The Security of Data Deletion

Thousands of articles have called the December attack against Sony Pictures a wake-up call to industry. Regardless of whether the attacker was the North Korean government, a disgruntled former employee, or a group of random hackers, the attack showed how vulnerable a large organization can be and how devastating the publication of its private correspondence, proprietary data, and intellectual property can be.

But while companies are supposed to learn that they need to improve their security against attack, there’s another equally important but much less discussed lesson here: companies should have an aggressive deletion policy.

One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. Memos we used to read and then throw away now remain in our digital archives. Big data initiatives mean that we’re saving everything we can about our customers on the remote chance that it might be useful later.

Everything is now digital, and storage is cheap—why not save it all?

Sony illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that caused less-newsworthy personal embarrassment to those employees, and these messages are resulting in class-action lawsuits against the company. They published old documents. They published everything they got their hands on.

Saving data, especially e-mail and informal chats, is a liability.

It’s also a security risk: the risk of exposure. The exposure could be accidental. It could be the result of data theft, as happened to Sony. Or it could be the result of litigation. Whatever the reason, the best security against these eventualities is not to have the data in the first place.

If Sony had had an aggressive data deletion policy, much of what was leaked couldn’t have been stolen and wouldn’t have been published.

An organization-wide deletion policy makes sense. Customer data should be deleted as soon as it isn’t immediately useful. Internal e-mails can probably be deleted after a few months, IM chats even more quickly, and other documents in one to two years. There are exceptions, of course, but they should be exceptions. Individuals should need to deliberately flag documents and correspondence for longer retention. But unless there are laws requiring an organization to save a particular type of data for a prescribed length of time, deletion should be the norm.

This has always been true, but many organizations have forgotten it in the age of big data. In the wake of the devastating leak of terabytes of sensitive Sony data, I hope we’ll all remember it now.

This essay previously appeared on ArsTechnica.com, which has comments from people who strongly object to this idea.

Slashdot thread.

Tags: data destruction, data protection, data retention, essays, hacking, Sony

Posted on January 15, 2015 at 6:12 AM • 80 Comments

Comments

David Penfold • January 15, 2015 6:21 AM

But records lifecycle management is seriously dull.

Thoth • January 15, 2015 6:44 AM

@Bruce Schneier
Data deletion in an aggressive manner really depends on what is meant by aggressive. We know that data deletion by removing pointers in a filesystem is not enough and a full wipe of the storage media may proof otherwise useful.

SSDs are known to have tricky memory management algorithms that may not write data on the same place again and a full wipe on an SSD might not always yield results.

So how about disk platters ? It would be easier to wipe data on a more specific location but there are many academic reports on how they could recover some data fragments despite wiping the disk platters.

The best way to “wipe” a data is to simply encrypt it and lose the keys. The reason is you have a tiny key with smaller surface area and you have the content data with a larger surface area. Which would be easier to process/wipe ? Naturally losing the keys would be much more preferrable and to add one more step on the scheme, it would be better if a KEK is used (passwords, separate keys …) to protect the data encryption key. The KEK could be stored on a physical (and separate) security module to do the job or for the more paranoid, you could use a PBE to get things done.

Caching also comes into play and that’s another problem that is hard to tackle if you don’t have full access of the OS to prevent caching the wrong things.

Permanent physical destruction of tiny and crucial key materials in a tiny surface area would be much more useful than destroying a huge surface area of plaintext data. One example is to have a dedicated memory chip the size of a small coin and when you don’t need it, you take a drill and destroy it’s material. This way, without the encryption keys, the data on the disk platters or SSDs are considered gone forever.

A • January 15, 2015 7:48 AM

Not to save everything? Tell that to the NSA!

AlanS • January 15, 2015 8:01 AM

@Bruce

I agree with your general argument about deleting as much as one can as soon as one can but this is not necessarily an easy thing to accomplish in practice. There are lots of laws requiring retention of data for various lengths of time and you can get into a lot of trouble for deleting stuff that should of retained. So data retention/destruction policies often tend to be quite lengthy and complicated. And to actually make it happen you have to come up with a scheme for tagging everything so you know what can be deleted when and it can be readily retrieved for deletion. So to get it done a company of any size has to hire lawyers and records managers and invest in records management technologies. It costs money to do it properly and like other aspects of risk management that people involved in information security think are important it often loses out in investment trade-offs made at the senior management level, rightly or wrongly, at least until there a catastrophic failure occurs and sometimes not even then. Sony’s had multiple security failures over the years. History tends to suggest they have trouble learning from their mistakes and making meaningful procedural changes.

Peter A. • January 15, 2015 8:23 AM

@Thoth: your comments are valid, but a bit tangential.

Bruce refers to deleting unneeded data so it is not available for normal retrieval any more – so a hacker or disgruntled employee cannot access it in a regular way like logging into her account and dumping everything onto an USB stick, or exfiltering it in some other way. Your comments refer mostly to getting rid of decommissioned storage devices, which as a separate management problem.

Reading previous contents of a deleted file is impossible for an ordinary user on most modern systems. While it may be achieved in some cases by a privileged user, for example by reading an unlinked but not zeroed blocks using direct access to the underlying storage device driver, in other cases like getting to the relocated blocks of SSD or scanning magnetic residues of previous writes to a disk platter it requires physical access to the device and special access methods not normally available from within a running OS. So much less of a worry for the data retention policies, but a matter to think of while drafting decommissioning procedures.

Andrew • January 15, 2015 8:50 AM

The term “data wiping” is more appropriate in this context…

Thoth • January 15, 2015 9:05 AM

@Peter A.
Although the encryption I mentioned as a form of “wiping” would “delete” the data by losing the appropriate keys, it could also be served as encrypted archive which in a way would also not only deter someone digging through old disks archives but also preventing them from knowing what’s inside the data. The bad thing is key management has always been another pain to settle.

John Campbell • January 15, 2015 9:23 AM

When I worked for (company name redacted) one of the yearly “certification” classes was the document handling sign-off where data retention policies were explained.

I recall that, unless there’s a likelihood of subpoena, all e-mails older than, IIRC, 90 days, needed to be deleted from the server.

Now, as a user, there are a couple of different e-mail streams.

Some are exceptionally short-lived in relevance (or interest, for that matter) which hang around because deleting this stuff takes some time and effort. Let the auto-harvester get ’em.

Some you want to hang on as “easily findable reference material”; If you keep ’em in an e-mail system you do so because they are easier to find; These you want to hang on to despite deletion policies simply because the e-mail interface makes for convenient access to “occasionally useful references”. Sadly, no two people would have “the same” non-email-semantic structure to retain this outside of an e-mail system. These have a tendency to annoy the e-mail system managers.

Finally, the e-mails NO ONE WANTS TO LOSE are the items that CYA (“Cover Your Neck”) so that you can whip it out when someone tries to blamestorm in your direction.

I have to agree that we need a “good” deletion policy.

What I liked about Loathed Notes, years ago, was a special “trick” that allowed you to place your e-mail into a local archive (and, yeah, it could be lost) off of the central system. Another tool to archive attachments was even more useful.

