Technical Details
We at the University of Texas at Austin, Princeton and the University of Michigan have broken the security guarantees of the Vanish system with a system we call Unvanish.

The increasing prevalence of networked computing and communications, combined with the ubiquity of caching, backup and archival tools, has resulted in a world where data sent or shared in any way over the Internet can be difficult or impossible to control or destroy. This is a critical privacy concern, since it affects anyone who uses the Internet to communicate, whether by email, through social networking sites such as Facebook or Flickr, through file-sharing systems and so on.

Vanish is an experimental computer system created at the University of Washington that claims to provide a self-destruct mechanism for digital data. Vanish encrypts data, such as emails, photographs or video, so that it can only be read for a limited time window, such as eight hours. After that window the data still exists, but it can no longer be read: it is just digital gibberish.

Vanish is aimed at people who want to discuss something sensitive, such as a divorce or a lawsuit, with a friend. A user who sends an email about a private matter over the Internet currently puts its privacy at risk, because it is impossible to control where copies of it are made as it travels to its destination. The provider of the user's email service may keep a copy as part of its backup system. The friend may keep a copy, either intentionally or accidentally. Even if the friend respects the user's privacy concerns, constantly asking a friend to delete this email or that attachment quickly becomes tedious for both parties. Encryption technologies address many of the privacy concerns in this scenario, but as long as the encryption keys remain around, the private communication remains as well; moreover, encryption keys can be subpoenaed. There is currently no way for a user to permanently delete material they have posted or sent over the Internet.

The Vanish system claims to solve this problem by making electronic messages that self-destruct after a period of time. Vanish encrypts a message with a secret key, then uses a peer-to-peer network to make the key disappear, rendering the message unreadable. The key is split into many small pieces that are stored at many different places in the peer-to-peer network. As users of the network join and leave, the pieces of the key disappear with them, eventually making it impossible for anyone (even the original sender) to reassemble the key and read the message. Because these networks consist of millions of personal computers whose addresses change as they join and leave, the Vanish authors claim that it is exceptionally difficult for an eavesdropper to collect enough pieces to reassemble the key, since the key is never held in a single location.

Unvanish shows that the Vanish system does not provide the privacy guarantees it claims: it makes Vanish messages recoverable after they should have disappeared. Our goal with this work is to discourage people from relying on the privacy of a system that is not actually private.

The insight behind Unvanish is that an eavesdropper or spy can use a single computer to join the peer-to-peer network in many places simultaneously (a Sybil attack). Because the key fragments have a recognizable size, the eavesdropper can use a small number of computers to join the network, act like a large number of computers, and simply store anything that looks like a fragment of a Vanish key. Later, when given a message that should have "disappeared", Unvanish simply consults its archive of fragments to find the pieces it needs to decrypt the message. In our experiments with Unvanish, we have shown that it is possible to make Vanish messages "reappear" long after they should have "disappeared" nearly 100% of the time.
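The two mechanisms described above, Vanish's scattering of a key into pieces across a churning peer-to-peer network and Unvanish's Sybil nodes that archive anything fragment-sized, as one added example. This is a toy Python model written for this page, not code from the Vanish or Unvanish projects. It assumes things the page does not state: the key pieces are Shamir secret shares over a prime field, each share is stored at a location hashed from an access key carried with the message, a SHA-256 keystream stands in for AES, and the DHT, its churn and its value timeout are a simplified simulation. All names (`SimulatedDHT`, `ArchivingStore`, `simulate` and the rest) and the sample message are my own.

```python
import hashlib
import secrets

PRIME = 2**127 - 1           # field for Shamir shares; data keys are 126-bit integers
SHARE_BYTES = 16             # every share value fits in 16 bytes: the "recognizable size"
N_SHARES, THRESHOLD = 10, 7  # the key is split into 10 pieces; any 7 rebuild it

def split_secret(secret, n, k, rng=None):
    """Shamir split (assumed mechanism): random degree-(k-1) polynomial with f(0)=secret, at x=1..n."""
    rng = rng or secrets.SystemRandom()  # key material must come from a CSPRNG
    coeffs = [secret] + [rng.getrandbits(126) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x=0 over GF(PRIME); garbage unless at least THRESHOLD shares are given."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def keystream_xor(key, data):
    """SHA-256 counter-mode keystream XOR: a stand-in for AES here, not for production use."""
    key_bytes = key.to_bytes(SHARE_BYTES, "big")
    out = bytearray()
    for ctr in range(0, len(data), 32):
        block = hashlib.sha256(key_bytes + ctr.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[ctr:ctr + 32], block))
    return bytes(out)

class ArchivingStore(dict):
    """Store of one Sybil node: any share-sized value is copied to the attacker's permanent archive."""
    def __init__(self, archive):
        super().__init__()
        self.archive = archive
    def __setitem__(self, key, value):
        if len(value) == SHARE_BYTES:
            self.archive[key] = value
        super().__setitem__(key, value)

class SimulatedDHT:
    """Toy DHT: a value lives on the live node whose id is XOR-closest to the hash of its key."""
    def __init__(self, rng, honest_nodes):
        self.rng = rng
        self.nodes = {rng.getrandbits(64): {} for _ in range(honest_nodes)}  # node id -> its store
    def _owner(self, key):
        target = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
        return min(self.nodes, key=lambda nid: nid ^ target)
    def put(self, key, value):
        self.nodes[self._owner(key)][key] = value
    def get(self, key):
        return self.nodes[self._owner(key)].get(key)
    def advance_time(self):
        for nid in [n for n, s in self.nodes.items() if not isinstance(s, ArchivingStore)]:
            del self.nodes[nid]                          # honest peers churn out...
            self.nodes[self.rng.getrandbits(64)] = {}    # ...and newcomers arrive with empty stores
        for store in self.nodes.values():
            store.clear()                                # and the DHT drops values past their timeout

def share_location(access_key, index):  # DHT key of share #index, derived from the VDO's access key
    return hashlib.sha256(access_key + bytes([index])).digest()

def vanish_encapsulate(message, dht, rng):
    """Encrypt under a fresh key, scatter the key's shares into the DHT, return a VDO holding no key."""
    data_key = rng.getrandbits(126)
    access_key = rng.getrandbits(128).to_bytes(16, "big")
    for x, y in split_secret(data_key, N_SHARES, THRESHOLD, rng):
        dht.put(share_location(access_key, x), y.to_bytes(SHARE_BYTES, "big"))
    return {"ciphertext": keystream_xor(data_key, message), "access_key": access_key}

def vanish_decapsulate(vdo, lookup):
    """Collect shares via lookup(location); plaintext, or None if fewer than THRESHOLD survive."""
    shares = []
    for x in range(1, N_SHARES + 1):
        value = lookup(share_location(vdo["access_key"], x))
        if value is not None:
            shares.append((x, int.from_bytes(value, "big")))
    if len(shares) < THRESHOLD:
        return None
    return keystream_xor(recover_secret(shares[:THRESHOLD]), vdo["ciphertext"])

def run_unvanish(dht, sybil_count):
    """Sybil attack: one machine joins the DHT under many identities that all feed one archive."""
    archive = {}
    for _ in range(sybil_count):
        dht.nodes[dht.rng.getrandbits(64)] = ArchivingStore(archive)
    return archive

def simulate(honest_nodes=50, sybil_count=5000):
    """Returns (read now, honest read after the window, attacker read after the window)."""
    message = b"about the divorce: please delete this after reading"  # constructed sample input
    dht = SimulatedDHT(secrets.SystemRandom(), honest_nodes)
    archive = run_unvanish(dht, sybil_count)  # the eavesdropper is listening before the message is sent
    vdo = vanish_encapsulate(message, dht, dht.rng)
    before = vanish_decapsulate(vdo, dht.get)
    dht.advance_time()  # the eight-hour window passes
    return before, vanish_decapsulate(vdo, dht.get), vanish_decapsulate(vdo, archive.get)
```

`simulate()` returns the message itself, then `None` (an honest lookup after the window finds no shares), then the message again (the attacker's archive still holds enough shares). Two points the toy makes visible: the VDO itself never contains the data key, so Vanish's secrecy rests entirely on the shares becoming unreachable, and a Sybil population that owns most of the id space sees most puts, so the attacker needs only `THRESHOLD` of `N_SHARES` fragments to land on its nodes; with 5000 Sybil identities against 50 honest ones that happens almost always.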

If you are curious about how Unvanish works, we encourage you to peruse either our publications page or the technical details area.

Copyright © Unvanish 2015