1. Introduction
With the rapid growth of data scale, the demand for storage space is growing as well. In response, cloud storage has recently been offered as a service, providing people with cheap and unlimited storage space. For example, Amazon Web Services and Google Cloud Storage offer cloud storage solutions to customers around the world, reducing the need for storage space on local devices. Despite the tremendous benefits, the cloud user’s data, held in remote cloud storage, are entirely beyond the user’s control. It is therefore necessary to guarantee assured deletion (Ramokapane, Rashid, & Such, 2016) for cloud users. Undeleted data may unexpectedly appear later and thus expose the user’s private information. The challenge of realizing assured deletion is that we have to trust the cloud service provider (CSP) to completely delete data according to the contract. It is typical practice among CSPs to store multiple backups of data across different online or offline servers for fault tolerance. In particular, after receiving a deletion request, a CSP may not actually remove all backup copies even though it has deleted the data on the current cloud server. Therefore, it is difficult to confirm that data have been forgotten by CSPs. How to completely remove data and maintain cloud users’ right to be forgotten has become an urgent problem.
Many organizations attach great importance to the right to be forgotten and have introduced a series of security policies and laws. As early as 1995, the EU passed the Data Protection Directive, under which the data controller is required to remove the personal data of an individual upon request (Europea, 1995). This is the genesis of the right to be forgotten, which means that any organization is obligated to remove a customer’s personal data upon request. On May 13, 2014, the European Court of Justice compelled Google to remove links to a 1998 newspaper article about a Spanish man’s bankruptcy (Kropf, 2014), upholding the right to be forgotten on the Internet. The Cybersecurity Law of the People’s Republic of China, in effect since June 1, 2017, states that network operators collecting and using personal information shall abide by the principles of legality, propriety and necessity and obtain the consent of the person whose data is gathered. In reality, although these rules are included in service contracts, cloud users still have to trust CSPs heavily without any technical guarantee.
For assured deletion, typical prior work in this area relies on encryption (Perlman, 2005; Tang, Lee, Lui, & Perlman, 2012; Priebe, Muthukumaran, O’Keeffe, Eyers, Shand, Kapitza, & Pietzuch, 2014). According to Tang, Lee, Lui, and Perlman (2012), assured deletion makes the outsourced data permanently inaccessible to anyone upon a request for data deletion. In their scheme, a data owner first encrypts the data and then sends the encrypted data to cloud servers managed by a CSP. The relevant encryption keys are kept by the owner or managed by a third party. Finally, deletion is achieved by destroying the encryption keys. As a result, the data can no longer be decrypted, let alone accessed. This kind of data encryption scheme gives cloud users some control over the removal of their data.
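The key-destruction approach described above can be sketched as follows. This is an added example, not code from the article or from the cited schemes; the function names, the dictionaries standing in for the key store and the CSP's replicas, and the SHAKE-256/HMAC construction (a standard-library stand-in for a real authenticated cipher) are all assumptions.

```python
import hashlib
import hmac
import secrets


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHAKE-256 keystream: stdlib stand-in for a real cipher such as AES (assumption).
    return hashlib.shake_256(b"enc" + key + nonce).digest(n)


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + _tag(key, nonce + body)


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce + body)):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(body, _stream(key, nonce, len(body))))


def upload(keys: dict, replicas: dict, file_id: str, data: bytes) -> None:
    # Owner side: a fresh per-file key stays in `keys`; the CSP only gets ciphertext,
    # which it copies to every replica (constructed stand-ins for backup servers).
    keys[file_id] = secrets.token_bytes(32)
    blob = seal(keys[file_id], data)
    for store in replicas.values():
        store[file_id] = blob


def assured_delete(keys: dict, file_id: str) -> None:
    # Deletion = destroying the key; a real key store must also erase its own copies.
    keys.pop(file_id, None)


def demo() -> tuple:
    keys, replicas = {}, {"primary": {}, "backup": {}, "offline": {}}
    upload(keys, replicas, "report", b"constructed sample record")
    before = unseal(keys["report"], replicas["backup"]["report"])
    del replicas["primary"]["report"]      # CSP removes only the live copy
    assured_delete(keys, "report")
    leftover = sorted(n for n, s in replicas.items() if "report" in s)
    return before, leftover, "report" in keys
```

After `demo()` the ciphertext still sits on the two backup replicas, but with the per-file key gone none of those copies can be decrypted, which is why the scheme does not depend on the CSP removing its backups.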
However, ciphertext computing services are very complex and impractical. By outsourcing plain data to cloud servers, users can fully enjoy fast cloud computing services, such as using an image to search for similar images or editing images in large-scale image libraries. Therefore, we advocate uploading plain data to cloud servers. Unfortunately, there is no specific assured deletion scheme for plain data stored in the cloud.