E-mail applications provide a nice common paradigm that allows us to feel our records are kind-of organized (even when we’re actually pretty chaotic) and diving into our historical trail (the “data shadow”) is, sometimes, easier to deal with.

But, then, I’m left-handed. I like to think my directory structures are sane, organized and make it easy for me to find what I need… but, like anyone else, there are times expediency conflicts with being organized.

I will grant that I find people who DO NOT ORGANIZE their windows desktop very very annoying.

vas pup • January 15, 2015 9:50 AM

@Bruce: The problem is wider and included e.g. shredding papers after particular time (when contractor is doing shredding company’s security representative should be psychically present during actual process to be sure that it was destroyed and nobody apply the idea what is in the kind of garbage can that is not protected); what about backup tapes/other media/cloud storage when you have to trust that they will follow your order/contract and not pass them to competitors/gov/organized crime; what about security tapes of retail store/bank/etc., library records. When you have your own written policy on retention of any records/audio/video/etc. and there are no compliance requirements established by gov for the same purpose, and policy is not strongly implemented, ANYTHING retained could be “subpoened” and with ‘five lines of text written by the hand of the most honest man…” the case could always be cooked not in your favor. Conclusion: you could not selectively delete something unfavorable, but you have to set expiration date and policy for deletion (each media – own policy) of the ALL data of particular type. Then, nobody has any ‘meet’ (data) to cook ‘dish’ (case criminal of civil) against your company and particular employee. Same applies to security/access logs to data regardless of media. When data is stored in multiple data bases/servers auto cascade deletion should be implemented – no traces left anywhere.

keiner • January 15, 2015 10:00 AM

Are there any requirements by SEC, just in case they want to see something internal? Just asking…

GreenSquirrel • January 15, 2015 10:05 AM

This risks a bit of an end of history…

Deleting un-needed data is sensible but then we hit the risk about what is needed and what isnt.

The fact data recovery companies exist and make massive profits from organisations who have accidentally deleted something they really wish they had kept shows that records management is a really fdisk’ed discipline.

From a historical view, this also risks losing the things future generations always find interesting – weird minutiae about life in the past. If we keep aggressively deleting everything we dont have an immediate obvious need for, what do we leave the future?

The fact is, I sit on the fence here and, personally, I tend to archive almost all my work emails simply because that one day in the future when I need to prove that person X said Y, I want the evidence.

NobodySpecial • January 15, 2015 10:23 AM

@AlanS then that is even more of a reason to have a data deletion policy.
If you are required to keep certain documents for a certain period then relying on them being in Mr X’s email or Ms Y’s Document folder is a disaster.

Have an HR/Accounting/Regulatory email accounts and CC documents to be kept to them. Then have read access to those accounts more carefully controlled.

Anonymous Cow • January 15, 2015 10:30 AM

I still have an email I sent in 2007 in my archive. Why? Because I advised my client against their choice of action. They went and did it anyway. So if I get sued I can retrieve this email and say ‘I told you so!’

This is an example why blanket deletion policies should not be considered. Any deletion policy should delineate time periods for both deletion and retention along with subject matter.

Nick P • January 15, 2015 10:43 AM

Here’s a summary of opposing points in the comments that he referred to:

A number of commenters, especially in tech industry, say their old emails regularly help them out at work.
Basic data retention laws.
A lawyer pointing out the business is in good shape if it keeps records at least 3 years with a clear retention policy. Says that can save you huge amounts of money in discovery process.
A few commenters said it’s hard to make claims before a judge if you’re missing the context of the situation. Which you deleted.
One guy said 1+ yr old emails are useful when a project fails and you need to point out in the correspondence why it was the managers fault.
A few said they move oldest stuff to an offline disk that they can search through whenever. Otherwise, it’s not connected to the network.

On the positive side, one commenter said an email deletion policy forced them to put critical information in the actual documentation. It improved dramatically as a result.

So, the case against his proposal seems stronger than the case for it. I’d say keep stuff at least 3 years, have a clear policy on data retention, and keep older stuff offline. You might even put that stuff on an air gapped machine if you’re extra paranoid.

R. J. Brown • January 15, 2015 10:43 AM

The advantage of the cryptographic delete (deliberately “loosing” the keys to encrypted data) is that you can delete data that is off-line. How else can you quickly and easily delete stuff on old backup volumes stored in a locked vault off-site?

vas pup • January 15, 2015 10:53 AM

Recent move in Germany on data retention period: http://www.bbc.com/news/world-europe-30828197

vas pup • January 15, 2015 11:00 AM

@Anonymous Cow • January 15, 2015 10:30 AM:”Any deletion policy should delineate time periods for both deletion and retention along w i t h s u b j e c t matter.” That is absolutely right for personal/non-corporate data in particular. Security (and deletion of data policy) is always trade off, i.e. there is now ‘golden’ policy. Brain should be always applied for policy interpretation. Thank you.

Sancho_P • January 15, 2015 11:00 AM

@ Thoth (and R.J. Brown)

“The best way to “wipe” a data is to simply encrypt it and lose the keys.”

OMG you are only seconds away from jail – as I am.

Last night I woke up in cold sweat as I was obviously still chewing on a comment of @ Clive Robinson regarding a judge could send you to jail if you can’t decrypt what is deemed to be in your possession / yours.

I basically knew that fact, but until when I read the posting I was never thinking about several drives in my possession where I could not present the content.
And for most of them I would not even know the content.
Some are encrypted, others proprietary formatted (from PVR’s) and some may have a format I was “inventing” years ago and do not remember at all.

So let’s swiftly reformat all our unused drives …

Sancho_P • January 15, 2015 11:02 AM

By the broad inception of PC’s the “no policy” generation was born.
We can’t go back in time and push the genie back into the oil lamp.
Business goes from nano to terra, what remains is the word “should”.

Yes, to have a clear “should” would be wise.

David T. Macknet • January 15, 2015 11:35 AM

Information retention & deletion is paradoxical in some ways, as the most “high quality” digital objects are both more likely to be deleted and more likely to be kept. Selecting for retention and selecting for deletion are both subject to cognitive errors (comparison effects, contrast effects, etc.) which contribute to the problem.

Having a retention policy and someone outside of the immediate parties doing the deletion would seem to be part of the solution. Archivists and Records Managers, however, are equally likely to violate the records management policies of a given organization.

Additionally, people keep or delete information in the workplace using the same reasons they give for doing so in the home environment – there isn’t a significant difference between what they decide to do in either environment. This means that workplace documents are subject to deletion for emotional reasons (they were offensive or embarrassing) or are subject to retention for equally emotional reasons (they’re proud of their work, they want to refer to the objects later, etc.).

In the US, we have much less of a tradition of active records management as compared to the UK and Commonwealth countries, but even there, retention and destruction are a challenge. This is found particularly in companies which engage internationally, as they tend to be infected with the “keep everything” mentality found in the US.

I don’t have solutions, but http://theses.gla.ac.uk/3286/ is my PhD thesis on the subject (“Decisions to delete: subjectivity in information deletion and retention”). I think, though, that unless retention / deletion scheduling is built into the digital object at the time of its creation, we’re not going to see adequate destruction of documents, full stop. Until the OS companies get onboard with the idea, it’s not going to happen in any meaningful manner.

