Joel Reardon
ETH Zurich
Publication
Featured research published by Joel Reardon.
IEEE Symposium on Security and Privacy | 2013
Joel Reardon; David A. Basin; Srdjan Capkun
Secure data deletion is the task of deleting data irrecoverably from a physical medium. In the digital world, data is not securely deleted by default; instead, many approaches add secure deletion to existing physical medium interfaces. Interfaces to the physical medium exist at different layers, such as user-level applications, the file system, the device driver, etc. Depending on which interface is used, the properties of an approach can differ significantly. In this paper, we survey the related work in detail and organize existing approaches in terms of their interfaces to physical media. We further present a taxonomy of adversaries differing in their capabilities as well as a systematization for the characteristics of secure deletion approaches. Characteristics include environmental assumptions, such as how the interface's use affects the physical medium, as well as behavioural properties of the approach such as the deletion latency and physical wear. We perform experiments to test a selection of approaches on a variety of file systems and analyze the assumptions made in practice.
Computer and Communications Security | 2013
Joel Reardon; Hubert Ritzdorf; David A. Basin; Srdjan Capkun
Secure deletion is the task of deleting data irrecoverably from a physical medium. In this work, we present a general approach to the design and analysis of secure deletion for persistent storage that relies on encryption and key wrapping. We define a key disclosure graph that models the adversarial knowledge of the history of key generation and wrapping. We introduce a generic update function and prove that it achieves secure deletion of data against a coercive attacker; instances of the update function implement the update behaviour of all arborescent data structures including B-Trees, extendible hash tables, linked lists, and others. We implement a B-Tree instance of our solution. Our implementation is at the block-device layer, allowing any block-based file system to be used on top of it. Using different workloads, we find that the storage and communication overhead required for storing and retrieving B-Tree nodes is small and that this therefore constitutes a viable solution for many applications requiring secure deletion from persistent media.
Computer and Communications Security | 2012
Joel Reardon; Claudio Marforio; Srdjan Capkun; David A. Basin
Deleting a file from a storage medium serves two purposes: it reclaims storage resources and ensures that any sensitive information contained in the file becomes inaccessible. When done for the latter purpose, it is critical that the file is securely deleted, meaning that its content does not persist on the storage medium after deletion. Secure deletion is the act of deleting data from a storage medium such that the data is afterwards irrecoverable from the storage medium. The time between deleting data and it becoming irrecoverable is called the deletion latency.
Privacy Enhancing Technologies | 2018
Irwin Reyes; Primal Wijesekera; Joel Reardon; Amit Elazari Bar On; Abbas Razaghpanah; Narseo Vallina-Rodriguez; Serge Egelman
We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps' compliance with the Children's Online Privacy Protection Act (COPPA), one of the few stringent privacy laws in the U.S. Based on our automated analysis of 5,855 of the most popular free children's apps, we found that a majority are potentially in violation of COPPA, mainly due to their use of third-party SDKs. While many of these SDKs offer configuration options to respect COPPA by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do not make use of these options or incorrectly propagate them across mediation SDKs. Worse, we observed that 19% of children's apps collect identifiers or other personally identifiable information (PII) via SDKs whose terms of service outright prohibit their use in child-directed apps. Finally, we show that efforts by Google to limit tracking through the use of a resettable advertising ID have had little success: of the 3,454 apps that share the resettable ID with advertisers, 66% transmit other, non-resettable, persistent identifiers as well, negating any intended privacy-preserving properties of the advertising ID.
Archive | 2016
Joel Reardon
This chapter considers the problem of an unreliable securely deleting storage medium, that is, one that may lose data, expose data, fail to delete data, and fail to be available. We build a robust fault-tolerant system that uses multiple unreliable storage media. The system permits multiple clients to store securely deletable data and provides a means to control policy aspects of its storage and deletion. It presents details on the implementation both of the distributed securely deleting medium as well as a file system extension that uses it. The solution has low latency at high loads and requires only a small amount of communication among nodes.
IEEE Symposium on Security and Privacy | 2018
Primal Wijesekera; Arjun Baokar; Lynn Tsai; Joel Reardon; Serge Egelman; David A. Wagner; Konstantin Beznosov
Current smartphone operating systems employ permission systems to regulate how apps access sensitive resources. These systems are not well-aligned with users' privacy expectations: users often have no idea how often and under what circumstances their personal data is accessed. We conducted a 131-person field study to devise ways to systematically reduce this disconnect between expectations and reality. We found that a significant portion of participants make contextual privacy decisions: when determining whether access to sensitive data is appropriate, they consider what they are doing on their phones at the time, including whether they are actively using the applications requesting their data. We show that current privacy mechanisms do not do a good job of accounting for these contextual factors, but that by applying machine learning to account for context, we can reduce privacy violations by 80%, while also minimizing user involvement.
Archive | 2016
Joel Reardon
This chapter surveys related work and organizes existing solutions in terms of their interfaces. The chapter further presents a taxonomy of adversaries differing in their capabilities as well as a systematization of the characteristics of secure deletion solutions. Characteristics include environmental assumptions and behavioural properties of the solution.
Archive | 2016
Joel Reardon
This chapter presents a securely deleting data structure using insights from the previous chapter. It uses a B-Tree-based data structure to provide secure deletion. We implement our design in full and analyze its performance, finding that its communication and storage overhead is small.
Archive | 2016
Joel Reardon
This chapter presents UBIFSec, an implementation of DNEFS with the flash file system UBIFS. We describe our implementation and furthermore integrate UBIFSec in the Android operating system. We measure its performance and show that it is a usable and efficient solution. Android OS and applications run normally when using UBIFSec as the file system.
Archive | 2016
Joel Reardon
This chapter opens the part on secure deletion for mobile storage. It first presents details on the characteristics of flash memory, which is currently ubiquitously used in portable storage devices. Flash memory has the problem that the unit of erasure is much larger than the unit of read and write, and worse, erasure is expensive. It then presents related work for flash memory as well as generalizations of this erasure asymmetry to other kinds of media.