Privacy Blog #1: Complete Delete
Some thoughts on deleting data and the privacy risks associated with it
Case Study
Complete Delete: In Practice, Clicking ‘Delete’ Rarely Deletes. Should it?
Many believe that once they delete a file, photograph, or other data it is gone forever and cannot be recovered. That is not quite the case. Instead, the information can often be recovered fairly easily, partly because the data or file may have been copied to multiple locations rather than just one, and partly because even a deleted copy is rarely overwritten on storage, which leaves the content exposed to forensic tools. Modern systems proactively make copies to improve performance and help limit errors. Designers of these systems now face a choice: implement systems that never delete data, or implement systems that delete local copies while leaving remote backups as an option. Understanding the two options allows progress to be made and ensures that people and organizations are protected. Engineers and product managers are the solution; they must understand the privacy concerns and security risks posed by residual information. The public does not fully understand these concerns and risks because of the common misconception that once data is deleted, it is gone without any way to retrieve it. This may cause hopelessness or it may ease anxiety; whatever feelings it causes, it is crucial that the facts be understood and known. Simson Garfinkel dives deeper into this topic, addressing the discrepancy between a user’s understanding of “delete” and the reality of data remanence. Tracing data from its “birth” when it is created to its “death” when it is deleted, and even beyond, Garfinkel shows why a single command rarely results in the immediate removal of all instances. Ultimately, Garfinkel’s analysis shows the ethical conflicts that engineers and designers must balance between user privacy and the requirements of law enforcement. So what is the correct approach for informing users while also balancing law enforcement’s requirements? There may not be one correct approach.
With that being said, a few ideas that come to my mind include transparency, explicit warnings, and more. To start, a transparent disclosure of the specific deletion policy would allow users to understand just what occurs in the deletion process. More specifically, the user interface could show and inform the user that the specific blocks holding the data are not being overwritten. Something similar could occur for local and global data. When it comes to an explicit warning, one idea is to show the online and offline backup status so that deletion occurs only if the backup drive is online. If the drive is offline, the file cannot be deleted and the user would be alerted to that. Another idea, and one that I really like, would be to simply alert the user to any software such as iCloud, OneDrive, Dropbox, or Google Drive that automatically copies data. The user would be notified that these services do not automatically erase photos when the photos are deleted locally on the phone. With this type of notification, the user would know to delete those copies as well, if wanted. Because there is so much user data now, another idea would be to have systems draw attention to sensitive or archived information that may have been forgotten. This could take the form of reminders or warnings, and classifying images may be a solution; however, that may also pose other risks and could be seen as an invasion of privacy. It is true that the goals of deleting information and of information permanence conflict with one another; it is a paradox in which information is at once hard to delete and hard to retain. Understanding this is vital, but that is not to say that there are no advantages on each side. When it comes to deleting information, the key advantages are that control and privacy are given to the user.
Users know best what they do and don’t want others to see, so giving them control of their own data and the ability to manage their own privacy and security risk might be beneficial. On the other hand, that would make it much harder for law enforcement to access information they may need to assist in investigations. This leads into the advantages of information permanence: law enforcement is able to access the information it needs much more easily. It may also be helpful when people simply did not mean to delete their information but are unable to retrieve it locally. An example of this kind of retrieval is seen often in rental cars. Rental cars commonly have an “infotainment system” that remembers and displays the names and address books of telephones recently paired with the car. Some systems perform a reset that makes all records appear to vanish, but this is rarely done between rentals. This clearly raises privacy issues for each person who rents the car, because each renter is able to see who was there before them, which the previous renter did not necessarily consent to. A reset is rarely done, and simply removing the files does not help either, because deleting the directory entries does not overwrite the physical data. The data then remains as a remnant until the space is given another purpose and overwritten with new data. To improve this system, it could be designed to execute a mandatory, irreversible deletion once the rental period ends. This could be integrated into the vehicle and the rental system so that when the car is returned, a secure deletion occurs. Another option is cryptographic erasure. This type of erasure means that all sensitive data is encrypted with a file-specific key. I know Apple’s file system does this and encrypts every user file. I think this is a really great solution and could solve a lot of the problems that could possibly arise.
However, this would require the key for every file to be centrally managed, so that once that specific key is deleted, the file becomes inaccessible. In return, this would ensure that the system’s data is deleted altogether rather than just overwritten. Cryptographic erasure can be used for digital photographs, but the image must be encrypted as soon as it is taken and must be decryptable only with approved tools. Something interesting to think about with the cryptographic erasure of images is whether such images could still be edited or posted on websites. It could be possible, but there would be strong barriers to break down. The tools to edit, crop, or touch up these photos would need to work within the encryption and decryption framework. More specifically, the editing software would need to obtain a decryption key so that the photo could be accessed and edited. Once editing is complete, the image would need to be re-encrypted, so the application would need to be able to perform that task as well. Depending on how much editing occurred, a new version of the file might be created. If so, the new file and the old file would need to be tied together so that if one were deleted, both would be deleted. When it comes to adding a protected image to a public website, these challenges become harder to address but stay in the same realm of encryption and decryption. Sharing the image would also become a challenge that would need to be resolved. After some thorough thinking on this topic and the ethical challenges that arise with it, I have some questions to leave you with. Who bears the primary responsibility for ensuring that a global and complete delete is implemented? How should system designers weigh the two sides of this dilemma?
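The two mechanisms discussed above, an ordinary delete that leaves the physical blocks untouched and a cryptographic erasure that makes leftover blocks useless by discarding a file-specific key, are easiest to see side by side in a small simulation. The following is an added example written for this post, not code from Garfinkel or from any real filesystem: the block device, the filesystems and the sample contact record are all constructed for illustration, and the SHAKE256-based stream cipher stands in for the authenticated cipher a real system would use.

```python
import hashlib
import secrets

BLOCK_SIZE = 16  # constructed toy value; real devices use 512- or 4096-byte sectors


class BlockDevice:
    """Toy storage: a fixed array of blocks whose contents change only when
    something explicitly writes to them, just like a real disk."""

    def __init__(self, n_blocks: int = 64):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))  # allocator hands out blocks in order

    def write(self, data: bytes) -> list[int]:
        """Store data across free blocks and return the block numbers used."""
        used = []
        for off in range(0, len(data), BLOCK_SIZE):
            idx = self.free.pop(0)
            self.blocks[idx] = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            used.append(idx)
        return used

    def read(self, idxs: list[int], length: int) -> bytes:
        return b"".join(self.blocks[i] for i in idxs)[:length]

    def release(self, idxs: list[int]) -> None:
        """Ordinary unlink: mark blocks reusable but leave their contents intact."""
        self.free.extend(idxs)

    def overwrite(self, idxs: list[int]) -> None:
        """Secure delete: zero the blocks before releasing them."""
        for i in idxs:
            self.blocks[i] = bytes(BLOCK_SIZE)
        self.free.extend(idxs)

    def forensic_dump(self) -> bytes:
        """What a recovery tool sees: every block, allocated or not."""
        return b"".join(self.blocks)


class PlainFS:
    """Directory maps name -> (blocks, length). By default delete() removes
    only the directory entry, which is what most filesystems do."""

    def __init__(self, dev: BlockDevice):
        self.dev = dev
        self.dir = {}

    def write(self, name: str, data: bytes) -> None:
        self.dir[name] = (self.dev.write(data), len(data))

    def read(self, name: str) -> bytes:
        idxs, length = self.dir[name]
        return self.dev.read(idxs, length)

    def delete(self, name: str, secure: bool = False) -> None:
        idxs, _ = self.dir.pop(name)
        (self.dev.overwrite if secure else self.dev.release)(idxs)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: XOR with a SHAKE256 keystream.
    A real implementation would use an authenticated cipher such as AES-GCM."""
    ks = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


class CryptoEraseFS(PlainFS):
    """Each file is encrypted under its own random key kept in a small key
    store. delete() discards the key; the ciphertext blocks stay on disk
    untouched, but without the key they reveal nothing."""

    def __init__(self, dev: BlockDevice):
        super().__init__(dev)
        self.keys = {}  # a real key store must itself be securely erasable

    def write(self, name: str, data: bytes) -> None:
        key = secrets.token_bytes(32)
        self.keys[name] = key
        super().write(name, keystream_xor(key, data))

    def read(self, name: str) -> bytes:
        return keystream_xor(self.keys[name], super().read(name))

    def delete(self, name: str, secure: bool = False) -> None:
        del self.keys[name]           # this is the erasure step
        super().delete(name, secure)  # blocks are merely released, not wiped


def demo() -> dict:
    """Write the same constructed contact record three times and delete it
    three ways; report whether a forensic dump still contains the plaintext."""
    secret = b"Paired phone: Alice, 555-0100 (constructed sample)"
    results = {}

    dev = BlockDevice()
    fs = PlainFS(dev)
    fs.write("contacts.txt", secret)
    fs.delete("contacts.txt")  # directory entry gone, data still on the blocks
    results["plain_delete_recoverable"] = secret in dev.forensic_dump()

    dev = BlockDevice()
    fs = PlainFS(dev)
    fs.write("contacts.txt", secret)
    fs.delete("contacts.txt", secure=True)  # blocks zeroed before release
    results["secure_delete_recoverable"] = secret in dev.forensic_dump()

    dev = BlockDevice()
    cfs = CryptoEraseFS(dev)
    cfs.write("contacts.txt", secret)
    results["crypto_read_ok"] = cfs.read("contacts.txt") == secret
    cfs.delete("contacts.txt")  # only the key is discarded
    results["crypto_delete_recoverable"] = secret in dev.forensic_dump()
    return results


if __name__ == "__main__":
    for scenario, recoverable in demo().items():
        print(f"{scenario}: {recoverable}")
```

The first scenario is the rental-car situation: the address book is "deleted" but a dump of the device still contains it. The second shows why a secure delete has to touch every block. The third shows the appeal of cryptographic erasure: the blocks are never touched at all, which is cheap and works even for copies on media the system can no longer reach, provided the only place the key ever lived can itself be wiped.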
Is it their responsibility to ensure that the user’s desire for complete deletion is met even if it means that the legal obligation is brushed aside? If there were a way to algorithmically sort which photos should be deleted globally or locally, would that be an invasion of privacy, or would it meet the needs of both the law and the public? These questions really left me with a lot to think about and addressed many of the root concerns that I had while thinking about both sides of this ethical conflict. I think they’re important because they encourage you, as the reader, to think about the sole cause of this problem: the paradox. This paradox is really challenging because it’s not so much about which side is right and which side is wrong, but rather which side would do more good if addressed more thoroughly. Both sides must be addressed, but at the same time one must take precedence over the other. Overall, I think this is a really important ethical conflict to address. I know I’ve seen the way that this sort of thing affects the public, as well as the law enforcement applications. My parents sometimes struggle to understand exactly what technology looks like on the “inside”, not strictly from what they see. My mom has been so nervous after deleting a photo, not fully realizing that it is possible to recover. A couple of summers ago, I worked at a legal clinic, which allowed me to see the way that this sort of thing is used in investigations and the benefits that come from having access to what may previously have been “deleted”. I think that addressing this and educating the public on it would be greatly beneficial, because it can be a serious risk to them that they deserve to know about and be aware of.
