Vanishing E-mail and Electronically Stored Information: An E-Discovery Hazard
Last week, there were several articles about Vanish, a technology to automatically render electronic data unrecoverable at a specified future time.[1,2] Vanish was developed by a team at the University of Washington. The goal of Vanish is to enhance privacy by creating data that will automatically self-destruct at a specified time in the future, making protected electronic information immune to future disclosures in any fashion, including in response to legal process.
The technology is interesting in that it is intended to protect online or offline electronic data using an encryption key that is time-based and never in the user's possession. Instead, the time-sensitive key is maintained in pieces distributed throughout a peer-to-peer network.
Considered by itself, the concept is seductive. Imagine a world where one’s confidential messages are completely safe from prying eyes of any sort. No longer would months-old embarrassing messages surface at inconvenient moments. Certainly, more than a few executives and political leaders would be appreciative, as is noted in the pre-print of the Vanish paper to be presented at the 18th USENIX Security Symposium.
However, the implications of this technology are a matter of concern and may be grounds to refrain from its use. Although we most frequently encounter stories about those embarrassed or accused as a result of disclosed communications, recovered communications are a double-edged sword: they can either implicate or exonerate.
Evidence can be incriminatory or exculpatory. We well know the headlines when someone is indicted and convicted based upon DNA evidence; but we also hear about cases where someone is exonerated because the evidence shows that a crime did not occur or the subject of the investigation was not involved.
The 17-page Vanish paper illustrates the utility of Vanish using a fictional case involving Ann, a woman who exchanges emails with a close friend about problems in her marriage. Ann wants the messages to self-destruct, ensuring that the messages will not become a source of embarrassment. Such control over her own communications is a legitimate concern regardless of the outcome of her marital difficulties. If Ann resolves the difficulties with her husband, the messages could be a source of embarrassment. If the problems are not resolved and Ann becomes involved in a divorce, the messages could be subpoenaed by her husband.
Using the same underlying facts, consider what would happen if Ann were to go missing. The messages might be the only evidence that there were problems between Ann and her husband. These messages might be crucial evidence that would implicate Ann’s spouse in her disappearance, raising the possibility that what otherwise would be a missing-persons investigation could turn into a murder investigation.
In the business world, litigation holds are used to preserve electronically stored information despite the operation of an organization's document-destruction policy. Violations of litigation holds are serious matters. A failure to disclose the existence of backup tapes during litigation between investor Ronald Perelman and Morgan Stanley relating to the 1998 purchase of Coleman by Sunbeam led directly to a verdict of US$ 1.58 billion against Morgan Stanley. More recently, there has been a string of cases involving sanctions against the parties for failure to comply with requirements for preserving and searching electronically stored information during discovery.
What will happen when a litigation hold covers electronically stored information that utilizes Vanish? The answer would appear simple: Vanish wins. The encryption key expires and the data is rendered unrecoverable. What are the consequences to the parties when the litigation hold is so abrogated?
Complicating the situation is the fact that litigation holds are put in place early in the litigation process, as part of the preparation for the discovery process. Thus, if Vanish is used with electronically stored information in a business setting, it is conceivable that the automatic destruct would run its course long before the relevancy of the data was determined. In most proceedings, this would render unreadable potentially critical data covered by the litigation hold. It is important to emphasize that the encryption keys used by Vanish are never in the user’s possession: they are retrieved from a distributed external peer-to-peer file sharing network outside the control of the user and, in practical terms, of the court.
Personal issues parallel the business concerns. Although personal messages may be embarrassing, they may also be exculpatory. Many a television plot has found a character to be lying about their whereabouts, only to discover in the end that the individual, although indeed a liar, is not a murderer. The lies covered a lesser offense or personal embarrassment, for example, adultery.
Finally, Vanish does not guarantee that the message has been expunged. A decrypted copy of the message or other electronically stored information may be stored by the recipient. At a minimum, the message was displayed on a screen to be read, and can be saved using a screen-capture or even photographed. Thus, destruction can never be assured.
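The mechanism discussed above can be sketched in a few lines. This is an added example, not code from the Vanish project or from the original article; it assumes Shamir threshold secret sharing as the way the key is cut into pieces, and `ToyDHT`, `encapsulate`, `decapsulate` and the SHA-256 keystream are hypothetical stand-ins for the peer-to-peer network and a real cipher. It shows why preserving the encrypted object under a hold does not preserve the ability to read it.

```python
import hashlib, secrets

P = 2**521 - 1  # Mersenne prime; field for the shares (larger than a 256-bit key)

def split(secret, n, k):
    """Shamir split: any k of the n shares rebuild the secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 recovers the secret."""
    total = 0
    for xj, yj in shares:
        num = den = 1
        for xm, _ in shares:
            if xm != xj:
                num = num * -xm % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def xor_stream(key, data):
    """Toy SHA-256 counter keystream (assumption: stand-in for a real cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class ToyDHT:
    """Simulated peer-to-peer store: an entry is gone once now >= expiry."""
    def __init__(self): self.store = {}
    def put(self, idx, share, expiry): self.store[idx] = (share, expiry)
    def get(self, idx, now):
        share, expiry = self.store.get(idx, (None, 0))
        return share if now < expiry else None

def encapsulate(msg, dht, n, k, expiry):
    key = secrets.token_bytes(32)
    for idx, share in enumerate(split(int.from_bytes(key, "big"), n, k)):
        dht.put(idx, share, expiry)  # simplification: sequential indices
    return {"ciphertext": xor_stream(key, msg), "n": n, "k": k}  # key not kept

def decapsulate(obj, dht, now):
    found = [s for s in (dht.get(i, now) for i in range(obj["n"])) if s]
    if len(found) < obj["k"]:
        return None  # preserved ciphertext, but the key can no longer be rebuilt
    key = combine(found[:obj["k"]]).to_bytes(32, "big")
    return xor_stream(key, obj["ciphertext"])
```

Anything `decapsulate` returned before the expiry is ordinary plaintext in the reader's hands, which is the retention gap noted in the paragraph above.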
Vanish and similar approaches have their uses. It would appear to be a potentially useful technology for protecting in-transit information in store-and-forward networks.
I compliment the Vanish team on an interesting approach and paper. My concerns with Vanish are on how the technology intersects with our society and legal system.
As always, comment is invited.
[1] Bob Brown, “Got something to hide? Try "Vanish" to protect your privacy”, Network World, July 20, 2009.
[2] John Markoff, “New Technology to Make Digital Data Self-Destruct”, The New York Times, July 21, 2009.
[3] Geambasu et al., “Vanish: Increasing Data Privacy with Self-Destructing Data”.
[4] The US$ 1.58 billion damage award was later overturned by Florida’s 4th District Court of Appeal in 2007 on grounds unrelated to the discovery sanctions involving electronically stored information.
[5] Two examples of which are: KCH Servs., Inc. v. Vanaire, Inc., 2009 WL 2216601 (W.D. Ky. July 22, 2009), and ACORN v. County of Nassau, 2009 WL 605859 (E.D.N.Y. March 9, 2009) described in K&L Gates’ blog articles referenced below.