A match made in privacy heaven?

If you read my previous blog post, you’ll note that my company recently launched an Android mobile phone app called 1ncemail. The goal of 1ncemail is to prevent merchants from tracking your purchase while still enabling them to send you your receipt via email. By opening up 1ncemail, you get an email alias that forwards to your regular email but the alias disappears after it is used such that the merchant can’t spam you or sell your email address or more importantly track you across your purchase. This is especially important where the company tracking you might not be an individual merchant but a payment processor (say Square, cough cough).

So fast forward to today where, as an avid user of random password generating security browser plug in LastPass, I had an epiphany. You see LastPass will generate a random string of characters (using constraints you set like upper and lower case, special characters, numbers, etc) to use as your password on a site. LastPass stores the password for you, encrypted with a master password, so you don’t have to remember “O6ff$4dr9#.” Now, I’ve had people suggest to me that 1ncemail provide aliases for use for registering to websites but I rejected it because it didn’t fit the onetime use model of 1ncemail because people need to be able to reset their passwords, get updates, etc. So if you haven’t figured out my epiphany, I’ll spell it out for you:

What if, just imagine if,,,,not only did LastPass provide a unique password (which protects you against security breaches of your password spilling over from one site to the next) but actually also provided a unique email alias. That alias would ONLY be good for that domain and only allow them to send you emails. It wouldn’t prevent tracking of you on their site but it would prevent them from selling your email or providing it to a data aggregator who could cross reference your purchases from one site to another. While you could do this with LastPass now, using mailinator or one of the other random email websites, the process is laborious, akin to generating your own unique passwords. Seemless integration with LastPass would be amazing!

LastPass remembers your passwords so that you can focus on the more important things in life.

So what do you say LastPass? Want to partner up? Now, I’m under no illusion. The geniuses at LastPass may have already considered this and rejected for some reason I haven’t though of or they could just take my idea and run with it. Nothing patentable about what I’m doing with 1ncemail. However, I’d love to partner up with them or at the least get credit if they decide to implement this idea. I’m just excited to use it.

Oh, and LastPass, please start accepting #bitcoin for premium use.


Update: Looks like my idea was proposed 2 years ago. See https://forums.lastpass.com/viewtopic.php?f=7&t=83723&p=277575&hilit=email+alias I thinking i should just create a browser add-on that supports this feature even if not integrated seamlessly with LastPass.


The KnowledgeNet speech in Boca Raton went really well. I got some great positive feedback.  In fact it was suggested that I propose to give the speech (or a similar one) at one of the IAPP’s national conferences. In addition, my preparation for the speech spurred my interested in several areas which I hope to explore, both within this blog and outside of it. 

The first, in trying to develop a simple PbD (Privacy by Design) example, I ran into the issue of protecting emails while still supplying the system with contact information.  Some people use one time email services (like Mailinator).  However, these have several potential downfalls, primary of which the email service can read your email and secondly, for some, you can only get email once.  I’m going to return to this subject when I have some time to do some more investigation.  I know there are other services out there that might fit the bill, I just need to find an innovative solution to this problem. 

Another issue that I found is that privacy professionals really need to be versed in cryptography.  They don’t need to actually know how the cryptography works, they just need to know about the capablities so they can demand those of their product development teams.  Things like zero knowledege proofs, homomorphic encryption, hasing.  I’m going to try and write an e-book about this but I think first I write each chapter (on a different technology as a blog post).

Still another issue that raised its head is the concept of provable audit-ability.  Most auditor just have to take the IT professional’s word that certain information/systems are secure.  Take for example, a developer who makes a backup of production data on an orphan server.  Nobody knows about it except the developer.  Nobody audits the access controls on that box because they don’t even know about it.  How is an audit supposed to find it?  The concept of provable audit-ability goes to proving with mathematical certainty that nobody tampered with or has access without authorization.  It’s doable, if organizations are willing to consider privacy by design rather than privacy by accident.  Currently auditors say “we think we’re secure” but they really don’t know and they can’t know until a breach occurs and it’s too late.

Giving this speech has put a lot on my mind and there are many more blog posts to make in the coming weeks.  Let’s hope I can find time to put the pen to paper, so to speak.