Vanish: Now You See Data, Now You Don't


Did you ever wish that you could control the lifetime of your data on the Web? What if you wanted e-mail to self-destruct after a certain time period? A friend of mine sent me information on a product being researched and said I just had to check it out. I am not an easy person to impress, but I was salivating when I finished reading what this product could do.


I assume I have your attention. The University of Washington has developed a product called Vanish, which, simply put, lets information expire. Virtually any information can be set to expire, including e-mail, Facebook posts, blog posts, chat messages and even documents. Not even the content developer can recover the content. The product works by encrypting the data with a key that the user does not even know, then dividing the key into many parts and distributing them over a peer-to-peer network. As new systems join the network and older systems leave it, the key is eventually lost.
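To make the key-splitting idea concrete, here is an added Python example (not code from the Vanish project or from this post) that splits a random key into parts and shows the key becoming unrecoverable as the nodes holding those parts leave. The post does not say how the key is divided; Shamir threshold secret sharing, the 10-part/7-needed parameters, the leave probability and the in-memory list standing in for the peer-to-peer network are all assumptions.

```python
import random
import secrets

PRIME = 2**521 - 1  # Mersenne prime; field comfortably larger than a 128-bit key

def split_key(key, n, k):
    """Shamir split (assumed scheme): any k of the n shares rebuild key, fewer do not."""
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def recover_key(shares):
    """Lagrange interpolation at x = 0 over the prime field."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def simulate_churn(shares, k, leave_prob, epochs, seed=0):
    """Each epoch every node holding a share leaves with probability leave_prob.
    Returns, per epoch, the key a reader could rebuild, or None once it is gone."""
    rng = random.Random(seed)  # seeded only so the constructed run is repeatable
    alive = list(shares)
    timeline = []
    for _ in range(epochs):
        alive = [s for s in alive if rng.random() >= leave_prob]
        timeline.append(recover_key(alive[:k]) if len(alive) >= k else None)
    return timeline

if __name__ == "__main__":
    key = secrets.randbits(128)          # data key the user never sees
    shares = split_key(key, n=10, k=7)   # constructed parameters
    for epoch, got in enumerate(simulate_churn(shares, 7, 0.1, 12), 1):
        print(epoch, "readable" if got == key else "expired")
```

Once fewer than the threshold number of parts survive, nobody, including the original author, can rebuild the key, which is the property the post describes.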


You might be asking, "Why not just use encryption to protect my data?" Remember, a hacker could steal your passphrase with a keylogger. In the case of eDiscovery, you might be required by law to give up your passphrase.


This is a double-edged sword for a security professional. On one hand, we have information that expires and leaves no trace. So we can imagine a world with no more incriminating e-mail or blog posts that can hang your company, or its executives, in a courtroom. On the other hand, you could lose data that can save you, as well. Let's say you had an e-mail that proved you did nothing wrong. That data could be erased also.


However, we live in a world where various retention requirements do in fact exist, and serious questions are raised by such a product. Interestingly, the early coverage of Vanish is full of breathless wonder at the possibility of being released from the tyranny of data that will never die. Domain-b.com quotes one of the researchers as saying that the technology is "ahead of the law." Of course, that situation is nothing new for emerging technologies, but it doesn't mean that regulations and laws governing data management and retention somehow no longer apply.


And on that note, I am going to turn the topic over to Lora Bentley -- be sure to check her Governance and Risk blog for follow-up coverage of the legal ramifications of the use of a tool like Vanish.