not expected to hold good after some time, instead of actually expunging the mail.

why not try to accommodate both realitys and define a feature which is called "Invalidation of Messages" or similar instead of "Destructible  Messages". The goal of this feature should be to mark messages in a way,
that the client somehow can mark the message as "not being relevant anymore" or something like that. So it could still be displayed but
grayed out for example telling the receiver that the message can be ignored. Additionally there could then be added an attribute "deletionrequest" which can be set for clients which really want to have destructible messages like Signal does.

Any thoughts?

--

Regards,
Vaibhav Singh

v2.23.0 | Report a Bug | By Email