Dmail Makes Gmail Vanish
Delicious Science, which last year acquired social bookmarking service Delicio.us, has released a Chrome extension that provides Gmail messages with the ability to self-destruct.
After installing the extension, Gmail users can send a message to anyone, whether or not that person uses the Dmail extension, and configure the message to deny access after a period of an hour, a day, a week, or never. In addition, a "Revoke Access" button provides a way to immediately disable access to a protected message.
If the recipient has the Dmail extension, he or she can read the message in Gmail until it expires or is revoked.
If the recipient does not use Dmail, he or she receives a message that says, "This secure message was sent using Dmail. To view this message, simply click the button below."
Clicking on the View Message link calls out to a server operated by Delicious (mail.delicious.com) to retrieve the encrypted message and decrypt it using a key generated locally on the sender's device and passed through Gmail. As product lead Eric Kuhn explained to TechCrunch, "Neither Gmail nor Dmail servers ever receive both the decryption key and encrypted message. Only the recipient and sender can read the email legibly."
After the message expires or is revoked, the text becomes, "This message has been destroyed and is no longer available."
It's not immediately clear how easy it would be for law enforcement to obtain the encrypted message from Delicious Science and the key from the sender, the recipient, or Google.
The accessibility of Dmail's source code – Chrome extensions are just collections of JavaScript, HTML, and image files – may help security skeptics decide whether or not to trust Dmail. The software relies on Gibberish-AES, a JavaScript library for OpenSSL-compatible AES CBC encryption.
However, the presence of JavaScript modules for tracking and analytics suggests this software isn't intended for people who want serious security; rather, it appears to be aimed at people who would like to feel they have more control over their data than regular email affords.
But feeling that something is secure isn't a guarantee that it is. Anyone who understands what Dmail does, and who doesn't want the message to vanish, can simply take a screenshot of the message while it's readable or a photograph of the screen – it's not as if cameras are scarce these days. Also, the text in a decrypted Dmail message can be copied and pasted, unlike, say, a protected PDF.
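The split described above (key generated on the sender's device and carried in the mail, ciphertext held by the service) can be sketched with the legacy `openssl enc` salted layout that "OpenSSL-compatible AES CBC" usually refers to. This is an added example for Node.js, not code from Dmail or Gibberish-AES; the AES-256 key size, MD5 key derivation, the `msg-1` identifier, and the delete-on-revoke behaviour are assumptions.

```javascript
// Added illustration; not Dmail's or Gibberish-AES's source code.
const crypto = require("crypto");

// OpenSSL's legacy EVP_BytesToKey with MD5 and one iteration: chain digests
// until 48 bytes exist (32-byte AES-256 key followed by a 16-byte IV).
function evpBytesToKey(passphrase, salt) {
  let block = Buffer.alloc(0), out = Buffer.alloc(0);
  while (out.length < 48) {
    block = crypto.createHash("md5")
      .update(Buffer.concat([block, Buffer.from(passphrase), salt])).digest();
    out = Buffer.concat([out, block]);
  }
  return { key: out.subarray(0, 32), iv: out.subarray(32, 48) };
}

// base64("Salted__" || 8-byte salt || AES-256-CBC ciphertext)
function encryptOpenSSL(plaintext, passphrase) {
  const salt = crypto.randomBytes(8);
  const { key, iv } = evpBytesToKey(passphrase, salt);
  const c = crypto.createCipheriv("aes-256-cbc", key, iv);
  const body = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return Buffer.concat([Buffer.from("Salted__"), salt, body]).toString("base64");
}

function decryptOpenSSL(blob, passphrase) {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < 32 || raw.subarray(0, 8).toString("latin1") !== "Salted__")
    throw new Error("not an OpenSSL salted blob");
  const { key, iv } = evpBytesToKey(passphrase, raw.subarray(8, 16));
  const d = crypto.createDecipheriv("aes-256-cbc", key, iv);
  return Buffer.concat([d.update(raw.subarray(16)), d.final()]).toString("utf8");
}

// Constructed model: the service stores only ciphertext, the mail carries only
// the key. Revocation is modelled (assumption) as deleting the stored blob.
function simulate() {
  const service = new Map();
  const key = crypto.randomBytes(32).toString("hex"); // made on the sender's device
  service.set("msg-1", encryptOpenSSL("meet at noon", key));
  const mail = { id: "msg-1", key };                  // what passes through Gmail
  const firstRead = decryptOpenSSL(service.get(mail.id), mail.key);
  service.delete(mail.id);                            // "Revoke Access"
  const afterRevoke = service.get(mail.id) ?? null;   // nothing left to decrypt
  return { firstRead, afterRevoke };
}
```

In this model `firstRead` remains in the recipient's hands after revocation, which is the screenshot and copy-paste limitation in code form. The layout also carries no integrity tag, so a reviewer would want to see how the extension detects a modified blob.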
Dmail isn't the first email software that promises control of information. Confidential CC, Pluto Mail, and GhostMail entered the market recently, all offering to make email messages go away. Snapchat popularized the idea for instant messages. And services such as Microsoft Exchange offer a way to recall messages sent in error within a corporate domain.
Despite its lack of novelty, Dmail is user-friendly enough that it may find a place among individuals and organizations who want more say in the accessibility of things they've said. The fact that it works with Google's rather popular Gmail can't hurt.
Dmail is presently free and listed as beta software. Placeholders on the Dmail website suggest additional capabilities will be offered to individuals and businesses.