formation, and the copies of the infor-
mation on tape.
maRGo seLtzeR: It seems that there
are two sides to this. I agree that’s a
nice solution to the deletion prob-
lem, but it concerns me because you
may get the unintended consequence,
which is now you’ve got a key manage-
ment problem. Given my own abil-
ity to keep track of my passwords, the
thought of putting stuff I care about on
an encrypted device where if I lose the
key, I’ve lost my data forever, is a little
steVe KLeiman: We have a technology
that does exactly that. It turns into a
hierarchical key management system.
Margo’s right. When you care about
doing stuff like that, you have to get se-
rious about it. Once you lose or delete
that key, it’s really, really, truly, gone.
maRGo seLtzeR: And given that my
greatest love of snapshots comes from
that time that I inadvertently deleted
the thing that I didn’t want to, inadver-
tent key deletion really scares me.
steVe KLeiman: That’s why people
won’t do it, right? I think it’ll be done
for very specific reasons with pre-
thought intent that says, “Look, for
legal reasons, because I don’t want to
be sued, I don’t want this document to
exist after five years.”
Today, data ownership has a very
real burden. For example, you have
an obligation to protect things like
your customers’ credit card numbers,
or Social Security numbers, and this
obligation has a real cost. This gives
you a way of relieving yourself of that
burden when you want to.
maRGo seLtzeR: I hear you and I be-
lieve it at one level, but at another
level, I can’t help but think of the
dialogue boxes that pop up that say,
“Do you really mean to do this?” and
we’re all trained to click on them and
say “Yes.” I’m concerned about how
seriously humans will take an abso-
eRiK RieDeL: Margo, you’ve pointed
out a much bigger problem. Today,
one of the key problems within all
security technology is that the usabil-
ity is essentially zero. With regards to
Web page security, it’s amazing what
people are willing to click and ignore.
As long as there’s a lock icon some-
where on the page, it’s fine.
eRic BRe WeR: If we made deletion a
right, this would get sorted out. I could
expect business relationships of mine
to delete all records about me after
our relationship ceased. The industry
maRGo seLtzeR would figure it out. If you project out
Given my own 30 years, the amount you can infer
given what’s out there is much worse
ability to keep track than what’s known about you today.
of my passwords, maRy BaKeR: It’s overwhelming and
there’s no way to pull it back in. Once
the thought of it’s out there, there’s no control.
putting stuff mache cReeGeR: Now that we all agree that there should be a way to
i care about on make information have some sort of
an encrypted time-to-live or be able to disappear at some future direction, what recom-
device where if mendations can we make?
i lose the key, i’ve maRGo seLtzeR: There’s a funda- mental conflict here. We know how to
lost my data forever, do real deletion using encryption, but
for every benefit there’s a cost. As an
is a little scary. industry, people have already demonstrated that the cost for security is too
high. Why are our systems insecure?
No one is willing to pay the cost in either usability or performance to have
In terms of deletion, there’s a similar cost-benefit relationship. There is
a way to provide the benefit, but the
cost in terms of risk of losing data forever is so high that there’s a tension.
This fundamental tension is never
going to be fully resolved unless we
come up with a different technology.
eRic BReWeR: If what you want is
time to change your mind, we could
just wait awhile to throw away the key.
maRGo seLtzeR: The best approach
I’ve heard is that you throw away bits
of the key over time. Throwing away
one bit of the key allows recovery with
a little bit of effort. Throw away the
second bit and it becomes harder, and
eRic BReWeR: But ultimately you’re
either going to be able to make it go
away or you’re not. You have to be
willing to live with what it means to
delete. Experience always tells us that
there’s regret when you delete something you would rather keep.
Mache Creeger ( firstname.lastname@example.org) is a technology
industry veteran based in Silicon Valley. Along with
being a columnist for ACM Queue, he is the principal of
Emergent Technology Associates, marketing and business
development consultants to technology companies
© 2008 ACM 0001-0782/08/0800 $5.00