Nick P • January 15, 2015 11:42 AM

@ Sancho_P

Not really. You just need to show that you have a consistent policy of encrypting things, storing the keys on paper, and destroying the paper once something is no longer in use. You can cite all kinds of expert testimony on how easy things are to hack, how stuff isn’t really deleted when you hit delete, and so on. You then cite a paper by professionals that recommended encrypting stuff and just deleting the keys. Show how it works better than most strategies. Show many businesses do the same with secure document management solutions.

The trial won’t be over in a few minutes. Yet, with time and explanation, you should be able to show that whatever the prosecution is talking about is something you deleted in the way you always do with everything. You can also show very good reasons for doing it. It only gets suspicious if you deleted it right as they kick in the door or right after a search warrant was issued for it.

SoWhatDidYouExpect • January 15, 2015 12:03 PM

The ability to keep “old” data, or electronic “stuff” if you like, presents a conundrum. At my former day job, many years ago, we had data retention polocies, and every year, each employ was required to certify by action and signature, that they followed the policy (the signature was required such that if there was a failure of the action, you could be held accountable).

Yet, in the major online ERP system, business management would not delete “old” data, feeling that it was essential for the business that such data be kept. Whether the motive was CYA or their ego, that significantly increased the cost of doing business over time, though computer power, in terms of speed, memory, and storage space, kept up to pace for a time, it is unknown if the issue has been addressed.

There is more to the question that just the stuff that was of memory retention in a past age.

Daniel • January 15, 2015 12:16 PM

Of course, I’ve been preaching this for years under the rubric of content retention. The quote I found most telling from the Arstechinca comment section was this one:

We have the opposite at work, a data retention policy requiring us to keep everything for a certain period of time (6 months or 3 years mattering on the data) which means we practically never delete anything . (emphasis added).

So what this person means is that they have a content retention policy that they don’t actually follow. It’s supposed to be deleted by their own rules after six months or 3 years but it’s not. So they don’t even follow their on policies and yet Bruce Schneier is now a retarded idiot for pointing out to them the security problems with not following their own policies…..niiiice.

And this is tagged as a “Reader Fav”. No wonder I don’t read that site regularly.

Anura • January 15, 2015 12:21 PM

I worked at a bank where the policy was to delete old emails after three months. There were maybe one or two things per year that I looked for after they were deleted, and even then they weren’t that important. Keeping emails for more than three to six months would just be a waste.

Bernie • January 15, 2015 12:22 PM

I am a big fan of both Bruce and Ars Technica. The thing to keep in mind about the comments on Ars is that they are by a certain group of people, not your average Joe. They tend to be intelligent and technically savvy. In other words, they are more likely to use old records, whereas many (most?) average people don’t know how to even search through their old email. That should provide some useful context for the comments on Ars.

I think Bruce’s article is just opening the door to an important discussion. For example, if a company has a records deletion policy, will that make employees more likely to send emails & documents to their own personal email, file server, etc., one that is possible less secure than at the company?

Daniel • January 15, 2015 12:31 PM

@Nick P

You summary is a nice summary of the comments but those comment are not a representative sample of the arguments pro and con. One thing that both bemuses me and amuses me is the following truth. In real life if a person collects garbage after garbage for years and years we call them hoarders and we treat it as a mental disease.

https://en.wikipedia.org/wiki/Compulsive_hoarding

Yet if that same mental disease manifests itself on-line in terms of digital hoarding then it’s not a mental defect anymore. Now it’s “sound business practice” or “terrorism prevention”.

No one is arguing that there should be no data retention. What we are arguing, however, is the old ethical manta that just because one can doesn’t mean on should. But because the hoarding behavior is easy when it comes to data and is out of sight people ignore the problem until it explodes in their face.

The arguments from the Arstechnica people sound exactly like the crazy cat lady with 50 cats who screams, “but Iz loooooves them all!” when the men in white coats comes to take her away.

Nick P • January 15, 2015 1:07 PM

@ Daniel

Interesting point about hoarding physical vs digital items. Far as representative, I’ll create a new list and maybe recommendation if you can give me a representative dataset on the topic listing the pro’s, con’s, and how often they apply in the real world. Meanwhile, a number of points I presented were the actual experience of people in the real world. Sony is the one counterpoint but wasn’t following any security practices at all. So a weak counterpoint.

People could start with a list of reasons to compulsively delete everything except a few, key pieces of data.

Nate • January 15, 2015 2:00 PM

Businesses have become Hoarders of “data” for the sake of data. What does a hoarder always say? “Well I might need it someday!” Someday never comes. And for those believing in analyzing this “big data” – Just Stop. There’s no signal hidden in that noise.

vas pup • January 15, 2015 2:31 PM

@Sancho_P • January 15, 2015 11:00 AM “a judge could send you to jail if you can’t decrypt what is deemed to be in your possession / yours”.
That concept required good Constitutional Law lawyer (ACLU is fine as well) to challenge such practice in US as violating 5th Amendment of US Constitution up to SCOTUS. At least Justice RBG was with ACLU and could provide right angle during hearing. You as d e f e n d a n t in criminal case, are NOT required by Constitutional Law to be cooperative in ANY way with Judicial authority, not only to remain silent and not testify against yourself, but i.e. show the place where you (not you – but real criminal I mean) hide the body of murdered person, provide ## of your bank accounts (criminal case only), provide authority with the key to the safe and/or decrypt your data. The burden of proof is on the prosecutors, and that is their responsibility using court order/warrant/subpoena to find and present to court as evidence dead body, account ##, break into your vault and open safe deposit box in the bank or access storage area, decrypt/recover your data with assistance of their IT forensic unit. The onus probandi (aka burden of proof) in civilized country with rule of law is on AUTHORITIES, not defendant, BUT defendant could be granted immunity by court/prosecutors of usage information recovered by providing keys (to vault or encrypted file), guarantee not to ask court for death penalty (when dead body location is provided by defendant), i.e. cooperate in return of something substantially good for defendant, and do that by defendants’s own will(not by water boarding) or threats. In civil case that is quite opposite, you have to provide Judge with requested information, keys or be in contempt of court.
Any other opinion based on Law is highly appreciated.

Anura • January 15, 2015 2:41 PM

@Nick P

I entirely agree on the documentation. As a developer, I strongly believe I should not do anything without clear specifications for what I’m doing, with the business signing off. That should contain the justifications for the change as well.

But beyond email, there are other things to be concerned about: customer information. Honestly, I don’t see any businesses deleting things like old sales records. Credit card information shouldn’t be stored in the first place (I once worked for a company with 10 years worth of credit card numbers). I just don’t see a realistic solution to this problem.

What I would love is a way to be able to buy something online without the store having access to my information. For example, payment informaiton is encrypted with my bank’s public key, preventing the online store from seeing the details, and shipping information is encrypted with the shipping company’s public key where boyh the shipping company and the bank abides by strict privacy and data retention policies. I’d wager that most credit card numbers are stolen from ecommerce websites with poor security in place.

salientguy • January 15, 2015 2:45 PM

The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that caused less-newsworthy personal embarrassment to those employees, and these messages are resulting in class-action lawsuits against the company.

