PGP Encryption for mail, web pages and webmail
Encryption would be a better solution, if you encrypted that email you don't rely on all the servers wiping their copies so data disposal isn't an issue.
What I'd like to see is something like Mozilla Thunderbird include public key exchanges by default. Your public key, (or a URL to collect it from the mozilla site if the key is too unwieldy) would be attached to every outgoing email and if a Thunderbird receives an email with key attached, then it is automatically added to your key ring and communications with that email address are then always sent encrypted with that key.
Of course an attacker could do a man-in-the-middle attack during that first key exchange. But so what? For a man-in-the-middle attack to work, they would have to intercept that first key exchange, and every single email exchange from then on (to decrypt/recrypt) until some future time when they actually get to a point where they want to do the snooping.
The desire to intercept a communication will likely occur at a later date than the key exchange itself. No-one can see into the future, and no-one can travel back in time and intercept the key exchange done in the past.
Suppose the keyring is stored on a flash key; then an attacker would have to intercept every email from every machine you use and every IP address. A complete non-starter.
Firefox could add the same feature and use the same keyring. e.g. If a web field is tagged as
then that section is encrypted with your public key, and the message is decrypted and the decrypted version shown instead.
If you don't understand why you would go to such lengths, then you have never pissed off the company sysadmin.
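The scheme in the post above is what is now usually called trust-on-first-use (TOFU) key pinning: the first key seen for an address is recorded, and a later message carrying a different key is the signal that either the correspondent rotated keys or someone sat in the middle. The following is an added example, not code from the post or from Thunderbird; public keys are treated as opaque bytes identified by a SHA-256 fingerprint, the addresses and key bytes are constructed, and the actual PGP encryption step is left out.

```python
"""Trust-on-first-use (TOFU) key pinning for e-mail addresses.

Added example, not the page's code. Keys are opaque byte strings; the keyring
records only the fingerprint of the first key seen for each address.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def fingerprint(public_key: bytes) -> str:
    """Stable identifier for a key: hex SHA-256 of the raw key bytes."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class TofuKeyring:
    """Maps an e-mail address to the fingerprint of the first key seen for it."""
    pins: Dict[str, str] = field(default_factory=dict)

    def receive(self, sender: str, attached_key: Optional[bytes]) -> str:
        """Process the key attached to an incoming message.

        Returns one of:
          "no-key"   - nothing attached, pin unchanged
          "pinned"   - first contact, fingerprint recorded
          "match"    - attached key equals the pinned one
          "mismatch" - attached key differs: key rotation or an interception,
                       which the client should surface rather than silently re-pin
        """
        if attached_key is None:
            return "no-key"
        fp = fingerprint(attached_key)
        pinned = self.pins.get(sender)
        if pinned is None:
            self.pins[sender] = fp
            return "pinned"
        return "match" if pinned == fp else "mismatch"

    def key_for(self, recipient: str) -> Optional[str]:
        """Fingerprint to encrypt to, or None if no key has ever been pinned."""
        return self.pins.get(recipient)

    def export(self) -> str:
        """Serialise the pins, e.g. to carry on a flash key between machines."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def load(cls, data: str) -> "TofuKeyring":
        return cls(pins=json.loads(data))


def simulate() -> List[str]:
    """Walk the scenario from the post with constructed keys: the first exchange
    is pinned, and a substituted key on a later message (even on a second
    machine sharing the same keyring) is flagged as a mismatch."""
    alice_key = b"-----CONSTRUCTED ALICE PUBLIC KEY-----"
    substituted_key = b"-----CONSTRUCTED SUBSTITUTED PUBLIC KEY-----"
    ring = TofuKeyring()
    log = []
    log.append(ring.receive("alice@example.com", alice_key))        # "pinned"
    log.append(ring.receive("alice@example.com", alice_key))        # "match"
    second_machine = TofuKeyring.load(ring.export())                # pins travel with the keyring
    log.append(second_machine.receive("alice@example.com", substituted_key))  # "mismatch"
    log.append(second_machine.receive("bob@example.com", None))     # "no-key"
    return log


if __name__ == "__main__":
    print(simulate())
```

The design choice worth noting is that a mismatch is reported, never auto-resolved: a client that quietly replaced the pin would hand the attacker exactly the one-time window the post describes, whereas keeping the old pin forces the interception to be sustained across every message and every machine that shares the keyring.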
What happened to honesty?
A lot of your arguments seem to revolve around corporate deniability - I find this a bit ethically dubious. There is a reason you can get a court order to recover email, phone records, minutes and the like - it is to stop companies doing illegal things. What you seem to be saying isn't "stop doing those things" but "here, you can hide the evidence like this".
For some information, like confidential analysis work, secure deletion is essential. Not because it may be discovered in a court case, but because it may be stolen or inadvertently left open to the world.
There is enough corporate crime - at least knowing any documentation is up for grabs keeps companies like Intel on their toes. Don't help to give the impression that deleting evidence is normal business practice and should be facilitated.
Nice idea, shame it's impossible?
Even if you've got "secure delete" in one location, someone else in some other location won't have it. Either this "secure delete" is going to have to be so pervasive it's impossible to manage/use or it's going to be no good whatsoever.
It could be thwarted by something as simple as a tape backup that fired off while your data wasn't deleted. Tape goes off site for security, how do you delete from it now?
Maybe you've deleted it from the server securely and all the offsite tape backups, archive logs, caches, etc. have been flushed but you didn't realise that because it was in an email there is now a copy in your internet cache directory locally...
Is this "server side" secure delete function going to have the power to clean files off client PCs, even when they've only connected briefly to retrieve their email and are now off the network?
Maybe you've securely deleted every "official copy", but someone was snooping the network when you saved the file and saved the snoop output somewhere for problem analysis.
Perhaps a mirrored disk failed after data went on, was replaced, then the secure delete happened. That disk still contains your data and for the price of a good disk recovery service will be perfectly visible. OK so it will probably be destroyed but at the instant that you press delete thinking it's deleted everywhere, it isn't. There is a window of opportunity that could be exploited.
Basically, if you type something into a computer you should expect it to be retrievable by someone at some stage. It may well be beyond the "hassle horizon" for you to do it if you lose a file, but if there are £millions at stake, then suddenly the "hassle horizon" is a lot further away.
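The point of the post above is that overwriting the "official copy" does nothing to the backup, cache and snapshot copies that were taken before the delete. The following is an added example, not the post's code: it overwrites one file in place and unlinks it, then sweeps the rest of a directory tree by content hash to show which copies survived. The directory layout (server/, backup/, cache/) and the file contents are constructed for the demonstration.

```python
"""Overwrite-then-unlink of one file, followed by a content-hash sweep that
lists the copies the 'secure delete' never touched.

Added example, not the page's code. Note that even the in-place overwrite only
helps on filesystems that rewrite blocks in place; journaling, copy-on-write
and SSD wear levelling can leave the old blocks intact.
"""
import hashlib
import os
import secrets
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def shred(path: Path, passes: int = 2) -> None:
    """Overwrite the file's bytes with random data `passes` times, then unlink.
    Only this path is affected; other copies of the content are untouched."""
    size = path.stat().st_size
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    path.unlink()


def find_copies(root: Path, digest: str) -> List[Path]:
    """Every regular file under root whose content hashes to digest."""
    return sorted(p for p in root.rglob("*") if p.is_file() and sha256_file(p) == digest)


def demo() -> Dict[str, object]:
    """Constructed scenario: an official copy on the 'server', a tape-style
    backup and a mail-cache copy. Shred the official copy, then count what is left."""
    root = Path(tempfile.mkdtemp(prefix="secdel_"))
    try:
        official = root / "server" / "analysis.doc"
        official.parent.mkdir()
        official.write_bytes(b"CONSTRUCTED confidential analysis text " * 200)
        digest = sha256_file(official)
        (root / "backup").mkdir()
        shutil.copy(official, root / "backup" / "analysis.doc")   # backup taken before the delete
        (root / "cache").mkdir()
        shutil.copy(official, root / "cache" / "msg0001.eml")     # copy left by a mail client
        copies_before = len(find_copies(root, digest))
        shred(official)
        leftovers = find_copies(root, digest)
        return {
            "copies_before": copies_before,
            "official_exists": official.exists(),
            "copies_after": len(leftovers),
            "leftover_paths": [str(p.relative_to(root)) for p in leftovers],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The content-hash sweep is the useful half for a defender: the same `find_copies` logic run over backup mounts and client cache directories turns "we deleted it" into a checkable statement about where identical bytes still exist, which is exactly what the post says a server-side delete can't know on its own.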
Where Laws are Needed
The unresolvable problem with secure deletion is that there are two conflicting requirements. Sometimes you want to be able to get things back easily; other times you'd rather you couldn't get at them than anybody else could get at them. You can't have it both ways: if there's a way that you can recover data, then so can someone else. (It occurs to me that on a non-toy OS, /etc and most of /usr and /home fall squarely into the former category whereas /tmp and much of /var fall into the second category. Can anyone say per-filesystem defaults?)
Surely a better idea would be to pass a law stating that anyone who *acquires* any kind of used storage device should be bound to secrecy in respect of its contents (unless specifically authorised)? Anyone who buys a used disk drive with intent to put it into service should first perform a write test on *every* sector anyway (an ideal opportunity to obliterate any remaining data) -- if they don't, they're a bloody idiot.
There are ways to game such a system, but I'm not sure they are really any worse than the system we already have.
corporate deniability - Translated = Liars and criminals go free
corporate deniability = No Justice.
It is amusing to watch the discussion on how to conduct criminal activities without getting caught.
Just what we need, companies like Enron with a trillion in the bank and all the trails erased. Grow a brain!
Corporations will always try to steal, being able to follow the electronic trail is what puts criminals in jail.
You don't want to see it in court, don't write it. PERIOD!!!!!
Data disposal: Every action leaves a trace
I am wondering whether this is much ado about nothing. While I understand that deleting files isn't as simple as just dragging them to the recycle bin, it seems to me that the theoretical possibility of retrieving data has been exaggerated.
Every action leaves a trace, as the article's title says. The dreadful data I've stored on my hard drive makes its mark, leaves its traces. So do all the other things I store on that disk, even in the same location as the secret data. While *theoretically* it might be possible to reconstruct my secrets from a careful analysis of the magnetic domains, I have yet to see anyone actually accomplish this after a couple of overwrites. Perhaps it *has* been done, but if so, I haven't seen it.
Sure, the various ghosts of the data may remain, but how can you distinguish the faded images from one another?
Assuming it's possible, how practical would it be to reconstruct the data? How much time and effort (= money) would it be worth to get hold of it? Short of serious criminal investigations or national security, there probably aren't many good reasons to try to reconstruct deleted data.
I would think that the problem isn't at all that data can be reconstructed from properly deleted files, but that so often these files are *not* deleted properly.