1. Field of the Invention
This invention relates to various improvements on the electronic mail system and method described in U.S. patent application Ser. No. 09/390,363, herein incorporated by reference.
The improvements are (i) the addition to the systems described in the parent application of an electronic mail control applet that allows the sender or originator of an electronic mail message to control the lifespan and handling of the message after it is sent while using his or her existing electronic mail application to create, modify, and send the message; (ii) the addition of a feature that allows, for purposes of maximizing the efficiency of lifespan and handling control of a message after sending, the addition or deletion of electronic mail wrapper information such as the time of sending; (iii) in embodiments where a central mail server is used, the use of session keys, key renewals, or required check-ins to enable central server control of message access while permitting storage of the message on the recipient's computer, or retention by the central server of parts of the electronic mail package, such as the message wrapper, handling and encryption key information, and/or portions of the message, with storage of the remainder of the message on the recipient's computer; and (iv) in embodiments that require handling of forwarded electronic mail messages by a central mail server, the addition of message tracking and compilation of lists including the identities of individuals or groups to whom the message has been forwarded, and information on handling of the message by those to whom the message has been sent or forwarded.
2. Description of Related Art
The following description of "related art" consists of seven sections (i)-(vii). The first section begins with a general description of the properties of electronic mail that serve to define the context of the invention. The second section is a discussion of a prior art system that purports to provide a framework for controlling distribution of electronic documents in general, known as the "virtual distribution environment" (VDE) and disclosed in U.S. Pat. Nos. 5,892,900, 5,910,987, 5,915,019, and 5,917,912. The third section of this description of related art describes systems specific to electronic mail and that provide controls of such processing or handling functions as forwarding and reply, while the fourth section describes a system, disclosed in U.S. Pat. No. 5,870,548, that provides for cancellation of electronic mail messages after sending. The fifth section of this description of related art discusses a patent related to delivery of an interactive television program in relation to the feature of the invention involving distribution of a viewer applet to facilitate control of expiration date and processing functions. The sixth section summarizes the differences between the prior art and the concepts disclosed in the parent application, and the seventh section discusses the context and specific problems addressed by the improvements disclosed in the present continuation-in-part application.
(i) Definition of "Electronic Mail"
Electronic mail can be defined as a system or method for transmitting electronic data or text files from one computer to another based solely on a destination address without reference to the content of the files or, in general, to the route taken to reach the destination address, and in a form that permits the files to be accessed and manipulated at the destination address at the convenience of the recipient.
Electronic mail defined in this manner can be compared to postal mail, in which letters are routed solely to their destination based on addresses written on envelopes, the content of the messages being hidden in the envelopes, and the envelopes being placed in a mailbox for later retrieval at the convenience of the addressee.
Those skilled in the art will appreciate that the above definition is not the only possible definition of electronic mail, and that the systems, methods, and software described in the parent application and in the present continuation-in-part application, hereinafter referred to as "the invention," are therefore not necessarily to be limited by this definition. Instead, the definition is intended as an aid to understanding the manner in which the invention differs from other types of systems and methods which might, like the present invention, provide for sender controls and a limited lifespan for the transferred files, but which do not have the above characteristics of electronic mail. Examples of conventional file or data transfer systems that do not fall within the definition of electronic mail, but in which control of information is retained by the originator or sender, include video pay-per-view systems that rely on signal scrambling and the use of converter "boxes" to unscramble the signal and permit viewing of a video when payment has been received, and shareware or demonstration software downloads that self-destruct after a trial period if the shareware is not registered.
The "convenience of the recipient" aspect of the definition is important because it distinguishes electronic mail from real time electronic data transfers such as the file transfer protocol (FTP), and implies that electronic mail files must be stored somewhere and directly accessible at least once by the recipient at some time following receipt. It is this storage that gives rise to the problem addressed by the present invention, namely the extended life of an electronic mail message. While storage is an essential aspect of electronic mail, it will be appreciated that the files do not need to be stored in plain text form, and that the local storage need not be on the recipient's computer or even on a network server such as an IMAP server.
Another important aspect of the definition of electronic mail is that the files transferred are data or text files that contain information, rather than executable programs. It is a trivial matter to program self-destruction into an executable program, but a data or text file cannot be deleted without the aid of an external program, which in conventional electronic mail systems is entirely under the control of the recipient.
A third important aspect of the definition of electronic mail is that the electronic mail messages are relayed through a network of intermediate hubs based solely on the destination address, much as envelopes are handled by a conventional postal mail delivery system. The contents of an electronic mail object do not affect its ability to be delivered any more than does the content of an envelope, and thus the data fields or contents of an electronic mail object can be formatted in any desired manner (with the exception of certain fields reserved for the writing of routing or tracking information that can be used for debugging). In particular, it is possible to insert flags that cause actions to be performed at the receiving end of the transmission, and that are unique to the sending and receiving software, without requiring new data structures or substantive revision of the conventional electronic mail protocols, and without affecting the transmission. In the case of Simple Mail Transfer Protocol (SMTP) transmission, these flags can be included as extensions of the destination address permitted by SMTP, or as an internal message header that is treated by SMTP as text or data and that is recognized only by the receiving software.
The broad definition of electronic mail given above can be implemented in numerous ways, and the present invention is intended to apply to all such implementations. The most common implementation is currently SMTP, which determines how electronic mail objects are routed to a destination address, and its related protocols, the Post Office Protocol (POP) or Internet Mail Access Protocol (IMAP), which set up "mailboxes" at the destination address, either locally or on a mail server, following transmission by SMTP. The invention is of course explicitly applicable to electronic mail sent via SMTP. In addition, messaging systems such as Lotus Notes™ may be considered to be within the definition of electronic mail for purposes of the invention.
(ii) "Virtual Distribution Environments" and the Concept of Control
In order to limit the lifespan of a message as in the invention, it is necessary to exercise some control over the message. As a result, any system that is capable of limiting the lifespan of a message also must be capable of enabling the sender to limit handling of the message, including forwarding, copying, printing, and so forth.
While providing such control is an important feature of the invention, it is not a unique feature. In fact, a system currently exists, at least in the form of a patent specification, which in theory provides all of the control necessary to achieve virtually any desired handling or lifespan limitations on any type of transferred file. The system is known as the Virtual Distribution Environment (VDE) and is disclosed in U.S. Pat. Nos. 5,892,900, 5,910,987, 5,915,019, and 5,917,912, all entitled "System and Methods For Secure Transaction Management and Electronic Rights Protection" (the VDE patents). The problem with VDE as a solution to the problem of message lifespan is that, in addition to not suggesting the concept of enabling the originator of an electronic mail file to control its lifespan, the controls implemented by VDE are too complex to be implementable through conventional mail protocols such as SMTP.
In general, there are three ways that control of a transferred file might be retained by the originator. The first, used for pay-per-view systems, is to prevent any copying or recording of the files, so that the files can only be viewed as they are being broadcast or downloaded. The second, used in the case of executable software downloads, is to include self-destruct instructions in the program instruction set. In the case of non-streaming, non-executable files, however, a third method is required. This is the method used by the present invention, and is also the method implemented by VDE. In its most general form, this third method of transferred file control involves encryption of the files so that they can only be processed by software designed to implement the desired controls. The software that decrypts the files can be programmed to destroy the files at a desired date or upon the occurrence of a particular event, no matter how often the files have been copied or re-transmitted.
While the system and method described in the VDE patents thus utilizes the same general principle as the present invention, namely retaining control of files distributed over an open network by encrypting the files and utilizing software at the receiving end to exercise control over the files, including destruction of files (mentioned, for example, in col. 169, lines 61 et seq. of U.S. Pat. No. 5,917,912), and even protection of electronic mail (col. 278, lines 58 et seq. of U.S. Pat. No. 5,917,912), the details of the system and methods described in the VDE patents are substantially different than those of the present invention. Instead of utilizing existing communications protocols, VDE requires revision not only of the file origination, transmission, and receiving programs, but also "component, distributed, and event driven operating system technology, and related communications, object container, database, smart agent, smart card, and semiconductor design technologies" (Col. 8, lines 1-7 of U.S. Pat. No. 5,917,912). As a result, even though the VDE can be made to perform virtually any desired control function it is simply not practical in the context of electronic mail.
The impracticality of the systems disclosed in the VDE patents is explained at length in a later patent by the same assignee, U.S. Pat. No. 5,920,861, which compares VDE to a "blank canvas" on which the "master painter" can create his or her masterwork (col. 3, lines 1-12 of U.S. Pat. No. 5,920,861), but which is not suitable for use by the average end user. To solve the ease-of-use and interoperability problems, the later patent proposes to implement the generic template structure of the "virtual distribution environment" by creating a specific machine readable data structure. This solution to the problem is exactly opposite the solution provided by the present invention, which is to provide an applications level program that is completely compatible with existing protocols. This is possible because the present invention, unlike the VDE system, seeks to provide specific control functions such as the specification of an expiration date for a message, in a specific context, namely electronic mail. It is designed to work within existing communications structures, and in particular within existing SMTP, POP, and IMAP formats, while providing a simple user interface that will be as familiar to the average electronic mail user, and as easy to use, as existing electronic mail programs.
(iii) Control in the Specific Context of Electronic Mail
While the VDE concept provides a framework by which sufficient control of electronic mail could be achieved so as to enable a sender to limit the lifespan of the electronic mail, the complexity of the VDE system and the skill required to implement and use the system makes the system unlikely to have any practical application to electronic mail as defined above.
On the other hand, those systems described in prior patents that are specifically directed to the concept of enabling originator control of electronic mail messages, for the most part to ensure that a message will be read or forwarded rather than to limit the lifespan, do not provide for a sufficient level of control, at least of messages sent over an open network, to ensure that all incarnations of a message will in fact be expunged. While it might seem that the advantages of providing sufficient control of electronic mail to ensure that messages can be made to expire at a time, date, or upon the occurrence of an event selected by the originator might have been grasped by designers of the prior systems, there are reasons why the advantages were in fact not apparent to such designers.
First, since electronic mail has been designed to be analogous to postal mail and postal mail has no function analogous to message expiration, except for the use of disappearing ink, it is likely that the concept of enabling the originator of a message to control the expiration and limit use of the message was simply not considered. The expiration of messages has previously been the province solely of fiction, exemplified by the self-destructing tape recorder in the opening scene of the television show Mission Impossible, and not as a way to give any sender of a message control of the lifespan of the message.
Second, the systems and methods disclosed in the prior patents are for the most part intended solely to force a response from the recipient, or facilitate distribution and forwarding of a mass mailing, with no consideration of what happens to the message after the response is made or the message is forwarded, and no provision for limiting either the lifespan or the use of a message once an appropriate response has been made.
For example, U.S. Pat. No. 5,325,310 discloses a system which prevents deletion of an electronic mail message until it has been viewed and/or forwarded, while U.S. Pat. No. 5,878,230 discloses a system designed to force a reply or forwarding, and U.S. Pat. No. 5,125,075 is one of several patents that disclose systems for controlling routing and access to electronic mail "circulars." It is not surprising that systems designed to ensure that an electronic mail message is read and disseminated in a desired manner have not provided for expiration of the messages being disseminated.
The only systems that actually provide for a limited message lifespan are those that automatically delete files after a predetermined period of time in order to clear space on a disk drive. These systems do not provide for originator control of the lifespan of the message, and in particular one that is to be sent over an open network rather than being retained on a local area network server. An example of this type of system is disclosed in U.S. Pat. No. 5,598,279, which describes a local area network server that provides for timed destruction of electronic mail and other files to save space on the server, but without the inclusion of an end-user interface that permits the originator of the electronic mail to select an expiration date, or any controls that would make such an interface possible.
(iv) Cancellation of an Electronic Mail Message-U.S. Pat. No. 5,870,548
The one patent that in a sense involves originator control of the lifespan or expiration of electronic mail messages is U.S. Pat. No. 5,870,548. However, the lifespan control provided by the system disclosed in this patent is in the form of the ability to cancel messages, rather than to select a lifespan prior to sending the message. As with the forwarding or response requiring systems, implementation of the cancellation message is left to the recipient, and no provision is made for dealing with copies of the original message that have already been forwarded.
U.S. Pat. No. 5,870,548 can be fairly said to represent the current wisdom in the art of electronic mail handling. Basically, the view has generally been that "once the message is submitted to the Internet, it cannot be directly altered, canceled, or retracted by the originating program" (U.S. Pat. No. 5,870,548, col. 1, lines 37-39). The solution proposed in U.S. Pat. No. 5,870,548 is simply to send a follow-up "action message" to the recipient, asking for cancellation. The problem is that by the time the action message has been sent, the original message might have been copied or forwarded and therefore be out of the control of the original recipient, even if the recipient were to cooperate and cancel the message.
Even if cancellation of a message sent by the system of U.S. Pat. No. 5,870,548 could be assured, the system described therein does not take into account the possibility that the message might already have been forwarded by the time the cancellation request was sent to the original recipient. Furthermore, while it might be possible to prevent forwarding, and thereby help ensure cancellation, there are numerous reasons why a sender might wish to permit forwarding of a message and yet have all incarnations of the electronic mail message, rather than just the original incarnation, expire at a particular date or time. For example, the message could contain proprietary data for use by vendors, preliminary test results or draft research papers, or confidential work product to be shown to groups of clients.
In cases where forwarding of the message must be permitted, the ability not only to request cancellation by the original recipient, but also to track subsequent recipients of forwarded messages would be required in order for the system of U.S. Pat. No. 5,870,518 to ensure execution of a cancellation request by the subsequent recipients, which is impossible using existing electronic mail systems designed to transmit electronic mail over an open network.
(v) Distribution of Viewer Applets
An important feature of the present invention concerns distribution of the viewer applet that enables or implements destruction of an e-mail message at a predetermined date, time, or event. The system and method of the invention permits the originator to address the message to any desired recipient equipped to receive electronic mail, whether or not the recipient is in possession of the viewer applet. This is accomplished either by first notifying the recipient that an encrypted message has been received and then sending the viewer applet to the recipient upon request, or by attaching the viewer applet to the message and notifying the recipient so that the message can be immediately installed by the user, or even by causing the viewer applet to be installed automatically upon opening of the electronic mail in a manner analogous to a benevolent electronic mail virus.
U.S. Pat. No. 5,877,755 discloses a somewhat similar arrangement in the context of an interactive broadband multimedia system. In its broadest form, the system of U.S. Pat. No. 5,877,755 provides for transmission to a customer of the executable program file that permits use of the interactive system to the customer, and then having the executable program file request downloading of the multimedia data file.
The present invention extends the concept of supplying executable program files that request data or files (which is also the concept behind "push" applets that plug into a web browser) to electronic mail with dramatic results. Whereas in all prior commercial software distribution systems including the system of U.S. Pat. No. 5,877,755, potential users must be identified and persuaded to initiate contact in order to obtain the executable program files, and so forth, the system and method of the present invention can be propagated primarily by the users themselves without the need for advertisements, central mailing lists, and so forth. Each time a user of the system sends an electronic mail message to a non-user and the non-user chooses to read the message, the non-user becomes a participant in the system. From a marketing and distribution standpoint, this aspect of the present invention represents an entirely new paradigm.
(vi) Summary of Differences Between Concept Disclosed in Parent Application and Prior Art
While a number of advantages of controlling the lifespan of electronic mail messages as described in the parent application should be immediately apparent to those skilled in the art, none of the prior systems discussed above is intended to provide such control, nor are they suitable for use in providing such control. The system described in the VDE patents, i.e., U.S. Pat. Nos. 5,892,900, 5,910,987, 5,915,019, and 5,917,912, provides a potential general framework by which electronic mail messages could be limited, but the requirement for new data structures, hardware, and programming paradigms makes it unsuitable for practical application to an electronic mail system. In contrast, although the system and method of the present invention are not limited to any particular electronic mail protocol, they nevertheless are especially suitable for implementation using existing electronic mail protocols, without requiring new data structures, hardware, or other security features. Furthermore, while the remaining patents discussed above generally provide for sender control in the specific context of electronic mail processing or handling, they do not offer (and do not need to offer) a level of control sufficient to ensure that the electronic mail message will in fact be expunged at a desired date or time, or upon the occurrence of a preselected event, and thus are also unsuitable for implementing the invention. Finally, unlike centralized digital file distribution systems such as the one disclosed in U.S. Pat. No. 5,877,755, the pre-distribution or simultaneous distribution of the viewer applet with the electronic mail message, which enables the message to be read by any electronic mail user, permits the "infrastructure" necessary to implement the system to be self-propagating and thereby create what is effectively not only a "virtual distribution environment," but a revolution in distribution and marketing that has the potential to do for software, or at least electronic mail software, what Henry Ford did for automobiles or Ray Kroc for hamburgers.
(vii) Background of Improvements Described in the Present CIP Application
The first improvement to the concept described in the parent application relates to ease-of-use of the sender's electronic mail program. As is described in detail below, the electronic mail controls described in the parent application can be implemented as an applications level electronic mail program with its own user interface. Despite the fact that such a program can be made to resemble, subject to any legal restrictions, any popular electronic mail program with any desired additional usability enhancements, it would also be desirable if the lifespan and handling restrictions could be implemented without the need for a separate applications level electronic mail program, i.e., if the invention could be implemented within the sender's existing electronic mail program. This would save system resources and reduce the learning curve for the sender or originator of the message, and is achieved in accordance with the preferred embodiments described below by providing an electronic mail proxy which creates a window with the desired controls following interception of a send request by the electronic mail program, and/or which modifies addresses in the existing electronic mail program's address book.
The second improvement relates to the electronic mail "wrapper," by which information concerning the sender and the date the message was sent is added to the electronic mail message. All current electronic mail protocols include such a wrapper. In many cases it is as important to control the future handling of the wrapper information and the association of the wrapper with the message, as it is to control the future handling of the message itself. By using an electronic mail server and/or cooperating viewer applet, the electronic mail wrapper can be stripped or edited in any desired manner before the message is presented to the recipient, or the wrapper can be offered as an optional addition or separately from the main message.
The third improvement relates to the storage of messages on a central mail server. While it is possible for the central server to hold all electronic mail messages having lifespan or other handling limitations until expiration, it is more efficient to store at least a portion of the message on the recipient's computer. This can be done by having the viewer applet assume complete responsibility for message handling and expiration, by having the viewer applet retrieve missing portions of the message, the message wrapper, and/or handling and encryption key information each time the message is to be viewed or handled. This can also be done by having the central server retain the keys used by the viewer applet to enable viewing or handling of the message, and transmit the keys to the viewer applet either on a session-by-session basis or on a periodic basis. Alternatively, the viewer applet can simply be required to check in with the central server to ensure that the clock used by the viewer applet has not been tampered with or malfunctioned. The requirement that the viewer applet retrieve information or portions of the message from the central server each time the message is to be viewed or handled is necessary to ensure monitoring of each transaction involving the message, while requiring less contact between the central computer and the recipient computer is more efficient.
The final improvement, which was briefly disclosed in the parent application but is discussed in greater detail herein, has the most far reaching potential of any of the improvements described in this continuation-in-part application, and relates to a by-product of the manner in which a central mail server is used to control forwarding and handling of messages. The improvement is that, in the embodiments of the invention where a central server is involved, the central server may be used to track all persons to whom the message has been forwarded, no matter how many times the message has been forwarded. This enables the mapping of affinity groups having a common interest in a way heretofore considered to be virtually impossible.
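The server-retained-key arrangement described above, sketched as an added example that is not code from this application: the encrypted package sits on the recipient's machine, and the viewer must check in with the central server, whose clock alone decides whether the key is released. The header names X-Lifespan-Id and X-Lifespan-Expires, all class and function names, and the sample addresses are assumptions; the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for a real authenticated cipher.

```python
import base64
import email
import email.policy
import hashlib
import hmac
import os
from datetime import datetime, timezone
from email.message import EmailMessage


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for a real cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    # Separate keys for encryption and for the integrity tag.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("package modified or wrong key")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class KeyServer:
    """Central server: keeps each message key and its expiry."""

    def __init__(self, clock):
        self._clock = clock      # server-side time source
        self._keys = {}          # msg_id -> (key, expires)

    def register(self, msg_id, key, expires):
        self._keys[msg_id] = (key, expires)

    def check_in(self, msg_id):
        """Release the key for one viewing session, or None."""
        entry = self._keys.get(msg_id)
        if entry is None:
            return None
        key, expires = entry
        if self._clock() >= expires:
            # Destroying the key makes every stored or forwarded
            # copy of the ciphertext unreadable from now on.
            del self._keys[msg_id]
            return None
        return key


def build_package(server, sender, recipient, body, expires):
    msg_id, key = os.urandom(8).hex(), os.urandom(32)
    server.register(msg_id, key, expires)
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    # Internal headers: ordinary text to SMTP, meaningful only to
    # the viewer (hypothetical names).
    msg["X-Lifespan-Id"] = msg_id
    msg["X-Lifespan-Expires"] = expires.isoformat()  # advisory only
    sealed = seal(key, body.encode("utf-8"))
    msg.set_content(base64.encodebytes(sealed).decode("ascii"))
    return msg.as_string()


def view(server, raw):
    """Viewer side: never consults the local clock."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    key = server.check_in(str(msg["X-Lifespan-Id"]))
    if key is None:
        return None
    blob = base64.b64decode(msg.get_content())
    return unseal(key, blob).decode("utf-8")


def demo():
    # Constructed sample data: fixed server clock, made-up addresses.
    now = [datetime(2000, 1, 1, tzinfo=timezone.utc)]
    server = KeyServer(lambda: now[0])
    expires = datetime(2000, 1, 8, tzinfo=timezone.utc)
    raw = build_package(server, "alice@example.com",
                        "bob@example.com", "draft results", expires)
    before = view(server, raw)
    now[0] = datetime(2000, 1, 9, tzinfo=timezone.utc)
    after = view(server, raw)
    return before, after, "draft results" in raw


if __name__ == "__main__":
    print(demo())
```

Because expiry is enforced by withholding the key, this controls only copies of the stored package; it gives the server a record of every viewing session, at the cost of one contact per view.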
Currently, mailing lists are generated by purchasing lists from providers of related services, products, or information, and by compiling lists of persons who inquire about the services, products, or information, visitors to web sites, and even persons who live in a certain area or otherwise are demographically likely to show interest in the service or product offered by the mailer. This process of compiling mailing lists is expensive, captures numerous recipients who are not interested in the services, products, or information to which the mailing is directed, and on the other hand is likely to miss many potentially interested parties. The invention, in contrast, offers the possibility of providing mailing lists based on records of where a message has been forwarded, in effect putting to work the contacts and knowledge of the original recipients of the message to create a self-propagating mailing list limited to those most likely to be interested in the products, services, or information.
For example, the product, service, or information provider might send out an initial e-mailing to potentially interested parties assembled into a conventional mailing list. Only those recipients of this e-mailing who are most interested in the product are likely to forward the information to others, and only to those who they know are likely to be interested in the mailing. It is very likely that a provider could use and be willing to subscribe to a service that is able to track such forwarding of their message. Again, therefore, the invention provides revolutionary advances in marketing and dissemination of information, replacing the old hit-or-miss methods of compiling mailing lists by a much more focused and essentially self-propagating listing which should benefit not only the provider of products, services, and information, but also those who would be interested in the mailing as well as those whose mailboxes are full of "spam" and are not likely to be interested in the mailing.
Not only does the invention make it possible to contact the personal contacts of those who have received an e-mailing (i.e., those who follow the "word of mouth" generated by a mailing) as it is forwarded from interested parties to potentially interested parties, but the invention also enables the identification of the interested contacts of any of the selected sub-groups of recipients.
It is accordingly a first objective of the invention to provide an electronic mail system and method in which the originator or sender may control the lifespan of the message, so that the message, and all copies of the message anywhere in the world, disappear at the appropriate time.
It is a second objective of the invention to provide an electronic mail system and method in which all versions and copies of the message are caused to be erased at a time or date selected by the originator or sender using a simple electronic mail client that resembles a conventional electronic mail client or that adds the necessary controls to the originator or sender's existing electronic mail application.
It is a third objective of the invention to provide an electronic mail system and method in which all versions and copies of the message are caused to be erased at a time or date selected by the originator or sender, and which requires only a simple viewer applet that can be distributed to the recipient with the message whose lifespan is to be controlled.
It is a fourth objective of the invention to provide an electronic mail system and method in which all versions and copies of the message are caused to be erased at a time or date selected by the originator or sender, and which also provides sender control of electronic mail processing or handling functions such as forwarding, modification, or printing.
It is a fifth objective of the invention to provide an electronic mail system and method in which all versions and copies of the message are caused to be erased at a time or date selected by the originator or sender, and yet which does not require the establishment by the originator of a virtual distribution environment or network, the system and method instead being set up either by using a centralized server to automatically distribute the necessary viewer each time a new client receives a message from the server that can only be read by the viewer, or by including the viewer with the message, without the need for potential clients to take any action at all other than, optionally, an indication of desire to receive messages originated by software utilizing the principles of the invention.
It is a sixth objective of the invention to provide software for managing electronic mail that enables the originator of the message to set, at the time that he or she composes the message, a self destruct date and time for that email, such that, upon that date and time, and independent, world wide, of the number and types of computers/software that may eventually interact with the message, the number of people who may eventually receive the message, or the number of handling incidents that may eventually impact the message, the message and all of its incarnations will vanish.
It is a seventh objective of the invention to provide software for managing electronic mail that ensures selective sender control of such processing functions as printing, copying, and forwarding, and yet that is relatively simple to implement and that can be used with existing electronic mail protocols.
It is an eighth objective of the invention to provide various methods for establishing an electronic mail system as described above, and in particular for distributing origination and viewer software, in a rapid and efficient manner, so that senders will be able to utilize the controls provided by the invention with messages sent to a large number of potential recipients.
It is a ninth objective of the invention to provide electronic mail software which allows the originator of a message to use an existing electronic mail application for all conventional electronic mail functions, while still enabling the originator to selectively control the expiration date of a message and such processing functions as printing, copying, and forwarding of the message.
It is a tenth objective of the invention to provide an electronic mail system and method which enables control of which portions of the electronic mail wrapper will be deleted or transmitted to the recipient or recipients of the message.
It is an eleventh objective of the invention to provide an electronic mail system and method which tracks information concerning the usage and handling of the message by all recipients or any individual or group of recipients, including without limitation records or information concerning who received the message, who forwarded the message, who modified the message, the electronic mail addresses of all of these entities, and the dates and times of all transactions relating to forwarding and handling of the message.
It is a twelfth objective of the invention to provide records or information on the usage and handling of a message by all recipients of the message or by any defined sub-groups of recipients, and further to provide for control or modification of the lifespan and/or handling limitations of messages received by members of any such sub-groups.
In accordance with the principles of several preferred embodiments of the invention, the objectives relating to sender control of the lifespan and handling of messages sent over an open network are achieved by providing an electronic mail system and method in which the viewing of the electronic mail message is possible only through a viewer programmed to execute permitted handling and/or processing functions, and in which only encrypted versions of the electronic mail are permitted to exist. Unlike the "containers" of the virtual distribution environment described in U.S. Pat. Nos. 5,892,900, 5,910,987, 5,915,019, and 5,917,912, the electronic mail packages of the present invention can be sent through existing conventional electronic mail distribution channels over an open network such as the Internet employing standard protocols such as SMTP, and a simple user interface that can be used by any electronic mail user, without the need for enhanced or new data structures. On the other hand, unlike the electronic mail cancellation structure of U.S. Pat. No. 5,870,548, access and handling controls to the message are always retained by the originator of the message.
Thus, in its broadest form, the invention involves controlling access to the electronic mail message by permitting the message to be viewed and manipulated only by a viewer program or applet responsive to the commands set by the originator of the message. The commands may be transmitted in the form of message attributes included in a header that forms a part of the electronic mail object, and that normally includes such information as the date the message was created, the time that the message was sent, the sender, a title or name of the message, and other information about the document. Such attributes are commonly referred to as an Interchange Document Profile (IDP). It has previously been known to use space in the IDP to cause a message to be automatically forwarded or resent, or to require a persistent reply, as disclosed for example in U.S. Pat. Nos. 5,878,230 and 5,325,310, but the systems disclosed in these patents cannot be used for purposes of the present invention because they surrender control of the electronic mail to the recipient once the message has been forwarded or replied to.
Those skilled in the art will appreciate that although the invention is designed to enable the originator of a message to set a date, time, or event at which all incarnations of the message will self-destruct, the technology that causes all of the incarnations to be destroyed also permits the originator of the message to cause only some of the incarnations of the message to be destroyed. For example, the originator might wish to permit saving of copies of the message sent to his or her attorneys from the general self-destruction, or the originator might wish to extend or foreshorten the expiration date for certain recipients of the message.
There are currently three principal preferred embodiments of the invention, but the invention is not intended to be limited to any of the preferred embodiments. In a first preferred embodiment of the invention, control of expiration and access to the electronic mail message is achieved by storing the electronic mail message on a designated central electronic mail server, encrypting the message with a public key generated by viewer software at the receiving end, and transmitting the electronic mail message to the recipient whenever viewing is desired by the viewer and permitted by the originator.
In a second preferred embodiment of the invention, the encrypted electronic mail message is stored on the recipient's computer and access to the message is controlled solely by viewer software also installed on the recipient's computer. In this embodiment, session keys can still be provided by the central server before viewing of the locally stored message is permitted, either on a session-by-session basis or periodically, or the viewer software can at least be required to check-in with the central server before viewing is permitted so as to ensure that the recipient computer's clock is accurate and that the message will be expunged upon the occurrence of the selected time, date, or event.
In the third preferred embodiment of the invention, which is added by the present continuation-in-part application, control of expiration and access rights to the electronic mail message is achieved by delivering a stripped version of the message in encrypted form via the designated central mail server to the recipient's viewer software for storage on the recipient's computer, and by retaining in the central mail server the message wrapper, handling and encryption-key information, and/or portions of the message, thereby requiring the viewer applet to report back to the central server each time the message is to be viewed or handled to enable the central server to directly control and track each transaction involving the message.
In each of these preferred embodiments of the invention, the encryption system by which message access to the viewer software is limited is preferably a public key/private key cryptosystem. In the first preferred embodiment of the invention, the public/private key pairs include a central server public/private key pair generated by the central server and a viewer public/private key pair generated by the viewer applet, either once or each time a message is to be read, the public key of the central server being used to encrypt the message for transmission from the sender to the central server, and the viewer applet's public key being transmitted from the viewer applet back to the central server for use in encrypting transmissions from the central server to the viewer applet. In the second preferred embodiment of the invention, the viewer applet's public key is preferably sent back to the original sender for use in encrypting the transmission. In addition, it is possible even in the first and third preferred embodiments to transmit the viewer applet's public key back to the sender to ensure that the message is kept private even from the central server.
In the case where a central electronic mail server is provided, distribution of the viewer applet may be accomplished by downloading the viewer applet from the server upon request from the recipient, or automatically with the electronic mail. Alternatively, the software may be transmitted directly from the originator software to a recipient as an electronic mail attachment without intervention of an electronic mail server, the attachment being self-executing upon opening by the recipient. The viewer applet preferably also includes message origination software, which may optionally be activated either freely or upon payment of a registration or subscription fee, or the message origination software may be provided as an upgrade or separate plug-in program distributed through the usual software distribution channels.
The message origination software may, in one preferred implementation, have an interface that resembles those of conventional electronic mail programs, but with the addition of buttons that permit setting of an expiration date and, optionally, other handling or processing limitations or rights, such as forwarding limitations or rights, as well as the right to print, and that cause appropriate flags to be toggled or set in the IDP or in a header portion of the electronic mail object.
Alternatively, the message origination software may take the form of a "control applet" that creates a window in response to the execution in an existing electronic mail program of the "send" command, and which queries the originator as to whether the above-mentioned lifespan or other handling limitations are desired. If the originator indicates that controls are desired, the control applet prompts the user for necessary information such as an expiration date, and proxies the message to the central mail server in the case of the first and third embodiments, or encrypts the message after an exchange of keys and sends the message directly to the recipient's computer in the case of the second embodiment. The trigger for creating the window may be an intercepted send command, in which case the control applet may include a shim positioned between the originator's existing electronic mail program and the SMTP stack.
Instead of or in addition to the inclusion of a control applet as described above, the lifespan and handling controls of the invention may be implemented by modifying the message originator's address book so that all or selected outgoing messages are automatically proxied to a central mail server for encryption, sending, and future handling of the message. Control options may be selected through a dialog box at the time the user enters recipient information, as part of the address book set-up, or as part of a separate program that permits selection of control options and automatically modifies all or selected addresses already in the address book.
In each version of the message origination or message control software, it is possible to include a message cancellation feature or "oops" button that allows immediate cancellation or deletion of a message after sending, or cancellation of a message before the designated expiration date, time, or event, by sending a cancellation message to the central server or recipient's viewer applet.
Upon the date, time, or event at which message expunging is to occur, the invention provides for triple erasing of the message by the central server, in the case of the first preferred embodiment, or by the viewer applet, in the case of the second preferred embodiment. In addition, in either embodiment, but particularly in the case of the second preferred embodiment, expunging of the message can be accomplished by triple erasing such encryption keys as to render its encryption impossible. If the first preferred embodiment of the invention is utilized, then triple erasing the message will ensure that the sent message is completely expunged from the face of the earth since the central server maintains the only copy of the message. On the other hand, while the second and third preferred embodiments of the invention may not necessarily prevent copies of the encrypted electronic mail object from being made, erasing of the decryption key or setting of the viewer so that it will no longer decrypt the electronic mail object ensures that the "message," as opposed to the mail object, is still effectively expunged from the face of the earth.
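The check-in and key-erasure behavior of the second and third embodiments can be modeled in a few lines. The following is an added illustration, not code from the patent or from any product: the class and function names are hypothetical, a symmetric per-message key is substituted for the public key/private key cryptosystem the text prefers, and the cipher is a standard-library stand-in for a vetted AEAD.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 keystream, no integrity tag) so the example
    # runs on the standard library; real code would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class CentralServer:
    """Hypothetical server that retains keys and handling policy, not the stored copy."""
    def __init__(self):
        self._records = {}  # message id -> {"key", "expires", "rights"}

    def seal(self, msg_id, plaintext, expires, rights):
        key, nonce = bytearray(os.urandom(32)), os.urandom(16)
        self._records[msg_id] = {"key": key, "expires": expires, "rights": set(rights)}
        return nonce + _xor_stream(bytes(key), nonce, plaintext)  # kept by the recipient

    def check_in(self, msg_id, action, now):
        """Release the key only if the server's own clock and the policy allow it."""
        rec = self._records.get(msg_id)
        if rec is None:
            return None
        if now >= rec["expires"]:
            self.expunge(msg_id)
            return None
        return bytes(rec["key"]) if action in rec["rights"] else None

    def expunge(self, msg_id):
        """Expiration or sender cancellation: overwrite the key (best effort in
        Python), then drop the record so no later check-in can succeed."""
        rec = self._records.pop(msg_id, None)
        if rec:
            for i in range(len(rec["key"])):
                rec["key"][i] = 0

def viewer_open(server, msg_id, package, action, now):
    """Viewer side: the locally stored package is unreadable without a fresh key.
    `now` stands for the server's clock, passed in so the demo is deterministic."""
    key = server.check_in(msg_id, action, now)
    if key is None:
        return None
    return _xor_stream(key, package[:16], package[16:])

if __name__ == "__main__":
    srv = CentralServer()
    pkg = srv.seal("m1", b"constructed sample text", expires=100.0, rights={"view"})
    print(viewer_open(srv, "m1", pkg, "view", now=50.0))   # plaintext
    print(viewer_open(srv, "m1", pkg, "view", now=150.0))  # None: key erased
```

Because expiry is judged on the server and the key is destroyed there, setting the recipient's clock back does not restore access to a copied package.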
In addition to providing lifespan or handling limitations, the system and method of any of the above embodiments of the invention may be arranged to also enable selection of which portions of the electronic mail wrapper are to be deleted or transmitted to the recipient. When either the central server or viewer applet receives a message, it can transmit as much or as limited a record of the wrapper to the recipient as may be determined by the central server or viewer applet, allowing the central mail server to, by way of example, strip the date the message was sent or some or all of the sender data from the sent message before delivery to or viewing by the recipient.
In an especially useful extension of the concept of the first and third principal embodiments of the invention, both of which involve the use of a designated central mail server to provide encryption functions and to control future handling of messages, the central mail server can be arranged to track transactions involving a message and compile records of the transactions. If desired, the records of all transaction information about the usage and handling of the message, referred to hereinafter as the message completion space (MCS), can also be divided into subspaces, and information gathered with respect to the entire MCS or selected subspaces, such as the subspace of all recipients with a particular electronic mail address domain, the group of persons to which a particular recipient has forwarded a message (which may be referred to as an "affinity group" for that recipient), the group of recipients who have handled a message in a particular way, the group of recipients who have received an nth level forward, and so forth. In addition, not only can information related to the subspaces be obtained, but control of the messages, including control of message lifespan, handling, and of the message wrapper, can then be directed to versions of the message received by recipients in a particular subspace.
Finally, to protect the privacy of system users, the recipient of a message may be given the opportunity to opt-out of the information gathering process, or be required to opt-in before being included in a tracked affinity group. The latter option is especially advantageous because it ensures that any members identified with an affinity group will already have affirmatively indicated their willingness to be identified with the group.
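The message completion space and its subspaces, together with the opt-in rule, can be pictured as a small server-side data structure. This is an added sketch, not the patent's implementation; the class, method names, and example.* addresses are hypothetical or constructed.

```python
from collections import defaultdict

class MessageCompletionSpace:
    """Hypothetical per-message transaction record kept by the central server."""
    def __init__(self, originator):
        self.level = {originator: 0}      # address -> forward depth from originator
        self.forwards = defaultdict(set)  # forwarder -> addresses forwarded to
        self.handled = defaultdict(set)   # action -> addresses that performed it
        self.opted_in = set()             # addresses that agreed to be tracked
        self.expires = {}                 # address -> per-recipient expiry override

    def record_forward(self, sender, recipient):
        if sender not in self.level:
            raise ValueError("forward from an address outside this message's space")
        self.forwards[sender].add(recipient)
        self.level.setdefault(recipient, self.level[sender] + 1)

    def record_action(self, address, action):
        self.handled[action].add(address)

    def _visible(self, addresses):
        # Opt-in rule: only recipients who agreed are ever reported in a subspace.
        return {a for a in addresses if a in self.opted_in}

    def affinity_group(self, forwarder):
        return self._visible(self.forwards.get(forwarder, ()))

    def nth_level(self, n):
        return self._visible(a for a, depth in self.level.items() if depth == n)

    def by_domain(self, domain):
        want = domain.lower()
        return self._visible(a for a in self.level if a.rsplit("@", 1)[-1].lower() == want)

    def by_action(self, action):
        return self._visible(self.handled.get(action, ()))

    def set_expiry(self, addresses, when):
        """Direct a lifespan change at the copies held by one group of recipients."""
        for a in addresses:
            self.expires[a] = when

def demo():
    """Constructed forwarding history: sender -> a, b; a -> c, d. Only a and c opt in."""
    mcs = MessageCompletionSpace("sender@example.com")
    mcs.record_forward("sender@example.com", "a@example.org")
    mcs.record_forward("sender@example.com", "b@example.net")
    mcs.record_forward("a@example.org", "c@example.org")
    mcs.record_forward("a@example.org", "d@example.net")
    mcs.record_action("c@example.org", "print")
    mcs.record_action("d@example.net", "print")
    mcs.opted_in.update({"a@example.org", "c@example.org"})
    mcs.set_expiry(mcs.nth_level(2), 500.0)
    return mcs
```

In `demo()`, `d@example.net` received a second-level forward and printed the message but never appears in any reported subspace because it did not opt in.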