IMO this is going to require a human change to adapt to panopticon. Historically we could get away with a small amount of crap, because A) there was less risk someone noticed and B) There was an unwritten amount that you could get away with . Speed Once, probably wont get caught. Flirt with a girl on the way to work once, probably wont get caught. etc. etc. We used to accept that humans do small amounts of bad things and that they’re still ok.

Nowadays we record everything and crucify each exposition. In reality if the actions are causing public/personal embarrassment then they shouldnt have been done. But similarly humans are going to have to wise up that 1) We need to accept that each of us will screw up, we’re not as good as the machines that watch us. and 2) That people arent getting worse, we’re just perfecting the art of catching the things we all do.

tyr • January 15, 2015 4:21 PM

I had occasion years ago to notice a government storage of some
records on 8 1/2 inch by 11 inch paper. The amount stored was
enough to fill a semi truck trailer. I was informed that we had
to keep these to fulfil some legal requirement. Most of those
records were reported lamp outages (light bulb obsolescense) the
action noted was repaired. I suggested they be microfilmed so
the storage space could be recovered. No policy of when anything
could be discarded and highly dubious value as historical or
legal records. Pleas for sanity usually fall on deaf ears.

IT department in a different government planned to issue IBM PCs
and backup the contents of every PC harddisk to their mainframe
while the users went through the usual routine of saving every
backup of every routine job they ever did. When I said they must
be joking, they looked at me like I had 3 heads. The amount of
storage available makes these idiot policies easy to implement
but they aren’t wiser. File maintenance is a PITA but rummaging
through tons of trash for a useful bit is pure insanity.

One thing the afore mentioned did hang onto was obselete comp
viruses which the distributed with every new PC even after being
given F-PROT which easily removed the virus. They wouldn’t run
it because it was unauthorized software.

Ephemera should be treated as ephemeral. If you need e-mail later
move them into another storage and dump the trash mail, male enhance
offers and idle chatter into dev nul. Don’t expect the average
L(user) to do it for you unless you have a big stick to pound them
into compliance with.

If NSA wants to store it all for the kind of later exposure STASI
got we should encourage them to choke on it.

albert • January 15, 2015 4:30 PM

I was surprised at the tone of the comments in Arse Technika. They’re a bunch whiny crybabies. No one is suggesting that project files should be deleted. You’d think someone was trying to cut off an arm. Depending on emails for project information is just stupid. CYA is juvenile. Pissing contests with management never turn out well.
.
And to think, I was one of the guys who championed the paperless office 🙂 !!
.
The whole Sony situation needs to be viewed from an economic point of view, because that’s how corporations view it. I worked for a huge multi-national tech company. They constantly pissed and moaned about IT costs, in dollars as well as useability (like: ‘why do I need long passwords’), and this was even before ‘hacking’ was a major issue.
.
Bruce is absolutely correct about deleting old files, emails, etc. Yes, there are legal data-retention requirements. These can be handled with off-line storage.
.
1. Email is a poor way to handle corporate affairs, most especially, serious ones.
2. Employees, including execs, will almost always choose convenience over security.
3. Employees will always use email and internet access for personal business.
4. Employees will make damaging, libelous, stupid, or otherwise problematic statements in email. (Examples are legion; see facebook or twitter). Not to mention clearly illegal practices.
5. For the CYA crowd, I say this. Keep a paper file for your CYA stuff. It should be small. If it isn’t, you have a serious management problem there that needs to be corrected. I don’t see how old emails are helpful if someone can delete them.
.
In conclusion: data retention issues (and related security) are really a people problem, not a technical one. It’s gonna take education, patience, and self awareness.
.
Unfortunately for Sony (more so for those innocents involved), they’re ‘learning’ the hard way. They seem to be learning on a ‘cat’ level, rather than a ‘dog’ level, so it’s gonna take time. I expect the barbarians will still be waiting at the gates, or inside them. Beware of gifts bearing Greeks.
.
Bruce, you are correct in bringing up this issue. It might not solve the people problem, but it would mitigate it.
.
I gotta go…

JohnT • January 15, 2015 4:32 PM

Getting companies to vigorously get rid of computer data is a cause lost from the start.

In the good old days bc (before computers) major corporations had record retention policies. They set the time limit for keeping manual records.

Basically, it was legal requirements and legal fears. Some records had to be preserved for years. Some records established the corporation’s intellectual property (in those days copyrights and patents, not the insane extensions of nowadays).

A big exception was ephemera, meaning scribbled notes, blackboard markings, etc. These were thrown out in the trash basket and incinerated. No crime, even if these scribbles could have been used by a prosecutor.

Of course, corporations shot themselves in the foot by over classifying trivia. I remember one corporate memo that classified the day’s cafeteria menu as “confidential.” Managers got in trouble if they failed to classify confidential material, so they played safe and classified whatever. There was no corporate enforcement for over classifying.

So, bc was far from perfect. Now with computerized data, retention policies have been abandoned. There isn’t a data center in the world that does not think it must preserve every bit forever. What used to be scribbled notes is now technically no different than the bits comprising legally important memos. Think Ollie North and the PROFS note that nailed him.

So, yes, corporations must establish and enforce vigorous destruction of data. At best, they will establish policies, but fail to enforce them.

Sorry, been there, done that.

Librarian of Babel • January 15, 2015 5:31 PM

I’m a writer much concerned with history, and so I think of old documents and emails as literary property along with being potentially valuable “weird minutiae,” as GreenSquirrel sagely reminds us:

From a historical view, this also risks losing the things future generations always find interesting – weird minutiae about life in the past. If we keep aggressively deleting everything we dont have an immediate obvious need for, what do we leave the future?

Yet the ever-increasing quantity drives me a little nuts; but I’m not tech-savvy -interested enough to deal with it properly. Plus for me electronic filing under “subject headers” is equal to losing things. I sometimes don’t know what the “subject” of a bit of writing is until years later. The only valid metadata would be the content of the document itself.

Badtux • January 15, 2015 5:46 PM

As others have mentioned, data retention policies are not an easy thing to create and enforce. For example, you create a data retention policy for emails that requires deleting them as quickly as regulatory compliance will allow (let’s say 2 years for this particular industry). You want to do this because for one thing old emails can be trawled for lawsuit fodder and emails that no longer exist can no longer be used to create lawsuits against you. But, if a lawsuit has already been filed, any emails referring to the subject of that lawsuit must be retained, even if the lawsuit drags on for years. How do you tag which emails those are and make sure they aren’t deleted? Now scale up to a company the size of Sony Entertainment, which has thousands of lawsuits launched against it each year, and you see that it becomes a near-impossible job. And remember, if you delete an email that might be relevant to one of those thousands of lawsuits you’re in contempt of court for violating the production order and may even be charged with destruction of evidence if it happens to be an action by a federal regulatory body.

Security that is impracticable is not security. A computer locked in a vault with no connections to anywhere outside the vault and only a single completely naked and cavity-searched person allowed to enter the vault and use it is secure, but said computer is of little utility. Practicality has to come into play too, and until the rise of the machines happens and artificial intelligence capable of scanning these millions of emails to make fine-grained decisions becomes the norm, email retention will continue to be a sticky wicket that defies reasonable document retention policies.

