InteRosa takes a stab at secure email

Startup seeks to protect companies against their own words.

A startup aims to help businesses protect email, easing the fear and legal liability that comes after hitting the "Send" button.

QVTech told ZDNN that next Monday it will announce InteRosa, a technology that controls various aspects of email. For example, a user could prevent his email from being forwarded beyond the original recipient, and even lock the text of the message to deter copying. Break the rules, "and it turns into bit sludge", said Bruce Fryer, QVTech's vice president of marketing.

QVTech, a startup formed from a collection of ex-Sun, Microsoft and Cray Computer engineers, aims to take the fear out of email security.

Driving the technology, which the company said was under consideration at USA.NET, a large email outsourcer, are several factors, including corporate fears of email being used against them in court. "Ask Microsoft -- old emails can come back to haunt you," said Geoff Mulligan, QVTech's artificer (chief technical officer). The company claims its new product -- a server system dubbed InteRosa -- will allow companies to control email sent by its employees across the Internet. Added Mulligan, "(InteRosa) continues to protect email for the life of the email."

The concern that InteRosa addresses is a relatively new one, but has a powerful poster child: Microsoft. During the on-going antitrust investigation by the Department of Justice, the software giant found words written by its own execs in email used against its position.

"Companies are scared," said security and encryption expert Bruce Schneier, president of Counterpane Systems, who pointed out that the mixed breeding of email has employees shooting themselves in their collective feet. "Email has the psychological equivalent of a voice conversation but the unfortunate legal equivalence of a written conversation." In other words, many employees are not thinking before they hit the "send" button.

On a less sensational level, several analysts said that eventually, the Internet economy will generate demand for more security. "In our transformation to an e-business world, organisations will absolutely need to have better security as they're transferring things on the Internet," said Alan Weintraub, an analyst at Gartner Group.

Weintraub thinks that by using policies, or rules that determine what employees can and cannot do, the product "extends mail one extra level from where it's ever been extended before." Whether the market is ready for that extension represents another question. "This is a very, very immature market," he said. "Many startups are emerging and there are no dominant players in it."

Lucas Graves, an analyst at Internet researcher Jupiter Communications, finds the product intriguing. "It has interesting possibilities," Graves said. "The questions are: How much are the technology requirements a barrier to adoption, and how secure is it truly?"

QVTech is intent on making the technology easy to use, said Fryer. "(InteRosa) is transparent. Nothing has to be pre-arranged (with the receiver, and there's) no proprietary software," he said. Analysts said that helps give InteRosa different tack than some other players in the secure email market, such as Hushmail, 1on1 and the Freedom Network.

Still, security ultimately will separate the technologies, and that is the toughest hurdle for them, said Counterpane's Schneier. Schneier, who authored Applied Cryptography as well as a candidate for the next government encryption standard, asserts that email, once it has left a company's server, can't be secured from outside attack. "Once it has left the server, it is vulnerable," he said. "Anything you can invent, (an attacker) can get around."

At the very least, a user could take a photograph of the screen. But that might not ring the death knell for these products, said Schneier. Many companies are just looking for a way to enforce their email policies. If the employees of both the sending company and the receiving company are honest, then secure email could very well work.