Re: Scope for self-destructing email?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 14 August 2017 at 20:01, vaibhav singh <vaibhavsinghacads@xxxxxxxxx> wrote:
> With regards to this, me and my friends were thinking about the idea of a
> self-destructing email, wherein the sender will mark the mail to be
> destroyed (expunged from the server) once the receiver(s) have finished
> reading it/after a time period chosen by the sender.
>
> Another enhancement to this idea was a notification which will be sent from
> some (Exploding email RFC) compliant MUA, in case the receiver refuses to
> delete the email from the client. (I know Snapchat is a poor example here,
> but they apparently send notifications to the originator of the snap in case
> any receiver tries to capture the screenshot of the snap. This is, in
> theory, what we are trying to do here).
>

It's pretty much unenforceable. It is, however, theoretically possible
to build a mechanism to request the later deletion of a message using
MSGTRACK (RFC 3885) as a basis - but that's likely to be merely a
means to let others know you made an error rather than a real way to
delete a message.

> I would also like to know about things (working groups, internet drafts etc)
> which are being done to enforce GDPR to
> email and Instant Messaging especially.

In Instant Messaging, things are slightly different.

Because there's an online, synchronous communications path, then
protocols like XMPP can use "Perfect Forward Secrecy" techniques to
limit access to the original message, and protocols such as OTR, "The
Signal Protocol", and OMEMO all deliberately prevent non-repudiation
post-facto.

Therefore after a conversation, it is difficult to decrypt the
messages (you'd need to persistently store ephemeral keys) and
impossible to strictly prove that the message as captured was not
simply a forged log (although since computer logs are usually
admissible evidence, this is of debatable use).

In terms of Pseudonymity, XMPP builds this into chatrooms (XEP-0045)
and is making this slightly better in its replacement, MIX (XEP-0369).

However, all of these still boil down to keeping honest users honest -
the GDPR applies to people and organisations, and not to computer
systems per se. It means we (system and protocol developers) are
required to consider these use-cases to remain relevant, certainly,
but the actual compliance to these laws is a matter for the end user.

Dave.




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]