Sancho_P • January 15, 2015 5:56 PM

@ Nick P

I bet it wouldn’t make it to the trial.
Your family and your lawyer would hammer you until you plea guilty in favor of taking three years without any hearing compared to fight a charge of 126 years against the gov.
Their job is to convict, not to set free – and it doesn’t matter how.
I would not try to sing – sang in court, because it will fail.

@vas pup

AFAIK here it’s not the burden of prove, too.
Why should it be different from a civil case? Isn’t it “knowledge” versus “possession”?
It would be withholding of evidence and has nothing to do with the original case.
When they convince the judge that the murder weapon is very likely in your vault you will be glad to open it or go to jail for contempt of court,
regardless of the original murder / terrorist charge.

The “evidence” may point at someone else, who knows.
Judge: “You have the key – you will open it!”

And you will decrypt (=provide the “evidence”) or go to jail.

Don’t keep what you can’t decrypt or have a very good story, lawyer and money at hand.

Badtux • January 15, 2015 6:11 PM

Regarding the non-lawyer above who said “. You as d e f e n d a n t in criminal case, are NOT required by Constitutional Law to be cooperative in ANY way with Judicial authority” that is completely not true. Whether it is a civil or a criminal action, if ordered to produce evidence by a court, you or your representatives must produce that evidence, or go to jail for contempt of court until such time as you agree to produce that evidence. That has been established under law multiple times since the founding of this nation, all the way back to the initial Judiciary Act of 1787, signed into law by President George Washington (who likely knew a little bit about that Constitution he was involved in writing). Companies which destroy evidence in ongoing cases face severe judicial displeasure, including the judge possibly ruling that the destruction of evidence indicates guilt, which could result in serious penalties.

The only thing the 4th Amendment prohibits is compelling your testimony. It does not address compelling your production of evidence that a court has ordered you to hand over. Papers in a vault or electrons on a disk are not testimony, they are evidence.

Badtux • January 15, 2015 6:12 PM

Err, 5th Amendment. Brain f*rt. Sigh.

Buck • January 15, 2015 7:03 PM

If you’re deleting your own data to protect yourself from lawsuits, you’re probably doing it wrong (or possibly a criminal)…

You never know when you might need to ‘prove’ that a ‘copy’ of a received email is not the same as the one that you sent!

DennisK • January 15, 2015 7:19 PM

@ Buck

The argument for is that people and corporations SHOULD do it[1] to protect themselves from malware.[2]

[1] enforce data retention policy
[2] includes patent trolls

Ole Juul • January 15, 2015 7:49 PM

I can’t help but think that e-mails can’t really be deleted with any surety. Every item in your inbox was sent from somebody who might still have it in their outbox, and it could be in any number of other people’s inboxes through CC or BCC. One’s (or corporation’s) own ideas of data organization or neatness are another matter.

Having large corporate archives available in one fell swoop is obviously a liability and what Bruce is referring to. However, as to matters of embarrassment for individuals, well that’s an age old problem which is probably best solved by developing more personal integrity. That is an issue we all hopefully work on simply as a matter of maturing – some are more successful than others. But could it be that there is a discrepancy between what people allow themselves to say on-line and what they say in public or face to face in a group? If that is the case, then security isn’t the issue.

Thoth • January 15, 2015 8:27 PM

@Encryption as a Secure Deletion
For the security industry, we don’t literally delete the crypto keys. I did mention about key management remember ? What we usually do (especially in the financial sector – where must of my clients are), we tell them to flag the key as expired or archived inside a HSM so that it maybe restored for future legal and audit trails. The danger of simply deleting keys off happily is the auditing part which you need to be very careful when handling customers by telling them to archive the keys in cold storage (encrypted of course).

Current recent trends show a surge of interest in data at rest crypto as part of “archiving” from current requests I am seeing. It complies with data protection laws and also would be useful for archiving.

@Sancho_P
If you are afraid of jail, either way if you manage to produce the key or you did not, it doesn’t change the fact that the current structure is of tyranny. If they want you jailed, they will find ways to get you jailed. If they want you dead, you can’t run nor hide…

One way as Clive Robinson mentioned is to proof that you are not in control of the keys as part 1 of the procedure and part 2 to show that it is forge-able (Clive’s Fleet Broadcast concept) where anyone could have sent anything and somehow passes you.

There is really no other way out in the face of such situations … either you face it and fight it (and know you will go down) or just bow to their request and also suffer as well (whichever the better of two evils).

steven • January 15, 2015 8:31 PM

“How long should I retain this data” scales all the way down to zero – maybe you don’t need to collect or log something in the first place (think of web and mailserver logs). Certainly if your activities are sensitive or high-risk and you care for your users’ well-being.

But a collect-it-all strategy probably looks most appealing to corporations. It’s been extremely profitable for the best at it. Sales or usage data could be a free dataset for some later review. A list of past customers could be leads for follow-up sales. Your copy of an email exchange or recording of a phonecall could be legal evidence in your favour.

Maybe a compromise is to archive off old data to ‘safer’, offline storage; or use asymmetric encryption to the same effect with the key stored offline or 2-factor. That puts it out of harm’s way whilst allowing recovery with some additional (intentional) difficulty.

Separate compartments by age or data type would be helpful later. If you had such a system, it might be practical to keep track of how often you needed to access anything, and determine what cumulative value that storage compartment has given you, to weigh against the operating cost of keeping it. The value probably has some exponential decay, eventually falling below the break-even point.

Nick P • January 15, 2015 8:35 PM

@ Ole Juul

You bring up a good point. I’ll add that email is a store and forward architecture that typically has middlemen. You can’t be sure how many copies are really out there. On top of that, the webmail providers’ business model is typically selling users out to advertisers and governments. What you delete might get deleted or just become invisible to you. This means companies who use services such as Gmail might not be able to delete emails.

Another argument in favor of using privacy-oriented services with contractual requirements on deletion/encryption, secure email appliances (eg Nexor), or just rolling your own mail server.

AlanS • January 15, 2015 9:04 PM

Interesting points about conflicting interests. Aside from the complexities companies have in deciding what needs to be retained or deleted to reduce risk (from hacking, litigation, compliance, etc.) and making it happen at the appropriate time, employer and employee may have different records retention/deletion interests.

Also, not having good RIM policies is bad, but having poor policies or failing to follow them properly can be equally bad. For legal discussion, including discussion of cases including Arthur Andersen and Rambus, see Records Retention: The Need for a Good Corporate Policy.

Also see: Enron’s Auditor Says It Destroyed Documents, which covers some of the activities that ended up reducing the Big Five to the Big Four.

Buck • January 15, 2015 9:21 PM

@DennisK

The argument for is that people and corporations SHOULD do it[1] to protect themselves from malware.[2]

[1] enforce data retention policy [2] includes patent trolls

While I can certainly agree that it’s probably wise to store some of your copies offline, you (and many other commentators) seem to be missing [3] defending innocence or establishing an alibi until after the statute of limitations has passed for any crime you may possibly be wrongfully accused of. In some places, this is an eternity; and remember – these are only ‘copies’…

Dennis • January 15, 2015 9:48 PM

@ Ole Juul

But could it be that there is a discrepancy between what people allow themselves to say on-line and what they say in public or face to face in a group? If that is the case, then security isn’t the issue.

