Towards Contractual Agreements for Revocation of Online Data

Theodor Schnitzler, Markus Dürmuth, Christina Pöpper

IFIP International Conference on ICT Systems Security and Privacy Protection (IFIP SEC '19), Lisbon, Portugal, June 25-27, 2019


Once personal data is published online, it is out of the control of the user and can be a threat to users' privacy. Retroactively deleting data after it has been published is notoriously unreliable due to the distributed and open nature of the Internet. Cryptographic approaches implementing data revocation address this problem, but have serious limitations when considering practical deployment, and they have not been broadly adopted.

In this paper, we tackle the problem of data revocation from a different perspective by examining how contractual agreements can be applied to create incentives for providers to conform to expiration regulations. Specifically, we propose a protocol to automate the handling of data revocation. We have implemented a prototype smart contract on a local Ethereum blockchain to demonstrate the feasibility of our approach.

Our approach has distinct advantages over existing proposals: It can deal with a wide spectrum of revocation conditions, it can be applied retroactively after data has been published, and it does not require additional effort for users accessing the published data. It thus constitutes an interesting, novel approach to data revocation.