"Self-Deleting" E-Mail: A Self Delusion?

by Kenneth J. Withers

Kenneth J. Withers is a Research Associate at the Federal Judicial Center in Washington DC, and a Ph.D. Candidate in Law and Information Studies at the University of Wales Aberystwyth (UK), where he concentrates on "electronic discovery" issues. The opinions expressed herein are his own, and are not necessarily those of the Federal Judicial Center or any other agency of the United States Courts.

By now, experienced trial lawyers on both sides of the "v" know that e-mail is often the richest source of discovery. E-mail has replaced memos, reports, and business meetings. It has also replaced telephone calls and water-cooler conversations. Thoughtlessly worded e-mail messages often come back to bite the hand that typed them. These creatures cannot be destroyed, no matter how hard the author or recipient hits the "delete" key. E-mail is often backed up on intermediary computers or network servers as a routine matter, and the back-up media may be kept indefinitely. The process of "deleting" seldom erases a computer file; it merely marks the file for overwriting if space is needed on the disk (which, in these days of multi-gigabyte storage capacity, is almost never). Perhaps most importantly, once e-mail is sent, the author has no control over how it is copied and distributed.

But despite a decade of high-profile e-mail gaffes, up to and including the Monica Lewinsky scandal, people churned out embarrassing and self-incriminating electronic messages at a dizzying rate, and computer systems meticulously preserved them for future discovery. The Microsoft antitrust trial changed all that. As a front-page New York Times story reported, "Never mind monopoly power in the marketplace; the real lesson corporate America is taking away from the Microsoft antitrust trial is that old e-mail can be a mine field of legal liability, not to mention a source of public embarrassment." (Amy Harmon, "Corporate Delete Keys Busy as E-mail Turns Up in Court," 11 November 1998).

This lesson has not been lost on high-tech entrepreneurs, who are busy marketing software and services to reduce electronic discovery exposure. Some of these products have a legitimate place in a well-designed electronic records management system. Others may simply be attempts to invent a smokeless gun. Soon the data shredders, disk sanitizers, self-deleting e-mail, and similar products or services will themselves be involved in litigation, and a new chapter in discovery will be born. This article will review some of these products and explain, in non-technical terms, what they attempt to do, and where they fall short.

E-mail With Suicidal Tendencies

"Self-deleting" e-mail programs are designed to automatically rid the user of specific unwanted e-mail messages. One of the best known of these, no doubt due to its clever name, is Disappearing Inc. Its product allows the writer of an email message to encrypt it and set "policies," making the encryption key available only to certain persons for a certain period of time. The encryption key is held by Disappearing Inc, and is automatically deleted according to the expiration policy set by the writer. After that point, no one can read the message, no matter where it is stored or to whom it has been transmitted. This San Francisco-based startup made a splash in the technical and business press in October of 1999 when it announced its new product. The marketing angle was clear. As reported in PC Week on 4 October 1999, the purpose of Disappearing Inc is to "reduce the costs or liability of litigation by eliminating potentially damaging messages before they can be used against a company in court."

On the same day, Colorado-based QVtech entered the market with its product, Interosa. Like Disappearing Inc, Interosa relies on encryption. But Interosa appears to have more features. Writers can create policies to prevent messages from being forwarded, printed, or cut-and-pasted into other documents. The company has indicated that it is working on policies that will mesh with corporate records retention programs. But like Disappearing Inc., QVtech's 4 October 1999 press release posted on PR Newswire made clear its marketing priority: the product was developed to combat "the increasingly common practice of email confiscation in legal battles."

ZipLip.com of Mountain View, California, has a different approach. It also encrypts messages, but unlike Disappearing Inc and Interosa, the message is not actually stored and sent from the writer's computer or network. Instead, the writer visits ZipLip's web site and composes the message online. ZipLip then sends the recipient a short e-mail message stating that a message is waiting for them at ZipLip's web site. Using a previously agreed-upon password, the recipient goes to ZipLip to unscramble and view the message. After the message has been read, ZipLip claims it destroys it. The headline of the 26 May 1999 CMP Techwire story announcing the service was, "Service Keeps E-Mail Out of Lawyer's Hands."

The most recent entry in this market is SafeMessage from AbsoluteFuture. SafeMessage's solution is to eliminate e-mail servers entirely, both local servers and Internet servers, on the theory that the servers, with their built-in redundancy and unlimited storage capacity, are the main danger. SafeMessage uses encryption and temporary keys, similar to Disappearing Inc., but the messages are not sent through the users' e-mail systems at all. Instead they are sent via a temporary "peer-to-peer" connection set up by the software for the sole purpose of sending the message. The message is never handled by any intermediate computers, and therefore does not have a chance to be left for later discovery. While this form of messaging may be cumbersome, and demands that all parties have the software and agree to use it, it appeals to the particularly paranoid. To quote SafeMessage's web site:

[B]ypassing email servers completely and sending the encrypted data-packets point-to-point reduces trails and persistence. This not only prevents the Echelon-style attacks on email servers and identities, but also prevents the subpoena-attack by courts; if the message simply doesn't exist on tape or back up, it can't be exposed. (This additional security was actually just a side effect of our primary goal of auto-expiring messages. It was not the primary goal of SafeMessage.)

As the inimitable Monty Python troupe might say, "Nudge, nudge; wink, wink."

The Fatal Flaws

All of these "self-deleting" e-mail programs share a fatal technical flaw: they don't actually delete the messages at all. They encrypt the message, and perhaps avoid the network server in sending the message, but the messages still exist on the senders', recipients', and perhaps other people's computers. The only things that are deleted are the encryption keys. A skilled computer forensics technician will be able to recover such messages using no more sophisticated methods than are used to recover other "deleted" files. The difference will be that the messages will be irretrievably encrypted, and will appear on the computer hard drives like cow pies in a field. A forensic record can be established that there was a message. Details such as the sender, recipient, date, and time of transmission may also be established. In the hands of opposing counsel, this information may be more valuable and damaging than the content of the messages, as the sender and recipient will have to explain, in a deposition or under a court order, what the message was and why it needed to be handled in this fashion.
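The key-expiry scheme described for Disappearing Inc and the flaw described above can be seen in a small model, added here as an illustration and not taken from any of the products discussed. The KeyServer class, the envelope layout with clear-text routing headers, the X-Msg-Id field and the stand-in cipher are all assumptions made for the example.

```python
import hashlib, os, re

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher for this example only (SHA-256 counter keystream), not a vetted scheme.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class KeyServer:
    """Hypothetical escrow service: one key per message, destroyed at expiry."""
    def __init__(self):
        self._keys = {}

    def issue(self, msg_id: str, ttl: int, now: int) -> bytes:
        self._keys[msg_id] = (os.urandom(32), now + ttl)
        return self._keys[msg_id][0]

    def fetch(self, msg_id: str, now: int):
        key, expires = self._keys.get(msg_id, (None, 0))
        if key is None or now >= expires:
            self._keys.pop(msg_id, None)  # expiry removes the key and nothing else
            return None
        return key

def seal(server, msg_id, sender, rcpt, date, body, ttl, now) -> bytes:
    # Assumed envelope: routing headers in the clear, body encrypted and hex-encoded.
    head = f"X-Msg-Id: {msg_id}\r\nFrom: {sender}\r\nTo: {rcpt}\r\nDate: {date}\r\n\r\n"
    return head.encode() + xor_stream(server.issue(msg_id, ttl, now), body.encode()).hex().encode()

def read(server, envelope: bytes, now: int):
    head, _, blob = envelope.partition(b"\r\n\r\n")
    msg_id = re.search(rb"X-Msg-Id: (\S+)", head).group(1).decode()
    key = server.fetch(msg_id, now)
    return None if key is None else xor_stream(key, bytes.fromhex(blob.decode())).decode()

def carve_metadata(disk: bytes):
    # What an examiner can still pull from residual storage once the key is gone.
    pat = re.compile(rb"X-Msg-Id: (\S+)\r\nFrom: (\S+)\r\nTo: (\S+)\r\nDate: ([^\r]+)\r\n")
    return [tuple(f.decode() for f in m.groups()) for m in pat.finditer(disk)]

# Constructed sample: one message with a one-hour key, sitting in a padded "disk" buffer.
server = KeyServer()
ENVELOPE = seal(server, "m-001", "alice@example.com", "bob@example.com",
                "Mon, 04 Oct 1999 09:00:00 -0700", "constructed sample body", ttl=3600, now=0)
DISK = b"\x00" * 64 + ENVELOPE + b"\x00" * 64
```

Before the hour is up, read() returns the body; afterwards it returns None, yet carve_metadata(DISK) still yields the sender, recipient and date, and the ciphertext itself is still present in the buffer.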

Aside from being unable to deliver on specific promises of "self-deletion," the use of these programs may also be tactically self-destructive. It raises the question of whether secrecy or wrongdoing is a regular business practice of the user. As one trial lawyer commented at a conference where these programs were discussed at length, "I can't wait to get in front of a jury and say, 'my opponent has a records management program, and it's called Disappearing Inc.'"

This threat is not speculative or idle. Most corporations and government agencies operate in an environment where record retention is mandated by statute or regulation. These requirements are generally media-neutral. As e-mail replaces paper communication, the retention requirements follow. Routine destruction of all e-mail, or selective destruction of e-mail that may contain information required to be retained, is a violation of these regulations and may lead to fines, loss of business licenses, or even indictments. The securities industry is an area where individuals might be tempted to use "self-deleting" e-mail communications, and where the repercussions would be particularly severe.

Finally, corporate control is impossible where individual employees use encryption and destroy documents. Executives and in-house counsel cannot effectively police their own organization, or defend it from challenge, if they are denied access to their own employees' business communications and records. None of the "self-deleting" e-mail programs has the equivalent of a skeleton key or back door for management.

Conclusion

"Self-deleting" e-mail will backfire on its users. Litigation opponents who find it in discovery will have a field day with it. There is a legitimate place for electronic records management programs that organize corporate e-mail, reduce duplication and overall volume, and permit management to utilize valuable electronic information as a corporate asset instead of a liability. If you are a records manager or in-house counsel, there are many good programs that can be included in your electronic records management arsenal. But self-deleting e-mail is a Saturday-night special pointed at your foot.