Technology that promises highly secure, confidential and self-destructing messages over the Internet isn’t only available to top secret intelligence agents.
Chicago, Ill.-based VaporStream Inc., which released its first demo of the VaporStream non-documentable e-mail service in 2006, has since designed an enterprise-ready version and patented the technology.
VaporStream gives users the privacy and confidentiality they would expect when they are not online, said Joseph Collins, president and CEO of VaporStream. “Unfortunately, we live in a world where everything you do online is recorded,” he said.
Collins likens VaporStream to a phone conversation. “VaporStream, in essence, is a record-less messaging system. Similar to a conversation like we are having over the phone, it allows us to have the conversation and once you see it, read it and reply to it, it’s gone,” he said.
VaporStream is typically used for negotiations and when the parties decide they’ve reached an agreement, they can send each other a traditional e-mail to become the official record moving forward, he said.
Like e-mail, VaporStream is text-based, but messages cannot be cc’d, forwarded, saved or printed. Messages are automatically deleted after they are read and stored in RAM to disappear without a trace. Conversations use 256-bit encryption and are transmitted over SSL.
As an additional security measure, the service separates the header and body of messages, so even if someone were to take a screen capture of a message, it would not display the “who, what, where and when” to make it a piece of information that could be referenced, he said.
The VaporStream Messaging Service (VMS) operates out of a centralized location, which is responsible for “routing, instant notification, keyword filtering, queuing and de-queuing the messages” for all users, states VaporStream’s site.
The infrastructure is “housed in multiple Tier 1 facilities located in Los Angeles, New York, and Chicago.” All of the message servers are run in RAM and there are no hard drives connected to the servers, VaporStream states.
Users can access the service through Web browsers, plug-ins for Microsoft Outlook (2003 and 2007) and Lotus Notes, or mobile apps for the iPhone, Blackberry and Windows Mobile phones.
Enterprises can deploy the VaporStream Enterprise Server (VES), which authenticates users through the VES into their Active Directory or Lotus Domino service. VaporStream says the messages “will never reside on the organization’s internal servers” and “go directly from the VaporStream client to the VMS servers located on the VaporStream network.”
The service uses the SaaS model. Pricing for individual accounts is US$7.50 per month and messaging requires both parties to use the VaporStream service. Enterprise pricing varies.
The pricing is actually “much cheaper than e-mail,” said Collins. Licences for Microsoft Exchange can range from $5 to $10 per user per month and this doesn’t take into account additional costs like servers, backups, archives and maintenance, he said.
But VaporStream is designed to compliment, not eliminate, e-mail. VaporStream takes the non-important conversations out while still allowing those conversations to take place, he said.
The value isn’t so much about up front e-mail costs but what happens to a corporation when it goes through a legal situation, he said. And by lowering the overall volume of e-mail within an organization, VaporStream reduces costs related to litigation, he said.
“Once you get sued, the cost of e-discovery is unbelievably expensive and the cost is really how much information do you have to go through,” said Collins.
VaporStream also provides a convenient way to conduct private conversations without “the burden of big encryption layers,” he said. The company targets health-care providers in the U.S., for example, which are required by law to communicate in a secure, private manner for patient confidentiality reasons, he said.
The technology might appeal to Canadians for the same reason. “Canada has much higher standards of privacy than the United States, especially for corporations,” he said.
Organizations required by law to provide privacy to their employees can use the service as a private channel for messaging and allow employees to separate personal matters from corporate business records, he said.
“As long as you know without a doubt that you are in the regulatory clear, you could use a system like this,” said Tim Hickernell, lead research analyst at London, Ont.-based Info-Tech Research Group. But “companies need to be very careful with this,” he added.
VaporStream could be very useful for top-secret pharmaceutical research teams or for military battlefield purposes, but the average organization “could get themselves into trouble very quickly with this technology,” said Hickernell.
“I’m worried about the average organization who might think this is the way to get around litigation,” he said. “Just because you are destroying the record of a conversation does not mean there are no legal requirements for you to record decision-making processes,” he said.
VaporStream walks a “very fine line” with their messaging and how they are positioning the technology, according to Hickernell. “What disturbs me about this is they seem to be positioning it as if you’re kind of sneaking around requirements,” he said.
Hickernell recommended enterprises that need to have non-recorded discussions use Web conferencing instead, if meetings in one room don’t work. “The ideal place to be having these types of conversations is with a real-time collaboration product, not an asynchronous collaboration product at all,” he said.
“The problem to me is not that e-mail is unsecure. The problem is that these kinds of conversations got shifted to asynchronous channels and they shouldn’t be. They should be occurring in real time with real-time collaboration,” he said.
Web conferencing provides both audio and video collaboration, allows individuals to look at documents or presentations, and doesn’t have to record anything, he said. “Most of these systems don’t have, by default, any recording capability unless you pay extra for that capability,” he said.
Collins said the company wants to be a “good corporate citizen” and one of the terms of agreement is that users comply with their native country’s laws and rules.
Brokers in the U.S., for example, must record all e-mail messages, instant messages and phone conversations, so they couldn’t legally use VaporStream for business, he said. “But most citizens can, and there isn’t a law against using VaporStream. At the end of the day, it is basically conversation software,” he said.
VaporStream also complies with federal wiretap rules in the U.S., said Collins. “VaporStream on the network end is very similar to a phone system, so you can wiretap it if given a federal warrant or subpoena. Again, you’re going to be able to get information moving forward, similar to a phone call. You aren’t able to get anything prior,” he said.