
Show HN: Email that self-destructs when forwarded - fec
http://nofwd.com
======
pyalot2
Right-click -> Save Image as -> forward to anybody you want

Most email readers block images by default

Disabled persons who rely on screen readers and other assistance technologies
just got screwed, thanks.

Answering by quoting your email just got really hard.

Some email services download images for you and don't link to your server.

I've read your email at the office, now I can't read it at home, or on my
iPhone, or vice versa.

Your email picture service is down or has server trouble, no recipient can
read such mails anymore.

Cryptographic email signing becomes meaningless as the recipient can't parse
the signature and message body to verify the hash.

A lot of spam filters might screen out emails that are nothing but an image.

Searching trough email by text will never find those emails because they
contain no text.

Devices with small screen sizes (iPhone and the like) can't re-layout the text
(as in word wrap), making such image emails really painful to read.

~~~
fec
Thanks, I'll try to address as many of these as I can. I've broken a few of
these into groups below, as I think they have similar solutions.

====

I) Where's the utility of this tool?

> Right-click -> Save Image as -> forward to anybody you want

1) The purpose of this demo is just to establish if anyone finds this type of
service useful. There are many ways to expand this technology so that it
becomes far more complex to defeat.

2) Perhaps I've sent this information to many people, but I've automatically
watermarked each image. Now I can track the information leak back to you and
carry out some more traditional corrective procedures...

3) Maybe this product just isn't for you? Perhaps this product is best suited
for companies and government organizations, where clear policies and penalties
already provide effective deterrents. This service would just supplement these
policy-instruments with additional automated protection, auditing and
watermarking.

===

II) Minor technical challenges:

> Most email readers block images by default

It's easy enough to turn images on, in the most widely-used clients. Just
looking at my inbox, embedded images are far from uncommon in emails.

> Answering by quoting your email just got really hard.

Answering by quoting email works great, if you're alright with quoting
everything. The SMTP integration supports full HTML emails and shows the
quoted email very similarly to the way that Gmail does.

====

III) Accessibility vs data protection tradeoffs. These are fine:

> Disabled persons who rely on screen readers and other assistance
> technologies just got screwed, thanks.

> Your email picture service is down or has server trouble, no recipient can
> read such mails anymore.

====

IV) Solvable problems:

> I've read your email at the office, now I can't read it at home, or on my
> iPhone, or vice versa.

This is solveable. See my other comment.

> Searching trough email by text will never find those emails because they
> contain no text. Devices with small screen sizes (iPhone and the like) can't
> re-layout the text (as in word wrap), making such image emails really
> painful to read.

NOFWD keeps an archive of the messages you send through it (which you can
choose to delete or disable if you wish.) You can search this.

====

V) Are these really a problem?:

> Some email services download images for you and don't link to your server.

Really? I'd like to know which. Haven't seen this happen yet.

> Cryptographic email signing becomes meaningless as the recipient can't parse
> the signature and message body to verify the hash.

> A lot of spam filters might screen out emails that are nothing but an image.

~~~
jstabbac
I still think the right click save as is still the most troubling. Besides
that you missed a couple of points, I'll help identify them here.

-Most people prefer to have emails off to stop the kind of tracking you mentioned in your watermarking point. Advertisers do this all the time.

-Could you elaborate on the quoting? I think the original poster meant that once you SEND a mail through nofwd the receiver cannot easily quote part and reply to you as they could with a text email. I think you're confusing the person doing the quoting with the original sender.

-III) is a matter of personal preference I guess. You mentioned that you see this working in government situations, there's no way they would implement this technology if there was no fallback for their disabled workers. Lawsuits everywhere!

-The archive you keep at nofwd.com - is it viewable for the receiver? I think once again you've confused the person doing the searching.

I'm pretty undereducated on the whole subject, I just noticed a couple things
you might want to go back and address in your rebuttal. I hope you find a
userbase for your system!

 __Edit: I guess the biggest issue I see with the system is that it takes away
a HECK of a lot of great functionality from email (copy-paste, embedded
replies, privacy as you must show images, accessibility, etc.) while adding a
paper thin layer of security. Anyone can just save a copy of the image, or
even screenshot their computer. If it's really critical, they can just
manually re-enter the info (assuming its something as trivial as sales numbers
or a condensed strategy). It seems like nofwd.com is to emails what drm is to
media, something that inconveniences legit users while not stopping people
from getting around it at all.

------
fec
My weekend project: <http://nofwd.com>

I created this project because I was tired of seeing my friends violate the
confidentiality of our private conversations, by constantly forwarding our
emails to third parties. As you at HN will understand, 100% unbreakable rights
management of digital content is physically impossible. That said, I think
that this tool has great value, at least for people who face the same problem
that I had.

