by derefr 3424 days ago
I've always wondered whether a datastore built on an immutable architecture could be designed to cope with an expectation of receiving court orders to delete data. I think you'd arrive at a somewhat "DRM"-like design. That is:

1. the datastore system would be designed as an "appliance", intended to be installed directly on hardware, and would mandate (and check that) the hardware it was installed on provided both a TPM to store disk encryption keys in, and a full Secure Boot trust-chain granting only its bootloader boot privilege;

2. the datastore software would maintain a mutable index within the store (in the Merkle-tree-ref sense) of all data that is to be "considered deleted"—a master "tombstone" record, in the DBMS terminology—and would prevent anyone from accessing said data through the system's API.

With such a design, the data is effectively "gone", just as if it were really erased from the disks; the only way for a company running such a datastore to "recover" the data would be to find an exploit in the appliance allowing them to modify either the tombstone list (somewhat easy to thwart by choice of data structure), or the code that applies the tombstone policy.

3 comments

In addition: have per-object encryption keys and destroy those when data has to be wiped.

Have a look at what Datomic does. http://docs.datomic.com/excision.html

It's like every service provider's wet dream to arbitrarily lock up our private files. Currently only the Russian cybercriminals are a bit ahead of the competition.
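As an added example that is not from derefr's post, from Datomic, or from any shipped appliance, here is a small Python sketch of the design described in the post combined with the per-object-key suggestion in the first reply: an append-only ciphertext store, a per-object key that is destroyed on excision, and a tombstone index kept as a hash chain whose head stands in for the value the appliance would seal in the TPM. The names (`ImmutableStore`, `excise`, `sealed_head`, `tamper_remove_tombstone`) and the toy SHA-256 counter-mode cipher are assumptions for illustration; a real build would use AES-GCM and wrap the per-object keys with a TPM-held key.

```python
"""Immutable store with crypto-shredding and a hash-chained tombstone index.

Added illustration, not code from the HN post or from Datomic. Everything
here (class and method names, the toy cipher) is an assumption for the example.
"""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

GENESIS = hashlib.sha256(b"tombstone-chain-genesis").digest()


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from SHA-256 (assumed, stands in for
    AES-GCM so the example runs on the standard library). The point of the
    example is key *destruction*, not the cipher itself."""
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += h(key, nonce, ctr.to_bytes(8, "big"))
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


class TamperedTombstoneIndex(Exception):
    """Raised when the tombstone chain no longer matches the sealed head."""


class ImmutableStore:
    def __init__(self) -> None:
        # Append-only ciphertext store: nothing is ever removed from here.
        self._blobs: Dict[bytes, Tuple[bytes, bytes]] = {}
        # Per-object keys (the first reply's suggestion). In the appliance
        # these would be wrapped by a TPM-held key; dropping one makes its
        # ciphertext unrecoverable even with raw disk access.
        self._keys: Dict[bytes, bytes] = {}
        # Tombstone index as a hash chain: entry i commits to entry i-1, so
        # removing or reordering an entry changes every later head.
        self._tombstones: List[Tuple[bytes, str, bytes]] = []
        # The chain head is the only mutable root. In the appliance design it
        # would live in TPM NV storage; here a plain attribute stands in for it.
        self.sealed_head: bytes = GENESIS

    def put(self, data: bytes) -> bytes:
        key, nonce = os.urandom(32), os.urandom(16)
        ct = xor_keystream(key, nonce, data)
        oid = h(nonce, ct)  # content-addressed by ciphertext
        self._blobs[oid] = (nonce, ct)
        self._keys[oid] = key
        return oid

    def excise(self, oid: bytes, reason: str) -> None:
        """Delete through the API: shred the key and append a tombstone."""
        if oid not in self._blobs:
            raise KeyError("unknown object")
        self._keys.pop(oid, None)
        head = h(self.sealed_head, oid, reason.encode())
        self._tombstones.append((oid, reason, head))
        self.sealed_head = head

    def verify_tombstone_index(self) -> None:
        """Recompute the chain and compare with the sealed head."""
        head = GENESIS
        for oid, reason, recorded in self._tombstones:
            head = h(head, oid, reason.encode())
            if head != recorded:
                raise TamperedTombstoneIndex("entry does not match chain")
        if head != self.sealed_head:
            raise TamperedTombstoneIndex("chain head does not match sealed head")

    def is_deleted(self, oid: bytes) -> bool:
        self.verify_tombstone_index()  # refuse to answer from a tampered index
        return any(t[0] == oid for t in self._tombstones)

    def get(self, oid: bytes) -> Optional[bytes]:
        if self.is_deleted(oid):
            return None
        key = self._keys.get(oid)
        if key is None:
            return None  # key shredded: ciphertext alone is useless
        nonce, ct = self._blobs[oid]
        return xor_keystream(key, nonce, ct)

    def tamper_remove_tombstone(self, oid: bytes) -> None:
        """Simulates an operator with disk access editing the tombstone list
        directly to "undelete" an object, bypassing the API."""
        self._tombstones = [t for t in self._tombstones if t[0] != oid]


def demo() -> dict:
    """Walk through put / excise / tamper on constructed sample records."""
    store = ImmutableStore()
    a = store.put(b"customer record: alice")  # constructed sample data
    b = store.put(b"customer record: bob")
    before = store.get(a)
    store.excise(a, "court order")
    after = store.get(a)
    other = store.get(b)
    store.tamper_remove_tombstone(a)
    try:
        store.get(a)
        tamper_detected = False
    except TamperedTombstoneIndex:
        tamper_detected = True
    # Even if the policy check were patched out, the key is gone.
    key_still_present = a in store._keys
    return {"before": before, "after": after, "other": other,
            "tamper_detected": tamper_detected,
            "key_still_present": key_still_present}
```

Two things the walk-through shows: editing the tombstone list behind the API is caught because the recomputed chain no longer matches the sealed head, and even if the policy code itself were patched out, the per-object key is already gone, so the surviving ciphertext is useless. The caveat a practitioner would add is that crypto-shredding only works if every copy of the key is destroyed; backups, replicas and key-escrow logs that still hold it undo the deletion.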