The discrepancy is likely a result of the difference of what people say in private (presumed privacy) vs. public. What they said in email they probably presumed private.

Daniel • January 15, 2015 10:35 PM

@Librarian of Babel, Green Squirrel.

What do we leave to posterity if we aggressively delete all the data? The field of anthropology, that’s what we leave.

The point is that for 2000+ years historians and anthropologists have been working from pieces and fragments. We only find that weird minute interesting because in many cases it is the only clue we have got to what happened. Yet despite the paucity of the historical record historians have been just fine since Homer. They’ll do what everyone else does in the absence of evidence–they invent it.

Ole Juul • January 15, 2015 10:51 PM

@Dennis
The discrepancy is likely a result of the difference of what people say in private (presumed privacy) vs. public. What they said in email they probably presumed private.

Of course. I knew the answer when I posed the question. I remember when the internet started taking off and the “anonymity problem” was frequently discussed. It was identified as a serious psychological dysfunction right off the bat. In fact to many it was the defining difference between Fidonet and the internet. Despite all the stories of regret and remorse we’ve heard over the last 20 years, many people still don’t get it. You can’t make rules for that sort of thing. From a corporate perspective it might be worth giving some basic training in computer and networking functions. But for the dysfunction of misunderstanding anonymity and personal responsibility, the only solution may be to screen employees on the basis of maturity.

IM • January 15, 2015 11:32 PM

How does this extend to IaaS & SaaS? What about mobile apps? You may also have an aggressive policy however the weakest link in the chain is the human. How do you ensure emails are not copied offsite or documents stored in another mediums?

Wael • January 15, 2015 11:59 PM

Sometimes I purge files off my storage to reclaim some space. I delete files or items that haven’t been touched for a long period of time. Shortly after I delete them, almost always, some event happens that makes me realize I need some of the files I deleted. You never know the value of what you have till you lose it… Conversely, you never know the detriment of what you have until someone finds it and you borrow money for bail 😉

Daniel • January 16, 2015 12:11 AM

@Ole Juul

There are two separate problems. One problem is people saying stuff on the internet that they might not say face to face because the think they are anonymous and then later on when they discover they are not they get burned. The second problem is when people say stuff in e-mail that they would say face to face but in the ordinary course of life would be ephemeral. Then they discover the fact their words are kept forever and it comes back to embarrass them later in a different context. I would call the first an “anonymity problem” and the second a “privacy problem”.

These two problems are to some degree in tension. Content retention policies can embolden bad behavior on the internet because the person feels confident that their trolling or harassment will disappear into the ether. The words disappear but the harm lasts. On the other hand not having data retention policies can become a liability when old news gets reborn in a context that the original speaker could never have anticipated. Balancing these types of issues can be tricky but that doesn’t mean we shouldn’t do it.

Figureitout • January 16, 2015 12:12 AM

GreenSquirrel
–Yep, that’s exactly what I think about…So much digital data that’s “stored forever”, can’t even do that really; there’s so much no one would even be sure everything’s being stored correctly and bugs are deleting little bits or writing false data.

In past we rely on written things to “create” history and let our minds fill in the rest.

I liken it to, like a VHS tape or something like that. They’re hardly manufactured anymore, and once the remaining ones decay into death, the data on the tape runs the risk of not being recovered when a certain technology becomes so irrelevant; unlike cave paintings or fossils (we just burn people into ashes). Or if we come across neverending OTP’s or heavily encrypted memory sticks, that data is essentially lost when it’s forgotten unless a plaintext copy is somewhere else.

Once someone’s dead, I don’t think they’ll care about their privacy; there’s some value to seeing personal things to see what life was like, what you thought, etc.

Oh funny story, one time I was digging in the back yard fixing something, (there’s still an old foundation rock from an old home) and I thought I found a rusty musket ball (still don’t know what it is) but it wasn’t magnetic. I also found a bunch of trash wrappers like m&m’s wrapper and chip bag; not as exciting, you know?

Wael • January 16, 2015 12:14 AM

Oh, @Moderator… can you please purge something for me? Crap!

Figureitout • January 16, 2015 12:26 AM

Moderator RE: Wael’s email address
–No, leave it. Unless you follow Bruce’s policy, just delete all the comments in the thread, that’d be hilarious. Bruce just goes crazy and deletes his blog and disappears lol. How many times does he have to put his email in URL field lol, should definitely be a throwaway too. It’s out there. Google’s going to scoop it up and be searchable in a few seconds. Now it’s on archive.org. Wibrahimw@netscape.net Wibrahimw@netscape.net Wibrahimw@netscape.net !!! :p netscape?! WTF?! lol are they even a company anymore…

Wael • January 16, 2015 1:26 AM

@Figureitout,

Second time it happens…

lol are they even a company anymore…

I was using the internet when you were in diapers 😉
You know what I like about you, @Figureitout? You are honest and direct.

Clive Robinson • January 16, 2015 3:08 AM

@ Wael,

Hmm your day to prove “to err is human” 🙂

At least you are not describing some one who is much loved as a spoiled brat, so not quite doing an SPE 🙂

Speaking of SPE there is a game in the UK –and I assume other places as well– of taking Three Letter Acronyms that companies use as names and fitting other more meaningfull words [1].

My thoughts on SPE is “Stupid Pleb Execs” it appears to cover a lot of their bases 0;-)

[1] The one I most remember is from my early engineering days and is technicaly not a TLA, it’s MLRS which officially ment “Multiple Launch Rocket System” but as every engineer will nod knowingly to, it was renamed as “Managment Lack Reason and Sense”… My seconf favourate is GEC Plessey Tech or GPT which when said with a faux French accent sounds to a native French speaker as “I have farted”.

Clive Robinson • January 16, 2015 3:30 AM

@ Figureitout,

Didn’t Netscape get subsumed into “Hey Ho Hell”, the company that put more usless data in “land fill” –via their sign up CDs– than any other in living memory.

I think I’ve still got some some where, they proved rather effective as weapons –when used Frisbee style– to evict crapping cats from the garden.

keiner • January 16, 2015 6:28 AM

@Clive R
YEAH! I have several of those CDs downstairs, AOL 8.0 and stuff like that 😀

AOL is evil? Didn’t know that! I still use some email accounts…

DennisZ • January 16, 2015 7:19 AM

@ Daniel”The point is that for 2000+ years historians and anthropologists have been working from pieces and fragments. We only find that weird minute interesting because in many cases it is the only clue we have got to what happened. Yet despite the paucity of the historical record historians have been just fine since Homer. They’ll do what everyone else does in the absence of evidence–they invent it. ”

History has been written by the winners. Now, if you can’t be a winner in life, you can still write your own history. Sounds like a great business idea. For a small price, you buy this persistent storage for an infinity[1] of time. You are who you wrote/film/record yourself to be, conveniently stored for generations to come to know.

[1] good while funding lasts

Wael • January 16, 2015 7:56 AM

@Clive Robinson.

