What were the design goals for Vanish?
Motivated by the above, we sought a system that can permanently delete data after a timeout:

(1) even if an attacker can retroactively obtain a pristine copy of that data and any relevant persistent cryptographic keys and passphrases from before that timeout, perhaps from stored or archived copies;

(2) without the use of any explicit delete action by the user or the parties storing that data;

(3) without needing to modify any of the stored or archived copies of that data;

(4) without the use of secure hardware; and

(5) without relying on the introduction of any new external services that would need to be deployed.

A corollary of (5), but also of independent importance, is that we did not wish to force a reliance on any centralized or managed trusted service. It would seem inappropriate for users to trust such a service if they are simultaneously concerned about Google, Facebook, or other web service providers archiving their data indefinitely.