Comment by traskjd
7 years ago
We don't soft delete payloads at Raygun (https://raygun.com), for the very fact that typically if one of our customers wants to delete something it's because they might have sent something they don't want a third party to have. We have filters and other PII filtering tools etc, but every now and then something might be sent by mistake.
Having said that, you'd be amazed how often folks ask for things to be undeleted (despite a big warning dialog).
Clearly developers pervasively believe soft deletes are occurring everywhere.
It isn’t that hard to combine soft deletes with delayed hard deletes: generate a new encryption key every day for “data deleted today”, and encrypt deleted data with it. After X days, destroy the decryption key.
If you use asymmetric encryption, you can keep the group of people who can recover “deleted data” small. You could even have an independent party generate your encryption key pair, give you the encryption key, and your customer, on request, the decryption key (I think there is a business model for a non-profit here).
Instead of having a key that you delete (and also build non trivial infrastructure to support), why not delete the actual data?
Because the key is smaller, it is easier to make sure you deleted every copy of that key than that you deleted every copy of the data. The data also might be part of a larger backup that you would have to take apart and reassemble in order to delete the data, or might be in a place where doing that is costly (e.g. on Amazon Glacier)
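Worked example of the scheme discussed above (a per-day deletion key, deleted rows encrypted under it, the key destroyed after a retention window), added here as an illustration and not code from any commenter or from Raygun. Class and function names are hypothetical. The keystream is HMAC-SHA256 in counter mode purely to keep the example standard-library only; a real system would use an AEAD such as AES-GCM. The point it shows is the one made in the replies: after the key is destroyed the ciphertext can still sit in a backup, but it is no longer recoverable.

```python
import hmac
import hashlib
import secrets
from datetime import date, timedelta


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream (HMAC-SHA256 in counter mode). Illustration only;
    production code should use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext; a fresh nonce per record avoids keystream reuse."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


class KeyVault:
    """One random key per calendar day of deletion. Retention is enforced by
    destroying the small key, not by hunting down every copy of the data."""

    def __init__(self) -> None:
        self._keys: dict[date, bytes] = {}

    def key_for(self, day: date) -> bytes:
        if day not in self._keys:
            self._keys[day] = secrets.token_bytes(32)
        return self._keys[day]

    def lookup(self, day: date):
        return self._keys.get(day)  # None once the key has been destroyed

    def destroy_expired(self, today: date, retention_days: int) -> list:
        cutoff = today - timedelta(days=retention_days)
        expired = sorted(d for d in self._keys if d <= cutoff)
        for d in expired:
            del self._keys[d]
        return expired


class SoftDeleteStore:
    """Live records in plaintext; soft-deleted records kept only as ciphertext
    under the key of the day they were deleted."""

    def __init__(self, vault: KeyVault) -> None:
        self.vault = vault
        self.live: dict[str, bytes] = {}
        self.deleted: dict[str, tuple] = {}

    def put(self, record_id: str, data: bytes) -> None:
        self.live[record_id] = data

    def soft_delete(self, record_id: str, today: date) -> None:
        data = self.live.pop(record_id)
        self.deleted[record_id] = (today, encrypt(self.vault.key_for(today), data))

    def restore(self, record_id: str) -> bytes:
        day, blob = self.deleted[record_id]
        key = self.vault.lookup(day)
        if key is None:
            raise KeyError(f"{record_id}: key for {day} destroyed; data unrecoverable")
        self.live[record_id] = decrypt(key, blob)
        del self.deleted[record_id]
        return self.live[record_id]

    def purge(self, today: date, retention_days: int) -> list:
        """Hard-delete everything older than the window by destroying its keys."""
        return self.vault.destroy_expired(today, retention_days)


def demo(retention_days: int = 30) -> tuple:
    """Returns (restorable_inside_window, unrecoverable_after_purge, blob_still_stored)."""
    store = SoftDeleteStore(KeyVault())
    day0 = date(2024, 1, 1)  # constructed sample dates
    store.put("payload-1", b"stack trace containing a mistakenly logged token")
    store.soft_delete("payload-1", day0)
    restorable = store.restore("payload-1") == b"stack trace containing a mistakenly logged token"
    store.soft_delete("payload-1", day0)
    store.purge(day0 + timedelta(days=retention_days), retention_days)
    try:
        store.restore("payload-1")
        unrecoverable = False
    except KeyError:
        unrecoverable = True
    return restorable, unrecoverable, "payload-1" in store.deleted


if __name__ == "__main__":
    print(demo())
```

The check a practitioner would add around this is that the key vault itself is not included in the same backups as the ciphertext, otherwise the "destroy every copy of the key" argument collapses into the original "destroy every copy of the data" problem.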
Absolutely!
That's great you guys do that. But it can't be proven; why take your word for it?
Ultimately, it's the trust that is the problem, and that is what needs to be removed either through new technology or legislation or both.
And why offer the false sense of security?
If they upload a private key and delete it because they "don't want a third party to have" it, do you also guarantee it wasn't seen or cached anywhere else? I don't know the details of that product, but I usually treat anything uploaded even once as compromised from that point on.
This is the same argument people used to make for why it was fine for capabilities to be unrevocable--someone could have copied the data anyway (or whatever) so there was no point in revoking it. In reality, most of the time nobody but the host of a deleted item has access to the data, has a way to tie it to the originator, and has a motive to use it, especially without significant effort. Being able to delete things is a very important feature (not to mention a legal requirement in many countries!), and it's disturbing to me how many people seem to want to justify a world where every bit of data is saved, forever.
How do you handle:
1. Deletions from backups
2. Deleting material that has been deleted prior to the restoration of the backup?