[liberationtech] Auto expiring document/files & 'rights to be forgotten'
Seth David Schoen
schoen at eff.org
Thu Jan 26 12:04:52 PST 2012
Todd Davies writes:
> A medical patient whose daily
> life is monitored might produce reams of data every day, for
> example, and the patient might want the data to "expire" after some
> time has elapsed. If these data are stored on private servers
> accessible only to a few people (patient, doctor...), and access is
> restricted to a controlled environment such as the medical
> providers' facility, it could be made very unlikely that they will
> leak past the expiration date.
I think one of the most useful ideas along these lines for some threat
models is Keypad
http://www.cs.washington.edu/homes/roxana/acads/projects/vanish/eurosys2011keypad.pdf
which, at least in its basic form, is a discretionary, not mandatory,
access control system which can fail safe with respect to various
security policies.
The idea is that users voluntarily accept the encryption of documents
they use with keys controlled by a server, because the users
recognize the sensitivity of the documents and the severity of
some threats, especially the physical loss of control of the users'
devices. This seems extremely sensible in the case of, say, a
doctor's laptop containing patient data, or an activist's or
journalist's or researcher's laptop containing sensitive information
about victims of war crimes.
In the Keypad scheme, if the device is lost or stolen, a server
operator can turn off that device's access to decryption keys, so
the documents that are on it can no longer be read. (The server
operator can also tell which documents, if any, the thief succeeded
in reading.) If the device is recovered or turned out not to have
been stolen at all, the access can be re-enabled easily.
A difference between Keypad and DRM as usually conceived is that
Keypad doesn't include any tamper-resistance or anti-circumvention
or (probably) technical measures against exporting data from the
system. The idea, again, is that users are assumed to cooperate with
the system because they broadly agree with its security goals, and
because they believe that data in the system gets a kind of protection
that's important to them. (It might also be the policy of, say, a
hospital that employees should cooperate with the system, but it is
still basically a discretionary access control.)
You could use Keypad to create a default where documents automatically
expire after a certain period, and technical means of implementing
this. Users would be able to work around the expiration by exporting
the documents beyond the control of Keypad, but, as many people have
said in this thread, there is really no way to stop people from doing
that under normal civilian conditions. (Some military organizations
do try, by, for example, forbidding people from even _possessing_ a
camera, audio recorder, flash drive, or other electronic or recording
device in the presence of systems where classified information is
processed.)
The main disadvantage for the Keypad approach seems to be that it
requires a very high level of network connectivity to work in its
safest configuration, which is plausible in a hospital and not so
plausible in a rural environment.
--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
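A small model of the two behaviours the message describes, the server-side revocation and audit of a lost device and the default expiry of documents, as an added example that is not code from the Keypad paper or from Seth Schoen's message. The names (`KeyServer`, `Device`, `request_key`, `revoke_device`) and the HMAC-SHA256 counter-mode keystream standing in for a real authenticated cipher are assumptions made for this illustration; the file ids, the patient note and the clock values are constructed.

```python
"""Toy Keypad-style key server: files on the device are ciphertext only and
every read fetches the per-file key from a server that can refuse it.
Added illustration; the Keypad design itself is described in the paper."""
import hashlib
import hmac
import os
import time


class AccessDenied(Exception):
    """The server declined to release a key (revoked device, expired file...)."""


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stand-in for a real AEAD such as AES-GCM.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity tag
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyServer:
    """Holds every file key; the device itself never keeps one at rest."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.file_keys = {}         # file_id -> (key, expires_at or None)
        self.revoked = set()        # device ids whose key access is switched off
        self.audit = []             # (timestamp, device_id, file_id, outcome)

    def register_file(self, file_id, ttl_seconds=None):
        key = os.urandom(32)
        expires = self.clock() + ttl_seconds if ttl_seconds else None
        self.file_keys[file_id] = (key, expires)
        return key

    def revoke_device(self, device_id):
        self.revoked.add(device_id)       # "laptop reported stolen"

    def reinstate_device(self, device_id):
        self.revoked.discard(device_id)   # "laptop recovered"

    def request_key(self, device_id, file_id):
        now = self.clock()
        key, expires = self.file_keys.get(file_id, (None, None))
        if device_id in self.revoked:
            outcome = "denied:revoked"
        elif key is None:
            outcome = "denied:unknown-file"
        elif expires is not None and now > expires:
            outcome = "denied:expired"
        else:
            outcome = "granted"
        self.audit.append((now, device_id, file_id, outcome))  # every attempt is logged
        if outcome != "granted":
            raise AccessDenied(outcome)
        return key

    def files_read_by(self, device_id, since=0):
        """What the operator can tell a thief managed to open on a given device."""
        return sorted({f for ts, d, f, o in self.audit
                       if d == device_id and o == "granted" and ts >= since})


class Device:
    def __init__(self, device_id, server):
        self.id, self.server, self.store = device_id, server, {}

    def save(self, file_id, plaintext, ttl_seconds=None):
        key = self.server.register_file(file_id, ttl_seconds)
        self.store[file_id] = encrypt(key, plaintext)  # only ciphertext stays on disk

    def open(self, file_id):
        key = self.server.request_key(self.id, file_id)  # no server, no plaintext
        return decrypt(key, self.store[file_id])


def demo():
    """Walk through loss, revocation, recovery and expiry; returns the outcomes."""
    clock = [1_000_000.0]                                  # constructed fake clock
    server = KeyServer(clock=lambda: clock[0])
    laptop = Device("doctor-laptop", server)
    note = b"constructed patient note"
    laptop.save("chart-0001", note, ttl_seconds=86400)    # expires after one day by default

    def try_open():
        try:
            return laptop.open("chart-0001") == note
        except AccessDenied:
            return False

    first = try_open()
    server.revoke_device("doctor-laptop")                  # operator reacts to the theft report
    while_revoked = try_open()
    server.reinstate_device("doctor-laptop")               # laptop turns up after all
    after_reinstate = try_open()
    clock[0] += 2 * 86400                                  # two days later
    after_expiry = try_open()
    return {"first_read": first, "read_while_revoked": while_revoked,
            "read_after_reinstate": after_reinstate, "read_after_expiry": after_expiry,
            "audit": [o for _, _, _, o in server.audit],
            "files_read": server.files_read_by("doctor-laptop")}


if __name__ == "__main__":
    print(demo())
```

The model makes the trade-off in the message concrete: because `Device.open` cannot produce plaintext without `request_key` succeeding, the server's refusal is what protects a lost laptop, the audit list is what tells the operator which charts were opened, and the TTL is the expiry default. The same dependency is the cost noted at the end of the message: with no route to the server, even the legitimate owner reads nothing.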