Hmm your day to prove “to err is human” 🙂

Every dog has its day. I’ve been having a week so far 😉

vas pup • January 16, 2015 8:40 AM

Sancho_P • January 15, 2015 5:56 PM:”When they convince the judge that the murder weapon is very likely in your vault you will be glad to open it or go to jail for contempt of court”. They did not need your cooperation and judge should not be their puppet. In you case prosecution could get access to the vault (there is many companies specialized in opening vaults/decryption of files) by requesting court order from Judge and do THEIR job of collecting and presenting to the court all incriminating evidence. If I were judge, I’d warn them: next time prosecutors are going to make ME doing THEIR job, they will be in contempt of court. Judge is not prosecutor in criminal case – we are not in Middle Age Inquisition Trial here (I hope).

George W • January 16, 2015 9:58 AM

Consider the alternative.

I am guilty of leaving all correspondence on my gmail account. Yet, in my recent divorce trial, by providing actual correspondences as evidence allowed the court to rule in my favor in many disputed instances, and impeached the story provided by the opposing counsel.

I am thankful I saved these emails, and that Google has a robust search.

Nick P • January 16, 2015 11:08 AM

@ Wael

I had to work hard (15m-1hr) to get that information. I suggested you work on OPSEC. Now, you’re just giving it away to 250,000+ people for free? I meant work in the other direction of OPSEC! 😛

Nick P • January 16, 2015 11:11 AM

EDIT: It’s also not on archive.org yet. So there’s still hope the comment and this whole tangent can be swept away via Moderation.

JonKnowsNothing • January 16, 2015 12:02 PM

You can actually delete stuff? Wow!

Most stuff I’ve “deleted” wasn’t directly deleted but was lost “forever” due to the change in tech. I just recycled a whole batch of unused 3.5″ floppies. Years ago I jettisoned 8″ floppies for the same reason. I had some photos on a zip-storage-drive and jettisoned the drive before I migrated the photos so those are gone too.

Years back, a startup I was in failed and the assets were auctioned off. A few years afterward I got an email asking if anyone could remember the backup tape format; that was what the buyer actually purchased: all the old backups.

Sure there are loads of data recovery plus the forever data repository site, the NSA never forgets anything, except even they have a constant stream of “decommissioned databases”.

When it comes to deleting stuff – rarely a good idea. Especially if all you are trying to do is avoid “corporate embarrassment”. Sony Execs did say/wrote those things didn’t they?

A very smart guy I knew used to say you have 3 chances to Not Get In Trouble with Text: 1) you have to think it 2) you have to write it 3) you have to push SUBMIT.

An Arabian Proverb

Four things come not back — the spoken word, the sped arrow, the past life, and the neglected opportunity.

When it comes down to history which parts of history will we decide to keep? The one with the women in it or the one without?

ht tp://www.dailymail.co.uk/news/article-2908579/Orthodox-Israeli-newspaper-airbrushes-female-world-leaders-JeSuisCharlie-march-photographs.html

(url fractured to prevent auto-run. remove the space from the header)

BoppingAround • January 16, 2015 4:28 PM

A very smart guy I knew used to say you have 3 chances to Not Get In Trouble with Text: 1) you have to think it 2) you have to write it 3) you have to push SUBMIT.

Or, as those in Communist countries had been saying:

Do no think.
If you think, do not speak.
If you think and speak, do not write.
If you think, speak and write, do not sign.
If you think, speak, write and sign, do not be surprised.

Sancho_P • January 16, 2015 6:06 PM

@ vas pup

As always it’s completely up to the judge, US / EU / NK.

I’ve used the vault example to hide a placative physical object.
Let’s jump to the encrypted HD of your computer – no one but you could crack it.

Probably the outcome depends on why the prosecution think the evidence would be there.

When the prosecution e.g. can testify “We have seen the evidence on his screen by looking through the window, it’s on his HD which is now inaccessible!” then you are screwed.
You won’t have to give them the key, but decrypt the data.

Also see @Badtux above (15, 6:11 PM)
and https://www.schneier.com/blog/archives/2012/02/what_happens_wh.html

But I’d suggest to check again with your local legislation – and hope to get a nice judge!

asd • January 17, 2015 10:20 PM

A company as large as Sony is probably undergoing discover from several lawsuits simultaneously at all times. A standard requirement once a lawsuit is filed is to require retention of anything material to the lawsuit, which would make data deletion a compliance nightmare. Of course just because you’re retaining something doesn’t mean it needs to be easily accessible. Data can be put onto tape or hard drives and then put into a physically secured location without retaining it in a running database for all time.

Figureitout • January 18, 2015 2:09 AM

Wael RE: OT convo
–Thanks, it’s what my friends say (well the few left…can always make new ones too). I don’t have time for fake & malicious people, if you want to make an actual real deep connection, I can. I do enjoy breaking people’s barriers down too, much simpler than making this or that electronic work reliably lol; and it’s not even a “brave prediction” to say I think there’s still some really cool circuits that haven’t been even sniffed yet. Ends up it’s just a part of my personality, seeing what people liked and adjusting to it temporarily (I used to and still get myself in trouble for jokes to make people laugh); just like being friends w/ everyone if I can (not Nick P though, kidding but he pisses me off sometimes :p).

Like when you smile every post and when you expand on physics. 🙂

Speaking of smiles, well when I post something I can find it usually at least next day on google, still google hasn’t crawled this yet, what the hell? lol But, looks like a bunch of scams when I google your email and the first picture was hilarious…That you there? That’s dedication, damn…get back to your bed! http://www.scamdex.com/MHON/A/a/jpgDnAfqkXxG0.jpg

Clive Robinson
–Yep, we did the same thing lol. They used to just give them away at supermarket, we took firecrackers to them and then shattered. I’ve mentioned before, this old computer I got from my granny, opened up the CDROM and there’s a walmart AOL disk, really made me laugh lol; such a worthless disk.

Back to the point

Bruce, instead of an “after the fact” deletion policy; there should be clear “creation” policies. Of course depending on how you want your company to be (let employees roam freely and catch a nice malware), just make separate systems. Think most people do this, until whatever media admins use isn’t actually clean and brings in malware to the critical system-compromising area. I won’t expand on it too much, I’m not getting paid too, and there’s many holes I’m leaving out for brevity; fill in the holes yourself (I found an extremely critical physical vulnerability just randomly yesterday night w/ car repair shops letting customers “drop off” their keys at the shop during off-hours, it’d could be very lucrative criminal business so long as they can take care of the assets; I could even get a memory stick in their computers from outside).

Practically speaking, if people can get over themselves thinking they need an ipad, get a bunch of old cheap laptops (I actually prefer them), remove the sh*t you don’t need like cameras, mics, wifi cards, speakers. Malware potential?–Of course, unless you seal up emanations the malware is contained and can just swirl around not getting back to owner. That can either be dedicated for web browsing or an internal work network. Every port is physically disabled, disk drives removed or you get a live setup.

This sounds harder or less practical than I think it actually is. The point is on an internal server employees can relax and speak freely (don’t get carried away) w/o worrying about this happening, so long as they don’t breach the gap themselves. There will be little knicks here and there, and can be made much harder depending on if employer is willing to push it to limit (EMSEC or external monitoring for wireless penetration), but over all, I believe a strongly hardened internal messaging system. The laptops never leave the premises, they do have a single GPS-like system w/ battery backup.

