Vanish: Increasing Data Privacy with Self-Destructing Data · 2009-08-19
TRANSCRIPT
Page 1
Vanish: Increasing Data Privacy with Self-Destructing Data
Roxana Geambasu
Yoshi Kohno
Amit Levy
Hank Levy
University of Washington
Page 2
Outline
Part 1: Introducing Self-Destructing Data
Part 2: Vanish Architecture and Implementation
Part 3: Evaluation and Applications
Page 3
Motivating Problem: Data Lives Forever
How can Ann delete her sensitive email?
- She doesn’t know where all the copies are
- Services may retain data for long after user tries to delete
[Figure: Ann sends a sensitive email ("This is sensitive stuff.") to Carla through an ISP; copies of it accumulate at Ann, the ISP, and Carla.]
Page 4
Archived Copies Can Resurface Years Later
[Figure: some time later, the archived copies held by Ann, the ISP, and Carla are exposed through subpoena, hacking, etc.: a retroactive attack on archived data.]
Page 5
The Retroactive Attack
[Timeline: upload data; user tries to delete; copies archived; months or years later, the retroactive attack begins.]
Page 6–7
Why Not Use Encryption (e.g., PGP)?
[Figure: the same scenario with the message encrypted; the archived copies at Ann, the ISP, and Carla remain exposed to subpoena, hacking, etc.]
Page 8–9
Why Not Use a Centralized Service?
[Figure: Ann and Carla exchange data through a centralized service that says “Trust us: we’ll help you delete your data on time.”; a backdoor agreement links the service to the ISP.]
Page 10–13
The Problem: Two Huge Challenges for Privacy
1. Data lives forever
  - On the web: emails, Facebook photos, Google Docs, blogs, …
  - In the home: disks are cheap, so no need to ever delete data
  - In your pocket: phones and USB sticks have GBs of storage
2. Retroactive disclosure of both data and user keys has become commonplace
  - Hackers
  - Misconfigurations
  - Legal actions
  - Border seizing
  - Theft
  - Carelessness
Page 14–15
Question: Can we empower users with control of data lifetime?
Answer: Self-destructing data
[Timeline: upload data; user tries to delete; copies archived; months or years later, the retroactive attack begins. Self-destructing data adds a timeout at which all copies self-destruct, before the attack can begin.]
Page 16–18
Self-Destructing Data Model
1. Until timeout, users can read original message
2. After timeout, all copies become permanently unreadable
  2.1. even for attackers who obtain an archived copy & user keys
  2.2. without requiring explicit delete action by user/services
  2.3. without having to trust any centralized services
Goals of Self-Destructing Data
[Figure: Ann sends Carla sensitive self-destructing data (with a timeout) through the ISP.]
Page 19
Outline
Part 1: Introducing Self-Destructing Data
Part 2: Vanish Architecture and Implementation
Part 3: Evaluation and Applications
Page 20
Vanish: Self-Destructing Data System
- Traditional solutions are not sufficient for self-destructing data goals:
  - PGP
  - Centralized data management services
  - Forward-secure encryption
  - …
- Let’s try something completely new!
Idea: Leverage P2P systems
![Page 21: Vanish: Increasing Data Privacy with Self-Destructing Data · 2009-08-19 · How can Ann delete her sensitive email? She doesn’t know where all the copies are Services may retain](https://reader034.vdocuments.net/reader034/viewer/2022042017/5e751b835f85050bd5705cd1/html5/thumbnails/21.jpg)
� A system composed of individually-owned computers that make
a portion of their resources available directly to their peers without intermediary managed hosts or servers. [~wikipedia]
Important P2P properties (for Vanish):
� Huge scale – millions of nodes
� Geographic distribution – hundreds of countries
� Decentralization – individually-owned, no single point of trust
� Constant evolution – nodes constantly join and leave
P2P 101: Intro to Peer-To-Peer Systems
21
Page 22
Distributed Hashtables (DHTs)
- Hashtable data structure implemented on a P2P network
  - Get and put (index, value) pairs
  - Each node stores part of the index space
- DHTs are part of many file sharing systems:
  - Vuze, Mainline, KAD
  - Vuze has ~1.5M simultaneous nodes in ~190 countries
- Vanish leverages DHTs to provide self-destructing data
  - One of few applications of DHTs outside of file sharing
[Figure: logical structure of a DHT.]
Page 23–25
How Vanish Works: Data Encapsulation
[Figure: Ann calls Vanish Encapsulate(data, timeout). Vanish picks a random key K and computes C = E_K(data). K is split by secret sharing (M of N) into shares k1, k2, k3, …, kN, which are scattered into the world-wide DHT at locations determined by the access key L. The Vanish Data Object VDO = {C, L} is what Ann sends to Carla; K itself is not stored anywhere.]
Page 26–28
How Vanish Works: Data Decapsulation
[Figure: Carla calls Vanish Decapsulate(VDO = {C, L}). Using L, Vanish looks up the shares k1, k2, k3, …, kN in the world-wide DHT, recombines them with secret sharing (M of N) to recover K, and computes data = D_K(C). On page 28 one share (k2) is already missing from the DHT (marked X); with at least M of the N shares still retrievable, K and the data are still recovered.]
Page 29
How Vanish Works: Data Timeout
- The DHT loses key pieces over time
  - Natural churn: nodes crash or leave the DHT
  - Built-in timeout: DHT nodes purge data periodically
- Key loss makes all data copies permanently unreadable
[Figure: after the timeout the shares in the world-wide DHT are gone (marked X); secret sharing (M of N) can no longer rebuild K, so data = D_K(C) cannot be computed from any copy of the VDO.]
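The encapsulate, decapsulate, and timeout steps of the three preceding slides, as an added example that is not part of the talk or of the Vanish release. It assumes a simulated in-memory DHT (`SimulatedDHT`, with a purge timeout and a `churn` method standing in for nodes leaving), a Shamir M-of-N split over the field mod 2^521 - 1, an HMAC-SHA256 counter-mode keystream standing in for the symmetric cipher E_K, and share locations derived from L with SHA-256; the sample message and the 8-hour timeout are constructed for the example.

```python
"""Toy model of Vanish: M-of-N key splitting into a DHT, then key loss."""
import hashlib
import hmac
import secrets

PRIME = (1 << 521) - 1   # Mersenne prime; Shamir arithmetic is done mod PRIME


def keystream_xor(key, data):
    # Stand-in for E_K / D_K: HMAC-SHA256 counter-mode keystream (the same
    # call encrypts and decrypts). Vanish uses a real block cipher; this only
    # keeps the example dependency-free (assumption, not Vanish's cipher).
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def split_secret(secret, m, n):
    """Shamir M-of-N split: random degree-(m-1) polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):           # Horner evaluation of f(x)
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0 from any m (or more) distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


class SimulatedDHT:
    """In-memory stand-in for the world-wide DHT with a built-in timeout
    (nodes purge values after `timeout_hours`) and churn (nodes leaving)."""

    def __init__(self, timeout_hours):
        self.timeout, self.now, self.store = timeout_hours, 0.0, {}

    def put(self, index, value):
        self.store[index] = (value, self.now)

    def get(self, index):
        entry = self.store.get(index)
        if entry is None or self.now - entry[1] >= self.timeout:
            return None                      # purged, lost, or never stored
        return entry[0]

    def advance(self, hours):
        self.now += hours

    def churn(self, count):
        for index in list(self.store)[:count]:   # holders of `count` shares leave
            del self.store[index]


def share_indices(access_key, n):
    # DHT locations of the shares are derived from the access key L, so only
    # a holder of the VDO knows where to look for them (constructed derivation).
    return [hashlib.sha256(access_key + i.to_bytes(4, "big")).digest() for i in range(n)]


def encapsulate(dht, data, m, n):
    key = secrets.token_bytes(16)            # K: random, never stored in the VDO
    access_key = secrets.token_bytes(16)     # L
    ciphertext = keystream_xor(key, data)    # C = E_K(data)
    shares = split_secret(int.from_bytes(key, "big"), m, n)
    for index, share in zip(share_indices(access_key, n), shares):
        dht.put(index, share)                # k1 .. kN scattered into the DHT
    return {"C": ciphertext, "L": access_key, "N": n, "M": m}   # the VDO


def decapsulate(dht, vdo):
    found = [s for s in map(dht.get, share_indices(vdo["L"], vdo["N"])) if s is not None]
    if len(found) < vdo["M"]:
        return None                          # fewer than M shares left: K is gone
    key = recover_secret(found[: vdo["M"]]).to_bytes(16, "big")
    return keystream_xor(key, vdo["C"])      # data = D_K(C)


def demo(m=7, n=10, timeout_hours=8.0):
    """Constructed run: read before the timeout, survive N-M lost shares, then
    find the archived VDO unreadable once the DHT has purged the shares."""
    dht = SimulatedDHT(timeout_hours)
    vdo = encapsulate(dht, b"This is sensitive stuff.", m, n)
    before = decapsulate(dht, vdo)
    dht.churn(n - m)
    after_churn = decapsulate(dht, vdo)
    dht.advance(timeout_hours)
    return before, after_churn, decapsulate(dht, vdo)
```

`demo()` returns the plaintext read before the timeout, the plaintext still read after N-M share holders have left the DHT, and `None` once the timeout has elapsed, even though the VDO `{C, L}` itself was never deleted. An archived copy plus the user's own keys yields only C and L; without at least M shares left in the DHT, K cannot be rebuilt, which is the property the model on page 16–18 asks for.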
Page 30
Outline
Part 1: Introducing Self-Destructing Data
Part 2: Vanish Architecture and Implementation
Part 3: Evaluation and Applications
Page 31
Evaluation
- Experiments to understand and improve:
  1. data availability before timeout (in the paper)
  2. data unavailability after timeout (in the paper)
  3. performance (in the paper)
  4. security (discussed next)
- Highest-level results:
  - Secret sharing parameters (N and M) affect availability, timeout, performance, and security
  - Tradeoffs are necessary
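As an added illustration of why N and M are a tradeoff (not from the talk, the paper, or the Vanish code), the following constructed model treats each share as surviving in the DHT independently with some probability: a high one before the timeout (only churn removes shares) and a low one after it (shares that happen to linger). The survival rates `p_before` and `p_after` are assumptions for the example, not measurements.

```python
"""Constructed model of the (N, M) tradeoff: availability of the key before
the DHT timeout versus how reliably it is unrecoverable after it."""
from math import comb


def prob_at_least(n, m, p):
    """Probability that at least m of n shares are still retrievable when
    each share survives independently with probability p (binomial tail)."""
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(m, n + 1))


def evaluate(n, m, p_before, p_after):
    """For one (N, M) choice: chance that >= M shares are found before the
    timeout (data readable) and after it (data NOT yet destroyed)."""
    return {"N": n, "M": m,
            "available_before": prob_at_least(n, m, p_before),
            "readable_after": prob_at_least(n, m, p_after)}


def choose_m(n, p_before, p_after, min_avail, max_residual):
    """All thresholds M that keep availability >= min_avail before the timeout
    and residual readability <= max_residual after it. Raising M helps the
    second goal and hurts the first: that is the tradeoff on the slide."""
    return [m for m in range(1, n + 1)
            if prob_at_least(n, m, p_before) >= min_avail
            and prob_at_least(n, m, p_after) <= max_residual]


def table(n=10, p_before=0.9, p_after=0.05):
    # Assumed per-share survival rates (not measurements): churn alone loses
    # about 10% of shares before the timeout; about 5% linger after it.
    # Vary them to see how the acceptable range of M moves.
    return [evaluate(n, m, p_before, p_after) for m in range(1, n + 1)]
```

With the assumed rates and N = 10, `choose_m(10, 0.9, 0.05, 0.95, 0.01)` yields M in 4..7: below 4 too many lingering shares keep the key recoverable after the timeout, above 7 ordinary churn makes the data unreadable too often before it. A larger N widens the window, at the cost of more DHT traffic per VDO and more shares for an attacker to collect during pre-computation.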
Page 32
Threat Model
- Goal: protect against retroactive attacks on old copies
  - Attackers don’t know their target until after timeout
  - Attackers may do non-targeted “pre-computations” at any time
- Communicating parties trust each other
  - E.g., Ann trusts Carla not to keep a plain-text copy
[Timeline: upload data; copies archived; timeout; months or years later, the retroactive attack begins. Pre-computation can take place at any point before the attack.]
Page 33–35
Attack Analysis

| Retroactive Attack | Defense |
| --- | --- |
| Obtain data by legal means (e.g., subpoenas) | P2P properties: constant evolution, geographic distribution, decentralization |
| Gmail decapsulates all VDO emails | Compose with traditional encryption (e.g., PGP) |
| ISP sniffs traffic | Anonymity systems (e.g., Tor) |
| DHT eclipse, routing attack | Defenses in DHT literature (e.g., constraints on routing table) |
| DHT Sybil attack | Defenses in DHT literature; Vuze offers some basic protection |
| Intercept DHT “get” requests & save results | Vanish obfuscates key share lookups |
| Capture key pieces from the DHT and persist them (pre-computation) | P2P property: huge scale |
| More (see paper) | |

Highlighted on page 35: capture any key pieces from the DHT (pre-computation) vs. the P2P property of huge scale.
[Figure: Vanish splits K by secret sharing (M of N) into k1, k2, k3, …, kN; the shares reach DHT nodes by direct put and by replication.]
- Given the huge DHT scale, how many nodes does the attacker need to be effective?
- Current estimate:
  - Attacker must join with ~8% of DHT size, for 25% capture
- There may be other attacks (and defenses)
Page 36
Vanish Applications
- Self-destructing data & Vanish support many applications
Example applications:
- Firefox plugin
  - Included in our release of Vanish
- Thunderbird plugin
  - Developed by the community two weeks after release ☺
- Self-destructing files
- Self-destructing trash-bin
- …
Page 37–40
Firefox Plugin For Vanishing Web Data
- Encapsulate text in any text area in self-destructing VDOs
[Screenshots: the plugin encapsulating text typed into a web page.]
Effect: Vanish empowers users with seamless control over the lifetime of their Web data
Page 41
Conclusions
- Two formidable challenges to privacy:
  - Data lives forever
  - Disclosures of data and keys have become commonplace
- Self-destructing data empowers users with lifetime control
- Vanish:
  - Combines global-scale DHTs with secret sharing to provide self-destructing data
  - Firefox plugin allows users to set timeouts on text data anywhere on the web
- Vanish ≠ Vuze-based Vanish
  - Customized DHTs, hybrid approach, other P2P systems
- Further extensions for security in the paper
http://vanish.cs.washington.edu/