Currently, you can use this tool manually, via the demo page, or you can
integrate with your email client via the SMTP integration method. I'd like to
find some way to streamline the setup process for the SMTP integration. Any
ideas?

Other applications for this service:

\- Use in addition to email disclaimers and confidentiality agreement footers
at the bottom of emails.

\- Watermark emails for tracking purposes.

\- Supplement existing internal corporate policies for information disclosure.

\- Provide additional auditing support for email access-control.

\- Delete email messages after they have been sent.

Caveats:

\- Currently detects all access attempts from the same computer as one single
recipient. Likewise, accessing an email account from multiple devices will be
detected as multiple recipients. I.e. each computer == one recipient.

\- No real website design yet.

Stack:

Python / Tornado & adisp.py / Nginx / Nginx scripts / Redis / Postgresql

So HN, what do you think?

~~~
Piskvorrr
Ctrl+A, Ctrl+C. Voila plaintext (or in your case, a readable screenshot of the
plaintext - I've been experimenting with the site meanwhile), let me forward
_that_.

Moreover, I very much prefer my e-mail textual - some of my e-mail devices may
be severely constrained in bandwidth and screen size; text compresses,
transmits and scales way better (also: insert standard accessibility rant
here).

Also, what of nomadic users? "Oh, your smartphone already accessed the one
copy [for added fun, try "and didn't save it"]? No way to read the e-mail
anywhere else, tough luck."

You have addressed the above as caveats - however, there one more thing that
bothers me, immensely - the immediate, silent and complete retraction
capability: "I never said that" is bad enough, "I never sent you an e-mail
like that" would be worse. For dealing with certain people, I like to have a
local copy of what was written, just in case they change their mind later.
Even if I kept local copies of the screenshots, I like my evidence searchable,
too - eyeballing a bunch of images to find a specific e-mail is distinctly
suboptimal.

On the other hand, if you are facing the _one exact problem_ of people
mindlessly forwarding your e-mail, verbatim, this might be a useful mitigation
technique. It's a nice project, but not useful for me - it would solve
problems I don't have, while saddling me with other problems I don't want to
have.

As for "no real website design" - I actually _like_ the clean and minimal
design :)

~~~
wesley
If you read the site, they convert it to an image. Usability for this sucks,
no searching, no copying.

~~~
mansr
Nothing can stop someone simply saving the image and sending it as regular
email. If it can be read, it can be copied. No point pretending otherwise.

[Edit: fix stray question mark.]

~~~
drostie
Well, you could pursue legal action under the DMCA for those sorts of actions
in principle, but other than that, there is no need for a question mark on
your first statement.

It is, if you like, the exact problem that copyright enforcement and digital
rights management (DRM) have. No matter what you do, if you send me a threat
and I really want to forward that to the police department, I can always hit
"Print Screen." Simply showing X to me enables me to copy X. If you let me
play music out of my headphones, I can always in principle connect my
headphone jack to a computer's microphone input and get a lossy-but-acceptable
DRM-free copy, because my headphone jack does not implement DRM. (In the early
DRMed days of iTunes we used to do this with burning music to CDs, which
iTunes allowed.

Just allowing a kid to enter the movie theater allows him to smuggle in a
camera and post the video on BitTorrent. Just seeing is always sufficient for
lossy copying, if only because we keep a lossy copy in our memories. (I've
discussed this elsewhere but I'd prefer not to linkspam myself.)

------
benjoffe
Personally I would hate to receive email like this, if I viewed the email on
my phone I won't be able to view it on my work computer. If I'm working from
home the next day I won't be able to view the message (ever again!). If I want
to view the email in several months time I'm assuming it's highly unlikely
I'll be able to.

Maybe there's a market for this, and if so good for you, but my honest feeling
is that any desire for such a 'protection' is better solved by either talking
to the person on the phone or in person, or getting them to sign an NDA, or if
the recipient is so untrustworthy then don't engage with them.

~~~
fec
Temporary solution: If you have multiple devices, you can create an account on
NOFWD, and log into nofwd.com from each device. Now, NOFWD will see all of
your devices as a single entity, and not self-destruct your messages that you
view. This behavior can be ended by logging out again.

Long term: More generally, I want to expand the fingerprinting and management
technology, so that the system can automatically learn users and not flag
false-positives. Imagine how Paypal or Facebook detects that you're not
logging in from one of your usual locations.

NDAs and other legal contracts are one existing solution to this problem, but
those are very slow and heavy-weight. This is meant to be very fast and light-
weight. Neither solution is bulletproof. Instead of choosing though, you could
use both!

