Defeating Email-Retention Systems

Backing up digital information is, obviously, an important task which every organization and business should undertake. Thing is, deciding what to back up isn’t as difficult as deciding who gets to make that decision. This holds especially true where email is concerned: it used to be that users could control their own email, and why not? Surely the person who actually reads the mail can be trusted to decide what is important and needs to be archived, and what isn’t, and doesn’t?

Sadly, that’s fairly rare these days, because the new trend is – understandably enough – to archive everything, even if it really is spam. Disk space is cheap, and you obviously can’t trust users to voluntarily follow policy – or, in some cases, the law.

Most of the time, that’s only really a problem for systems administrators, who naturally have to store and manipulate these ever-growing archives. In some fields, though – like law enforcement, to name just one – there are times and circumstances when some emails – or at least their contents – really shouldn’t be retained where anyone with a Freedom of Information Act or local sunshine-law request can get a copy.

The problem is that… how do I put this… a lot of organizations have some interesting ideas about who gets to decide what email is released in response to such requests. All too often, the person who sent or received the messages isn’t involved in the process, and so can’t say “hey, don’t release this, because doing so would jeopardize an ongoing investigation”, for example. What’s a person to do?

Well, you could use encryption, like PGP – but often that sort of thing is explicitly prohibited by one’s organization or agency. You could also use steganography, but that’s just a pain in the ass, and no good if you’re in an environment which restricts your ability to install or run “outside” software. You could just use a third-party email service – Yahoo or Gmail, for instance – but a lot of the same arguments apply – and who wants to check a whole bunch of email accounts several times a day? A popular “solution” is to use email attachments, but this doesn’t work as well as could be wished; if the attachments are archived – which is almost always the case – you really haven’t secured or protected your communications any.

My suggestion for these circumstances: Host the content of the message elsewhere, and only email a hyperlink to it. The tech-savvy could lease their own server (or virtual server) somewhere, upload files to a hidden directory, and set up a cron job to purge week-old files from the directory every evening; the not-so-tech-savvy could host images containing their message, say, in a private PhotoBucket folder. It sounds crazy, but it works; you can get a fair degree of extra anonymity by using one of those URL-redirection services (just Google “URL redirection”). This isn’t super-secure – I wouldn’t use it to discuss, you know, national-security stuff, at least in un-obfuscated language, but it’s probably more than adequate for the majority of communications between confidential sources or informants and their “handlers”, and is probably the easiest way to preserve a partial record of the communication while hiding the actual substance from retention – and disclosure.

Is this unethical? Not necessarily, though it should be fairly obvious that such a technique could easily be abused by people engaging in nefarious shenanigans. It’s not a bad idea, merely one that could, yes, be put to bad use. Is it illegal? If used by a government employee, probably. Maybe. It’s certainly circumventing the spirit of every data-retention policy I’ve ever seen, if not – necessarily – the actual wording. Still, pragmatically, it’s something that I think has its uses, and is reasonably difficult to counter: as a practical matter, preserving a copy of every link – the contents of whatever every link points to – in every email received at an agency or organization is simply not doable. Storage space is cheap, but it’s not that cheap, and such a course of action would probably take months or even years for lawyers to vet, because it raises some very interesting questions. Besides, were such a policy implemented, it’d be trivial to circumvent:

“Hey, check out this link: www.foobar.org.tld/gallery/image1024.gif , only change the two to a six and the four to a five, kthxbai”.

For extra credit, you could ask yourself – and remember, the point is basically to circumvent email-retention policies for incoming mail only – why is email received by government employees considered, potentially, releasable under the FOIA or state-level equivalents, anyway? I’m all for openness and transparency, don’t get me wrong – but while I’m 100% behind email sent being held accountable – it’s literally the product of our tax dollars at work – I’m, pragmatically, a little more ambivalent about mail received, in part because it seems like there could be some fairly real if unexplored privacy issues there, you know? Just food for thought…

Published in: Geekiness, General, Security | February 18th, 2009 | 1 Comment


One Comment

  1. On 2/22/2009 at 2:56 pm Tim Said:

    BTW, Ironport already does this with their PXE stuff:

    http://www.ironport.com/technology/ironport_pxe_encryption.html

    The system basically is a key escrow service, and you, as the person who sent the message, can revoke the message, which basically disallows the key server from dishing up the keys to the people who want to decrypt the message. I’m not sure, but it may even delete them, making the messages truly unrecoverable without some significant brute-forcing.

    I’m not sure, but I believe you can buy a subscription to their service too rather than having to buy one of their boxes. This looks like it’s it: https://res.cisco.com/websafe/about