Thursday, July 23, 2009

Self Destructing E-Mail with Vanish Firefox Plugin

Computing and communicating through the Web makes it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview; a lost or stolen laptop can expose personal photos or messages; or a legal investigation can subpoena the entire contents of a home or work computer, uncovering incriminating or just embarrassing details from the past.

Vanish is a research system designed to give users control over the lifetime of personal data stored on the web or in the cloud. Specifically, all copies of Vanish-encrypted data — even archived or cached copies — will become permanently unreadable at a specific time, without any action on the part of the user or any third party or centralized service.

For example, using the Firefox Vanish plugin, a user can create an email, a Google Doc document, a Facebook message, or a blog comment — specifying that the document or message should "vanish" in 8 hours. Before that 8-hour timeout expires, anyone who has access to the data can read it; however, after that timer expires, nobody can read that web content — not the user, not Google, not Facebook, not a hacker who breaks into the cloud service, and not even someone who obtains a warrant for that data. That data — regardless of where it was stored or archived prior to the timeout — simply self-destructs and becomes permanently unreadable.

The technical paper, which will appear at the 18th USENIX Security Symposium in August, describes the concepts behind Vanish in detail. Briefly, as mentioned above, the user never knows the encryption key. This means that there is no risk of the user exposing that key at some point in the future, perhaps through coercion, court order, or compromise. So what is done with the key?

Vanish leverages an unusual storage medium in a novel way: namely, global-scale peer-to-peer networks. Vanish creates a secret key to encrypt a user's data item (such as an email), breaks the key into many pieces and then sprinkles the pieces across the P2P network. As machines constantly join and leave the P2P network, the pieces of the key gradually disappear. By the time the hacker or someone with a subpoena actually tries to obtain access to the message, the pieces of the key will have permanently disappeared.

The Vanish prototype uses the Vuze BitTorrent Distributed Hash Table as the underlying P2P network. It supports data timeouts of 8-9 hours by default, though longer timeouts are possible.
