Show HN: Email that self-destructs when forwarded (nofwd.com)
17 points by fec 1616 days ago | 35 comments



Right-click -> Save Image as -> forward to anybody you want

Most email readers block images by default

Disabled persons who rely on screen readers and other assistance technologies just got screwed, thanks.

Answering by quoting your email just got really hard.

Some email services download images for you and don't link to your server.

I've read your email at the office, now I can't read it at home, or on my iPhone, or vice versa.

Your email picture service is down or has server trouble, no recipient can read such mails anymore.

Cryptographic email signing becomes meaningless as the recipient can't parse the signature and message body to verify the hash.

A lot of spam filters might screen out emails that are nothing but an image.

Searching through email by text will never find those emails because they contain no text.

Devices with small screen sizes (iPhone and the like) can't re-layout the text (as in word wrap), making such image emails really painful to read.


Also, embedding links, maps, or anything fun becomes impossible.

It may also be possible to defeat their fingerprinting method, depending on how it works. It's pretty hard to differentiate between users online (most things can be spoofed), so it wouldn't surprise me to see it overcome.


Embedding pictures and HTML works great. Links, yes that's a problem.


Thanks, I'll try to address as many of these as I can. I've broken a few of these into groups below, as I think they have similar solutions.

====

I) Where's the utility of this tool?

> Right-click -> Save Image as -> forward to anybody you want

1) The purpose of this demo is just to establish if anyone finds this type of service useful. There are many ways to expand this technology so that it becomes far more complex to defeat.

2) Perhaps I've sent this information to many people, but I've automatically watermarked each image. Now I can track the information leak back to you and carry out some more traditional corrective procedures...

3) Maybe this product just isn't for you? Perhaps this product is best suited for companies and government organizations, where clear policies and penalties already provide effective deterrents. This service would just supplement these policy-instruments with additional automated protection, auditing and watermarking.

===

II) Minor technical challenges:

> Most email readers block images by default

It's easy enough to turn images on, in the most widely-used clients. Just looking at my inbox, embedded images are far from uncommon in emails.

> Answering by quoting your email just got really hard.

Answering by quoting email works great, if you're alright with quoting everything. The SMTP integration supports full HTML emails and shows the quoted email very similarly to the way that Gmail does.

====

III) Accessibility vs data protection tradeoffs. These are fine:

> Disabled persons who rely on screen readers and other assistance technologies just got screwed, thanks.

> Your email picture service is down or has server trouble, no recipient can read such mails anymore.

====

IV) Solvable problems:

> I've read your email at the office, now I can't read it at home, or on my iPhone, or vice versa.

This is solvable. See my other comment.

> Searching through email by text will never find those emails because they contain no text. Devices with small screen sizes (iPhone and the like) can't re-layout the text (as in word wrap), making such image emails really painful to read.

NOFWD keeps an archive of the messages you send through it (which you can choose to delete or disable if you wish.) You can search this.

====

V) Are these really a problem?:

> Some email services download images for you and don't link to your server.

Really? I'd like to know which. Haven't seen this happen yet.

> Cryptographic email signing becomes meaningless as the recipient can't parse the signature and message body to verify the hash.

> A lot of spam filters might screen out emails that are nothing but an image.


I still think the right click save as is still the most troubling. Besides that you missed a couple of points, I'll help identify them here.

-Most people prefer to have emails off to stop the kind of tracking you mentioned in your watermarking point. Advertisers do this all the time.

-Could you elaborate on the quoting? I think the original poster meant that once you SEND a mail through nofwd the receiver cannot easily quote part and reply to you as they could with a text email. I think you're confusing the person doing the quoting with the original sender.

-III) is a matter of personal preference I guess. You mentioned that you see this working in government situations, there's no way they would implement this technology if there was no fallback for their disabled workers. Lawsuits everywhere!

-The archive you keep at nofwd.com - is it viewable for the receiver? I think once again you've confused the person doing the searching.

I'm pretty undereducated on the whole subject, I just noticed a couple things you might want to go back and address in your rebuttal. I hope you find a userbase for your system!

Edit: I guess the biggest issue I see with the system is that it takes away a HECK of a lot of great functionality from email (copy-paste, embedded replies, privacy as you must show images, accessibility, etc.) while adding a paper-thin layer of security. Anyone can just save a copy of the image, or even screenshot their computer. If it's really critical, they can just manually re-enter the info (assuming it's something as trivial as sales numbers or a condensed strategy). It seems like nofwd.com is to emails what DRM is to media, something that inconveniences legit users while not stopping people from getting around it at all.


>> "There are many ways to expand this technology so that it becomes far more complex to defeat."

There are not that many ways, unless you're willing to go the whole hog and install a rootkit on the recipient's machine before he's allowed to view a mail. Obviously that would be bad. Like any DRM scheme the ultimate consequence ends at a bad place.

>> "companies and government organizations, where clear policies and penalties already provide effective deterrents. This service would just supplement these policy-instruments with additional automated protection, auditing and watermarking"

If you're forced to deal with security restricted information dissemination, then email is pretty much the wrong kind of tool.

>> "Answering by quoting email works great, if you're alright with quoting everything"

That kinda defeats the purpose of quoting mostly.

>> "Accessibility vs data protection tradeoffs. These are fine:"

Sure, they're fine for you. You're not disabled.

>> "NOFWD keeps an archive of the messages you send through it (which you can choose to delete or disable if you wish.) You can search this."

I use my email client's search box to search emails in my inbox, I think pretty much everybody does. This also doesn't cover the UX issues of a large image blob that renders unreadable on devices with other screen sizes than the desktop average.


The problem you are trying to solve is impossible to solve by modifying the contents of an email.

The problem is not that people can forward emails, the problem is that an untrustworthy person has been given valuable data.

You could press printscreen, take a photo... anything you do to that email can be overcome.

This doesn't mean your development has been in vain, I am sure you have learnt a huge amount executing this, and it is great to share it. Very impressed, thank you!


My weekend project: http://nofwd.com

I created this project because I was tired of seeing my friends violate the confidentiality of our private conversations, by constantly forwarding our emails to third parties. As you at HN will understand, 100% unbreakable rights management of digital content is physically impossible. That said, I think that this tool has great value, at least for people who face the same problem that I had.

Currently, you can use this tool manually, via the demo page, or you can integrate with your email client via the SMTP integration method. I'd like to find some way to streamline the setup process for the SMTP integration. Any ideas?

Other applications for this service:

- Use in addition to email disclaimers and confidentiality agreement footers at the bottom of emails.

- Watermark emails for tracking purposes.

- Supplement existing internal corporate policies for information disclosure.

- Provide additional auditing support for email access-control.

- Delete email messages after they have been sent.

Caveats:

- Currently detects all access attempts from the same computer as one single recipient. Likewise, accessing an email account from multiple devices will be detected as multiple recipients. I.e. each computer == one recipient.

- No real website design yet.

Stack:

Python / Tornado & adisp.py / Nginx / Nginx scripts / Redis / Postgresql

So HN, what do you think?


While I understand the motivation for this, I think it's actually a bad thing. Why? As you said, it's not perfect (and can't ever be), but when you create a service like this, people tend to use it in the way they see fit. If this got big, you'd have people actually using it to send emails that they think wouldn't be forwardable, when a simple copy and paste (at most) will defeat it.

It's a neat project, but it's snake oil that people will buy into. That's bad.


Ctrl+A, Ctrl+C. Voila plaintext (or in your case, a readable screenshot of the plaintext - I've been experimenting with the site meanwhile), let me forward that.

Moreover, I very much prefer my e-mail textual - some of my e-mail devices may be severely constrained in bandwidth and screen size; text compresses, transmits and scales way better (also: insert standard accessibility rant here).

Also, what of nomadic users? "Oh, your smartphone already accessed the one copy [for added fun, try "and didn't save it"]? No way to read the e-mail anywhere else, tough luck."

You have addressed the above as caveats - however, there is one more thing that bothers me, immensely - the immediate, silent and complete retraction capability: "I never said that" is bad enough, "I never sent you an e-mail like that" would be worse. For dealing with certain people, I like to have a local copy of what was written, just in case they change their mind later. Even if I kept local copies of the screenshots, I like my evidence searchable, too - eyeballing a bunch of images to find a specific e-mail is distinctly suboptimal.

On the other hand, if you are facing the one exact problem of people mindlessly forwarding your e-mail, verbatim, this might be a useful mitigation technique. It's a nice project, but not useful for me - it would solve problems I don't have, while saddling me with other problems I don't want to have.

As for "no real website design" - I actually like the clean and minimal design :)


If you read the site, they convert it to an image. Usability for this sucks, no searching, no copying.


Nothing can stop someone simply saving the image and sending it as regular email. If it can be read, it can be copied. No point pretending otherwise.

[Edit: fix stray question mark.]


Well, you could pursue legal action under the DMCA for those sorts of actions in principle, but other than that, there is no need for a question mark on your first statement.

It is, if you like, the exact problem that copyright enforcement and digital rights management (DRM) have. No matter what you do, if you send me a threat and I really want to forward that to the police department, I can always hit "Print Screen." Simply showing X to me enables me to copy X. If you let me play music out of my headphones, I can always in principle connect my headphone jack to a computer's microphone input and get a lossy-but-acceptable DRM-free copy, because my headphone jack does not implement DRM. (In the early DRMed days of iTunes we used to do this with burning music to CDs, which iTunes allowed.)

Just allowing a kid to enter the movie theater allows him to smuggle in a camera and post the video on BitTorrent. Just seeing is always sufficient for lossy copying, if only because we keep a lossy copy in our memories. (I've discussed this elsewhere but I'd prefer not to linkspam myself.)


> I was tired of seeing my friends violate the confidentiality of our private conversations, by constantly forwarding our emails to third parties.

You're trying to solve a SOCIAL problem with TECHNOLOGY.

Better solution: get ACTUAL friends who won't stab you in the back given the chance.


Sometimes what you may attribute to malice, is actually just carelessness or stupidity.


Njix is right, but don't let the flaws in this experiment prevent you from sharing and building more projects.

He does point out a valuable lesson, do not try and fix a problem from one area with another, which applies a lot in development... I see people fixing CSS rendering issues with JS for instance.


I too understand the motivation of the project yet.... IMO if you can't trust the person you are having a conversation with then don't have it.

Great job at building something people are using, although it's not something I'd use.


Personally I would hate to receive email like this, if I viewed the email on my phone I won't be able to view it on my work computer. If I'm working from home the next day I won't be able to view the message (ever again!). If I want to view the email in several months time I'm assuming it's highly unlikely I'll be able to.

Maybe there's a market for this, and if so good for you, but my honest feeling is that any desire for such a 'protection' is better solved by either talking to the person on the phone or in person, or getting them to sign an NDA, or if the recipient is so untrustworthy then don't engage with them.


Temporary solution: If you have multiple devices, you can create an account on NOFWD, and log into nofwd.com from each device. Now, NOFWD will see all of your devices as a single entity, and not self-destruct your messages that you view. This behavior can be ended by logging out again.

Long term: More generally, I want to expand the fingerprinting and management technology, so that the system can automatically learn users and not flag false-positives. Imagine how Paypal or Facebook detects that you're not logging in from one of your usual locations.

NDAs and other legal contracts are one existing solution to this problem, but those are very slow and heavy-weight. This is meant to be very fast and light-weight. Neither solution is bulletproof. Instead of choosing though, you could use both!


The problem with your multiple device solution is that it puts burden on the recipient, who's highly likely to have any idea what NOFWD is. The fingerprinting solution you outline next is highly flakey as well, as it would require a critical mass of users to gather the necessary data, and even then the kind of algorithms you'd need are orders of magnitude more complex than the ones Facebook etc. use, as those catch instances of users logging in from foreign countries (or perhaps states), and would not catch cases where the 3rd party is in the same city, a very likely case.

A typical scenario I imagine is that the recipient will lose the message, and end up emailing or calling back for the same information, which will annoy all parties (or possibly worse, they'll lose the information and ignore it forever), as well as require the information be transmitted more times than usual (something someone security conscious probably won't like).

I hate to be so critical of this service, but I just can't see this being useful. I wouldn't call this hitting a nail with a sledgehammer, it's more like hitting a nail with a six foot ceramic feather.


Is this really needed?

It really inconveniences the recipient. They cannot copy and paste the email. This can sometimes be important. Often private emails contain usernames, passwords or urls.

You cannot view emails on multiple computers without first yourself going out of the way to register multiple devices.

There are many scenarios where forwarding the email is important. You may want your solicitor to look at it whatever.

It seems to me the best use of this service is just to send people some hate mail as it makes it difficult for a layman computer user to forward it to someone who can do something about it.

Email isn't a secure platform, if you don't want what you write getting out there don't send it, use another medium, avoid sending emails to untrusted people.

Making the email an image means I probably won't read it... I guess that is one way to stop me from forwarding it.


The idea is that you don't use this for all of your emails, just the ones that you don't want forwarded.


I'd accept it if it had only false negatives in "different person" detection. False positives are not really acceptable with this method now that we've got people using webmail/clients/mobiles.

For example, my client at work is on all the time - it will happily pre-cache all the images. But the same message will be visible on my mobile too - what happens when I open it there? If I got an error, I'd probably check with website for accessing the same mailbox - what would happen after 2 "forwards" - image deleted?

This is a reality of today's offices, not an edge case I'm afraid. It will also fail for shared email accounts (for example "info" or "support" type destinations). Or auto-forward while someone is on long vacation will do exactly the wrong thing - let someone else read it, but not the real recipient.


This has been done a dozen times before.

I worked at Authentica around 1999-2000. They got it working decently enough and were later bought by EMC. http://www.emc.com/domains/authentica/index.htm

The problem is that the data can be grabbed by image tools, etc., so you end up getting in a race to hack all sorts of libraries that can grab the screen, save text, etc.


Great, this solution is obviously addressing a burning need. May I ask, were previous solutions free and did they work on nearly all email clients?

I don't really see any major race happening. The best information grabbing tool already works great - people's eyes. The purpose of this tool is just to make forwarding a little harder, and add auditing and watermarking for environments where this added information can be acted on.


You're using a CNAME at the root of your domain for your DNS. This is invalid. Anybody who is using the Unbound DNS server and also has DNSSEC verification enabled, will not be able to access your site. All lookups will lead to a SERVFAIL.
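
The rule behind this comment is that a CNAME cannot share an owner name with other record types, and a zone apex always carries SOA and NS records. A check for that over a zone file, as an added example that is not part of the original comment: the zone contents are constructed, and the parser (hypothetical names `parse_zone`, `find_cname_conflicts`) handles only zones written one record per line with an explicit owner name.

```python
from collections import defaultdict

# Record types DNSSEC permits at the same owner name as a CNAME.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}
CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone using reserved documentation names and addresses.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@    3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
@    3600 IN NS    ns1.example.com.
@    3600 IN CNAME app.hosting.example.net.
www  3600 IN CNAME app.hosting.example.net.
mail 3600 IN CNAME mx.hosting.example.net.
mail 3600 IN MX    10 mx.hosting.example.net.
ns1  3600 IN A     192.0.2.53
"""


def absolute(name, origin):
    """Expand '@' and relative owner names against the current $ORIGIN."""
    if name == "@":
        return origin
    name = name.lower()
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type) pairs from a simplified zone file."""
    origin, records = ".", []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments, then tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0].startswith("$"):           # $TTL and other directives
            continue
        owner, rest = fields[0], fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest.pop(0)                         # skip optional TTL and class
        if rest:
            records.append((absolute(owner, origin), rest[0].upper()))
    return records


def find_cname_conflicts(text):
    """List owner names where a CNAME coexists with a disallowed record type."""
    types_at = defaultdict(set)
    for owner, rtype in parse_zone(text):
        types_at[owner].add(rtype)
    apexes = {o for o, t in types_at.items() if "SOA" in t}
    findings = []
    for owner in sorted(types_at):
        types = types_at[owner]
        clashes = sorted(types - ALLOWED_WITH_CNAME)
        if "CNAME" in types and clashes:
            findings.append({"owner": owner, "apex": owner in apexes,
                             "clashes_with": clashes})
    return findings


if __name__ == "__main__":
    for finding in find_cname_conflicts(SAMPLE_ZONE):
        print(finding)
```
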


What is the unique fingerprint made of? If I upgrade my Windows software (for example), will I still be able to read the email (which is an image!)?

And if I buy a new computer, then import my backed up emails, will I still be able to read it?


Just need to find a niche where this doesn't completely piss everyone off. I'm sure they are out there, the government and legal ones you mentioned sound promising.

I also like the sound of the watermarking idea or sending slightly different text to find leaks.

Best way to get adoption of a product: make it the law for people to use it!
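
The "slightly different text to find leaks" idea from this comment, as an added example that is not NOFWD's code or part of the original comment: each recipient gets a distinct combination of interchangeable wordings, and a leaked copy or excerpt is matched back to the recipients consistent with it. The template, phrases, addresses, `SECRET` and all function names are constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: sender-side key, never sent out

# Constructed message; each {n} slot has interchangeable wordings.
TEMPLATE = ("The Q3 figures {0} on Friday. Please {1} them until then. "
            "{2} go to finance, and the {3} follows next week.")
SLOTS = [
    ("will be released", "are going out"),
    ("do not share", "avoid circulating"),
    ("Any questions", "All questions"),
    ("full deck", "complete deck"),
]


def decode(index):
    """Mixed-radix decode of a variant index into one choice per slot."""
    choices = []
    for alts in SLOTS:
        index, pick = divmod(index, len(alts))
        choices.append(pick)
    return tuple(choices)


def assign_variants(recipients, secret=SECRET):
    """Give every recipient a distinct variant, ordered by a keyed hash."""
    unique = set(recipients)
    capacity = 1
    for alts in SLOTS:
        capacity *= len(alts)
    if len(unique) > capacity:
        raise ValueError("more recipients than distinct variants; add slots")
    ranked = sorted(unique, key=lambda r: hmac.new(
        secret, r.encode(), hashlib.sha256).digest())
    return {r: decode(i) for i, r in enumerate(ranked)}


def render(choices):
    """Produce the message text for one tuple of slot choices."""
    return TEMPLATE.format(*(SLOTS[i][c] for i, c in enumerate(choices)))


def observe(leaked):
    """Return {slot: choice} for each slot whose wording survives in the leak."""
    text = " ".join(leaked.split()).lower()   # tolerate reflow and case changes
    seen = {}
    for i, alts in enumerate(SLOTS):
        hits = [c for c, phrase in enumerate(alts) if phrase.lower() in text]
        if len(hits) == 1:   # none: cut or paraphrased; several: merged copies
            seen[i] = hits[0]
    return seen


def trace_leak(leaked, assignment):
    """Recipients whose variant agrees with every slot visible in the leak."""
    seen = observe(leaked)
    if not seen:
        return []            # no watermark evidence survived
    return sorted(r for r, choices in assignment.items()
                  if all(choices[i] == c for i, c in seen.items()))


if __name__ == "__main__":
    people = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]
    assignment = assign_variants(people)
    leaked = render(assignment["carol@example.com"])
    print(trace_leak(leaked, assignment))
```

A full copy narrows to one recipient; an excerpt or paraphrase only narrows to the set of recipients that share the surviving wordings, so the result is a candidate list rather than proof.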


I really feel that this is not what email is for. An email is an historic document, atomic, and linked to a specific time of sending. When you forward a mail, you're not sending that actual mail, you're creating a new mail that references the original. In other words:

web = procedural

email = functional


Some email clients allow you to attach the original email as an attachment when you forward/reply rather than embedding the text - I guess in that case you are arguably including a copy of the original.


Quite right, and interesting, because you're then sending a copy of the email as defined by MIME. What you're not doing is modifying the original - as soon as you do so, it becomes a different email.


Seems redundant, Outlook has that feature built-in.

(try deciphering a mail that went through multiple outlooks)


Does IP Address and Mail-Client identification play a role in your reader-fingerprint?

What would this mean for people in your LAN and using the same version of Mail-Client as yours?


Lotus Notes has had this feature for a long time. You can disable forwarding.

But of course, you cannot prevent anyone from screen printing and forwarding.


DRM for email.