~~~
benjoffe
The problem with your multiple device solution is that it puts burden on the
recipient, who's highly likely to have any idea what NOFWD is. The
fingerprinting solution you outline next is highly flakey as well, as it would
require a critical mass of users to gather the necessary data, and even then
the kind of algorithms you'd need are orders of magnitude more complex than
the ones Facebook etc. use, as those catch instances of users logging in from
foreign countries (or perhaps states), and would not catch cases where the 3rd
party is in the same city, a very likely case.

A typical scenario I imagine is that the recipient will lose the message, and
end up emailing or calling back for the same information, which will annoy all
parties (or possibly worse, they'll lose the information and ignore it
forever), as well as require the information be transmitted more times than
usual (something someone security conscious probably won't like).

I hate to be so critical of this service, but I just can't see this being
useful. I wouldn't call this hitting a nail with a sledgehammer, it's more
like hitting a nail with a six foot ceramic feather.

------
VonLipwig
Is this really needed?

It really inconveniences the recipient. They cannot copy and paste the email.
This can sometimes be important. Often private emails contain usernames,
passwords or urls.

You cannot view emails on multiple computers without first yourself going out
of the way to register multiple devices..

There are many scenarios where forwarding the email is important. You may want
your solicitor to look at it whatever.

It seems to me the best use of this service is just to send people some hate
mail as it makes it difficult for laymen computer user to forward it to
someone who can do something about it.

Email isn't a secure platform, if you don't want what you write getting out
there don't send it, use another medium, avoid sending emails to untrusted
people.

Making the email an image means I probably won't read it.. I guess that is one
way to stop me from forwarding it.

~~~
fec
The idea is that you don't use this for all of your emails, just the ones that
you don't want forwarded.

------
viraptor
I'd accept it if it had only false negatives in "different person" detection.
False positives are not really acceptable with this method now that we've got
people using webmail/clients/mobiles.

For example, my client at work is on all the time - it will happily pre-cache
all the images. But the same message will be visible on my mobile too - what
happens when I open it there? If I got an error, I'd probably check with
website for accessing the same mailbox - what would happen after 2 "forwards"
- image deleted?

This is a reality of today's offices, not an edge case I'm afraid. It will
also fail for shared email accounts (for example "info" or "support" type
destinations). Or auto-forward while someone is on long vacation will do
exactly the wrong thing - let someone else read it, but not the real
recipient.

------
tjic
This has been done a dozen times before.

I worked at Authentica around 1999-2000. They got it working decently enough
and were later bought by EMC.
<http://www.emc.com/domains/authentica/index.htm>

The problem is that the data can be grabbed by image tools, etc., so you end
up getting in a race to hack all sorts of libraries that can grab the screen,
save text, etc.

~~~
fec
Great, this solution obviously addressing a burning need. May I ask, were
previous solutions free and work on nearly all email clients?

I don't really see any major race happening. The best information grabbing
tool already works great - people's eyes. The purpose of this tool is just to
make forwarding a little harder, and add auditing and watermarking for
environments where this added information can be acted on.

------
mike-cardwell
You're using a CNAME at the root of your domain for your DNS. This is invalid.
Anybody who is using the Unbound DNS server and also has DNSSEC verification
enabled, will not be able to access your site. All lookups will lead to a
SERVFAIL.

------
wesley
What is the unique fingerprint made of? If I upgrade my windows software (for
example), will I still be able to read the email (which is an image!)

And if I buy a new computer, then import my backed up emails, will I still be
able to read it?

------
corkill
Just need to find a niche where this doesn't completely piss everyone off. I'm
sure they are out there, the government and legal ones you mentioned sound
promising.

I also like the sound of the watermarking idea or sending slightly different
text to find leaks.

Best way to get adoption of a product make it the law for people to use it!

------
rvkennedy
I really feel that this is not what email is for. An email is an historic
document, atomic, and linked to a specific time of sending. When you forward a
mail, you're not sending that actual mail, you're creating a new mail that
references the original. In other words:

web = procedural

email = functional

~~~
arethuza
Some email clients allow you to attach the original email as an attachment
when you forward/reply rather than embedding the text - I guess in that case
you are arguably including a copy of the original.

~~~
rvkennedy
Quite right, and interesting, because you're then sending a copy of the email
as defined by MIME. What you're not doing is modifying the original - as soon
as you do so, it becomes a different email.

------
moe
Seems redundant, Outlook has that feature built-in.

(try deciphering a mail that went through multiple outlooks)

------
dotmanish
Does IP Address and Mail-Client identification play a role in your reader-
fingerprint?

What would this mean for people in your LAN and using the same version of
Mail-Client as yours?

------
webwanderings
Lotus Notes has this feature for a long time. You can disable forwarding.

But of course, you cannot prevent anyone from screen printing and forwarding.

------
h2s
DRM for email.