Problem is being able to email off-site. Custom solutions could be crafted, but it’d be best to just write what you need to say and come on site and…I’m sorry…manually transcribe what you wrote. Stay at your work and do your work there, and leave it there. Sales people are exceptions, they get again their own external network for sales and all sales data stays there only.

The biggest barrier will be the awkward moment bringing this up, beginning the dialogue, otherwise people learn the hard way getting an advanced malware; or worse they bring it in and it swirls and then you don’t know who brought it in.

This is a potential solution (basic OPSEC) if people want to get real and actually deal w/ it, or we can keep using the same insecure sh*t and mindsets not understanding what technology is capable of doing w/ a malicious mind; keep smearing that malware everywhere. Who’s to say it hasn’t already smeared its way in everything?

Jeroen • January 18, 2015 12:10 PM

Nazi Germany used data to identify Jews. IBM provided them computers. At the end of the war evidence of genocide was destroyed. Data makes you accountable. If we could see the private communication within the NSA afterwards it would increase their accountability. Thinking this is a problem is for 2 reasons. 1. You did wrong. 2. Privacy but you are less important than you think you are. Esp once you and your generation passed away. Hence in 100 or so years yes I do hope there is detailed data available about integral secret parts of our society ss we know it today. Including the NSA and yes Sony. Crypto could in theory provide us those 100 years.

Bystander • January 18, 2015 1:31 PM

Some data needs to be kept for a very long time.
Let’s take data related to product certification in some industries.
This is one of the cases where almost everything must be kept.
Some data can be deleted 10y after the product went EOL.
Some data must be kept longer.
This includes e-mails etc.

It is good to have the data as long as necessary, but the date of expiration is not always obvious and sometimes obsolete data can even gain historical significance over the time.
The best way to avoid any embarrassment is to think twice before writing e-mails, posting messages etc. Sometimes it is better to talk face to face if possible.

@Jeroen:
Your example points more towards collection of personal data.
The information on individual religious faith must be recorded before it can be researched.
Not every country invaded by Nazi Germany had this data and it was used (pretty obvious) when it was available.

Fascist Nation • January 19, 2015 4:24 PM

The easiest flag is to just do what I did: Move important emails (contracts, customer contacts) to created folders. Kill off email otherwise. My Dad was better at it “Never read the same message twice.” You read and responded; trash, file, act. Never leave it laying around in a pile to get to eventually.

vas pup • January 20, 2015 4:21 PM

@Badtux • January 15, 2015 6:11 PM and Sancho_P • January 16, 2015 6:06 PM.
Thank you for your inputs. If information in your postings is true, then Judicial Branch is like in Middle Ages Inquisition Trial where Judge was not neutral and basically procedure were mainly one-sided against defendant, i.e. Judge was part of the prosecution. Other thought, if you could be deprived your liberty indefinitely for the contempt of court WITHOUT the right for appeal – then it looks like Soviet Union under Stalin ruling, not the country which considered to be the most democratic. How that is matching Bill of Rights? Due process without appeal? Wow!
There are the following negative elements in current criminal justice system:
entrapment (police phase), plea bargain (prosecution phase), biased toward prosecution Judge (request to defendant to provide incriminating evidence under the threat of contempt of court). Make your own conclusions.
Dear bloggers outside the US and GB, please provide input how that is in your country.

Sancho_P • January 20, 2015 6:26 PM

@ vas pup

All “civilized” countries will react in the same way when you try to hinder the course of justice.
I think it is not that bad as you see it now.

You as defendant have the right to be silent.
That is, you must not say “The evidence is on my hard drive”.

But try to see this example:

a) All in court, prosecution, family of victim, …, including the judge, have reasonable cause to assume, or more, they are convinced that the murder’s name is written onto the drive, and only reading the drive will bring the case to an end.

b) They know that you, suspect in the case, are able to decrypt the drive.

But you say “No, I don’t” – Not more, simply “I don’t”?

You, the small f**@- #!’ole, are now blocking the course of justice, of our society?

Should you go free? Forever? Shake-hand and goodbye?
Would that be justice?
Isn’t your “I don’t” very close to “It was me”?

Mind you, it is not the police just saying “Hey, let me check your hard drive” because they have the feeling that they might find any criminal evidence.
It is the judge who is convinced that the hd holds the final evidence.
You against the judge!

If that is the case then you are screwed anyway.
But you can stop it any day, without appeal, by decrypting the hd – that’s it.

vas pup • January 21, 2015 11:43 AM

@Sancho_P • January 20, 2015 6:26 PM.
Sancho, you missed my main point: Judge in criminal case is NOT part of prosecution and not working for them. Judge should be neutral, and if prosecutors OR defense needs any evidence, they should ask Judge to issue court order which let them collect such evidence from anybody else, except defendant because that is not defendant’s duty to provide ANY incriminating evidence (oral, material, written, etc.) Otherwise – we have Torquemada type of trial. I hope you read ‘Trial’ by F.Kafka – very informative.

Bruce, you have many bodies in Harvard Law school. Could you ask them provide input?

Sancho_P • January 23, 2015 10:53 AM

@ vas pup

Sorry, I was hoping someone would jump in here, I don’t know how to explain better.

Yes, it seems I do not get your main point, you may try to rephrase or start some digging or check here how Leon Gelfgatt was digging his own grave.

Again: Each case is different and it depends where / what / how, + the judge and his mood.
And in case it was lost: My main point is: Do not provoke the judge.

Matthew Slyman • January 30, 2015 4:39 AM

Your article was reproduced on Ars Technica, where I commented as follows…

Commenters have made some fair points; however, have been a little unfair in attacking Scheier’s position without taking the time to fully understand it. The risks of our litigious society and the tendency to make sure we can justify ourselves, have persuaded most business administrators to retain far more data/ old communications than they should. There are risks to retaining information which isn’t required any more. The risks are not just related to attack from outside, but also, insider attacks. For example, by retaining a list of former customers’ contact details (especially, by accumulating contact details en-masse); we increase the risk that an unscrupulous employee will sell these details to an equally unscrupulous marketing firm (few businesses would want to be made into public example of this; and experience tells me that charges could be made to stick if the lawyers were serious about it, and if for example, the company responsible had made a distinctive typo in transcribing the person’s name / contact details). Most of us are being bombarded continually by unwanted “marketing” materiel: we all know that this is a real problem, and yet very few of us are doing anything about it!
Beyond privacy and minimising the attackable surface area of our businesses, further advantages to following Schneier’s advice would include improved discovery (“information retrieval”) of the data we really need. It’s easier to find a particular needle when the haystack is small… So by discarding information we know is useless; we make it easier in general to find the needles we really need! (A good old-fashioned tidy-up works wonders in the real world: it does the same in our digital lives too; and the positive benefits of tidying up are cumulative over time!)

- • June 29, 2021 1:45 AM

@Moderator:

1, Mary Gilmore

Unsolicited advertising.

The Security of Data Deletion

Comments

Leave a comment Cancel reply