Communications - August 2008

formation, and the copies of the infor-
mation on tape.
maRGo seLtzeR: It seems that there
are two sides to this. I agree that’s a
nice solution to the deletion prob-
lem, but it concerns me because you
may get the unintended consequence,
which is now you’ve got a key manage-
ment problem. Given my own abil-
ity to keep track of my passwords, the
thought of putting stuff I care about on
an encrypted device where if I lose the
key, I’ve lost my data forever, is a little
scary.
steVe KLeiman: We have a technology
that does exactly that. It turns into a
hierarchical key management system.
Margo’s right. When you care about
doing stuff like that, you have to get se-
rious about it. Once you lose or delete
that key, it’s really, really, truly, gone.
maRGo seLtzeR: And given that my
greatest love of snapshots comes from
that time that I inadvertently deleted
the thing that I didn’t want to, inadver-
tent key deletion really scares me.
steVe KLeiman: That’s why people
won’t do it, right? I think it’ll be done
for very specific reasons with pre-
thought intent that says, “Look, for
legal reasons, because I don’t want to
be sued, I don’t want this document to
exist after five years.”
Today, data ownership has a very
real burden. For example, you have
an obligation to protect things like
your customers’ credit card numbers,
or Social Security numbers, and this
obligation has a real cost. This gives
you a way of relieving yourself of that
burden when you want to.
maRGo seLtzeR: I hear you and I be-
lieve it at one level, but at another
level, I can’t help but think of the
dialogue boxes that pop up that say,
“Do you really mean to do this?” and
we’re all trained to click on them and
say “Yes.” I’m concerned about how
seriously humans will take an abso-
lute delete.
eRiK RieDeL: Margo, you’ve pointed
out a much bigger problem. Today,
one of the key problems within all
security technology is that the usabil-
ity is essentially zero. With regards to
Web page security, it’s amazing what
people are willing to click and ignore.
As long as there’s a lock icon some-
where on the page, it’s fine.
eRic BRe WeR: If we made deletion a

right, this would get sorted out. I could expect business relationships of mine to delete all records about me after our relationship ceased. The industry

maRGo seLtzeR would figure it out. If you project out Given my own 30 years, the amount you can infer given what’s out there is much worse

ability to keep track than what’s known about you today.
of my passwords, maRy BaKeR: It’s overwhelming and
there’s no way to pull it back in. Once
the thought of it’s out there, there’s no control.
^putting ^stuff ^{mache cReeGeR:}^{Now that we all}agree that there should be a way to
i care about on make information have some sort of
_an _encrypted time-to-live or be able to disappear at _some _future _direction, _what _recom-device where if mendations can we make?
i lose the key, i’ve ^maRGo ^seLtzeR: ^There’s ^a ^funda-mental conflict here. We know how to
lost my data forever, do real deletion using encryption, but
for every benefit there’s a cost. As an

is a little scary. industry, people have already demonstrated that the cost for security is too high. Why are our systems insecure? No one is willing to pay the cost in either usability or performance to have true security.

In terms of deletion, there’s a similar cost-benefit relationship. There is a way to provide the benefit, but the cost in terms of risk of losing data forever is so high that there’s a tension. This fundamental tension is never going to be fully resolved unless we come up with a different technology. eRic BReWeR: If what you want is time to change your mind, we could just wait awhile to throw away the key. maRGo seLtzeR: The best approach I’ve heard is that you throw away bits of the key over time. Throwing away one bit of the key allows recovery with a little bit of effort. Throw away the second bit and it becomes harder, and so on.

eRic BReWeR: But ultimately you’re either going to be able to make it go away or you’re not. You have to be willing to live with what it means to delete. Experience always tells us that there’s regret when you delete something you would rather keep.

Mache Creeger ( mache@creeger.com) is a technology industry veteran based in Silicon Valley. Along with being a columnist for ACM Queue, he is the principal of Emergent Technology Associates, marketing and business development consultants to technology companies worldwide.

Cover
CII
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
CIII
CIV

one page

share

print

SlideShow

fullscreen

Click to subscribe to this magazine

Open Article

article text for page

< previous story | next story >

Share this page with a friend
Save to “My Stuff”
Subscribe to this magazine
Search
Help