ABSTRACT
Once data is released to the Internet, there is little hope of successfully deleting it, as it may have been duplicated, reposted, and archived in multiple places. This poses a significant threat to users' privacy and their right to permanently erase their very own data. One approach to controlling the privacy implications is to assign a lifetime value to the published data and ensure that the data is no longer accessible after this point in time. However, such an approach suffers from the inability to predict the right time at which the data should vanish. Consequently, the author of the data can only estimate the correct time, which unfortunately can cause the premature or belated deletion of data.
This paper tackles the problem of pre-fixed lifetimes in data deletion from a different angle and argues that alternative approaches are a desideratum for research. In our approach, we consider different criteria for when data should be deleted, such as keeping data available as long as there is sufficient interest in it, or deleting it early in cases of excessive accesses. To assist the self-destruction of data, we propose a protocol and develop a prototype, called Neuralyzer, which leverages the caching mechanisms of the Domain Name System (DNS) to ensure the successful deletion of data. Our experimental results demonstrate that our approach can completely delete published data while at the same time achieving flexible expiration times varying from a few days to several months depending on the users' interest.
Index Terms
- Neuralyzer: Flexible Expiration Times for the Revocation of Online Data