
The Vault

While reading this article on the reg, I had the strange sense that we’d all been here before. In my opinion the real issue is storing documents in unencrypted binary or textual form. Especially with the popularity of XML-based document formats, this is a bit of a nightmare.
If you analyse a system like FreeNet, it works by anonymising and encrypting the information contained within the network. Therefore, if I encrypt information on my network such that reliable estimates suggest it will take hundreds of years to crack the encryption (e.g. 2KB asymmetric keys), even allowing for Moore’s law, then surely the holding party can’t really claim to be in “possession” of the information. They are in possession of bits and bytes which have the “potential” to become the information. They have an intermediate form and are therefore less in possession of it than a telephone wire is in possession of a document you send via facsimile.
So one solution is the secure “vault” concept which Gaisan did some work on in the distant past. The vault is a remote data store where you and only you can read your information. There are no back-doors or concerns that competitors, authorities or anyone else can read your information. There’s no “forgot my password” admin function. Access to the vault is via a dedicated “black-box” which is tamper-proof and EM shielded. Your keys are stored on smart cards and retrieval/decryption of vault information is based on presenting the correct smart card. Different keys are used at different times and the “box” contains an algorithm to enable information to be retrieved from the “vault”. Vault space was “leased” for an appropriate period of time, which could be no more than a few seconds in an “information sharing” scenario. We had a few other ideas which I’d rather not discuss in this freewheeling blog, but the overall goal was to enforce storage of anonymous bits with no idea of where they originated from and what they may be.
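
A minimal sketch of the vault idea described above, added here as an illustration and not taken from the original design or from Gaisan's work. It assumes AES-256-GCM as the cipher (a symmetric stand-in for the keys the post mentions), an in-memory map in place of the remote store, and the hypothetical names `Vault`, `CardKey`, `Seal` and `Open`.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

type blob struct{ nonce, data []byte; expires time.Time } // all the operator ever holds
type Vault map[string]blob                                 // opaque id -> blob; no keys, no recovery function

// CardKey stands in for the smart card: the AES-256-GCM key exists only on the client.
func CardKey(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts client-side and leases vault space under a random, meaningless id.
func Seal(v Vault, card cipher.AEAD, plaintext []byte, lease time.Duration, now time.Time) (string, error) {
	buf := make([]byte, 16+card.NonceSize()) // 16 id bytes + a fresh nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id, nonce := fmt.Sprintf("%x", buf[:16]), buf[16:]
	v[id] = blob{nonce, card.Seal(nil, nonce, plaintext, []byte(id)), now.Add(lease)}
	return id, nil
}

// Open fetches and decrypts on the client; once the lease is over the bits are deleted.
func Open(v Vault, card cipher.AEAD, id string, now time.Time) ([]byte, error) {
	b, ok := v[id]
	if !ok || !now.Before(b.expires) {
		delete(v, id)
		return nil, fmt.Errorf("blob %s absent or lease expired", id)
	}
	return card.Open(nil, b.nonce, b.data, []byte(id))
}

func main() {
	v, now := Vault{}, time.Now()
	card, _ := CardKey(make([]byte, 32)) // constructed all-zero demo key
	id, _ := Seal(v, card, []byte("constructed sample memo"), time.Second, now)
	pt, _ := Open(v, card, id, now)
	_, err := Open(v, card, id, now.Add(2*time.Second))
	fmt.Printf("in lease: %q; after lease: %v\n", pt, err)
}
```

The store side only ever sees a random id, a nonce, ciphertext and a deadline, so a lost key means the data is unrecoverable by design.
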
I’m more convinced than ever that clear-text storage of corporate information on external servers is a big legal problem and should be avoided at all costs.
