Lessons learned on e-mail
When it comes to messages, some traces can linger
Michael Kineavy, chief aide to Boston Mayor Thomas M. Menino, has learned the hard way that simply deleting e-mails does not make them go away. The city is potentially facing hundreds of thousands of dollars in expenses to retrieve e-mail messages he deleted that have been subpoenaed by federal authorities and are the subject of a formal request from the Globe.
The lesson for Kineavy, who said yesterday he was taking an unpaid leave, is that it’s very difficult to wipe out all traces of the e-mails we send. And it’s not just e-mail. Millions of us post personal information on social networking sites like Facebook, display photographs at Flickr, or load videos on YouTube. And once that data has been published online, it’s virtually impossible to erase it.
“There are problems you can’t do anything about. Welcome to one of them,” said Bruce Schneier, inventor of a popular data encryption system and author of multiple books about computer security.
Consider e-mail. Even if you delete your copy of a message, the copies sent to others may live on. That’s how the City of Boston found more than 5,000 of Kineavy’s deleted messages - by scouring the e-mail archives of other city workers who had received e-mail from him.
Besides, messages are copied all along the route, not just on the sender’s or recipient’s hard drive. E-mail providers use server computers to handle the messages. A copy of each message is stored on the outgoing server used by the sender, and the incoming server used by the recipient. Those stored messages can sit on the server for years.
And to make sure no messages are lost during a catastrophic computer breakdown, the e-mail companies make regular backup copies of the stored messages, usually onto cheap magnetic tape cartridges. Those just-in-case backups aren’t supposed to last forever. Boston, for instance, writes new data over its backups every 90 days. But the tapes are not always wiped. Indeed, the city has found a few old tapes that may still contain some missing Kineavy e-mails.
E-mail isn’t the only trace we leave. Internet companies like Google, Yahoo Inc., and Microsoft Corp. offer a host of online services - Web searching, of course, but also photo sharing, word processing, blogging, and many more. With each interaction, these companies collect data about the users. This data may be retained indefinitely.
Any information published online is likely to be stored in multiple forms and at multiple locations. Finding and deleting all of it can be costly and time-consuming. Yet because of the falling price of computing hardware, it costs little to keep the data indefinitely, so much of it remains on hard drives and on backup tape cartridges. “It is cheaper to save this stuff than to throw it away,” Schneier said.
Besides, all that collected data has considerable economic value. Internet companies analyze stored information about users’ Internet searches and e-mail messages to craft custom-tailored advertisements. Sites like Facebook will show visitors customized advertisements, chosen according to personal information that users have published at the site.
Viktor Mayer-Schönberger, a former faculty affiliate at Harvard University’s Kennedy School of Government, worries about the long-term consequences of an Internet that never forgets. In his new book, “Delete,” Mayer-Schönberger cited a man who was barred from entering the United States in 2006, because an Internet search revealed that he had consumed illegal drugs during the 1960s. “Not only must we be aware that anything we do and say will be noticed by anybody out there, but by anybody in the future,” he said.
Mayer-Schönberger thinks Internet businesses should voluntarily limit the data they collect, and how long they keep it. Mayer-Schönberger cites the example of Google, which used to store customer search data indefinitely. In 2007, the company said it would delete the data after two years, but rival search services like Ask.com said they would delete search information after just 18 months. Google responded by promising to delete the files after just nine months.
Some companies build “expiration dates” into their Internet services, Mayer-Schönberger said. For instance, the file-sharing service Drop.io lets users limit the lifespan of stored files. After a set period of time, the files are wiped out.
Mayer-Schönberger also likes the idea of self-destructing Internet data. Researchers at the University of Washington have developed a privacy technology called Vanish that could be used for e-mail messages or postings on websites like Facebook. Vanish encrypts all messages, but allows them to be temporarily read by those with specially modified Internet browsers. After a certain time, the messages are permanently encrypted, so they can never be read again.
Other Internet privacy experts think the answer lies in better privacy laws. A new consumer survey conducted by the universities of Pennsylvania and California found that 92 percent of Americans would favor legislation to require businesses to delete all their files on an individual, at the individual’s request. Also, 62 percent think that advertisers should be required to immediately delete their information about a person’s Internet activities.
Chris Jay Hoofnagle, director of the Berkeley Center for Law & Technology at the University of California, said that such legislation “would have to be cognizant of the technical limits of deletion.” As Boston city officials have found, merely hitting the “delete” key isn’t enough.
Truly wiping the data requires writing new information on the drive, a slow and expensive process. But Hoofnagle thinks the public is eager for this kind of privacy protection. “What we saw is that individuals are pretty frustrated,” he said.
Hiawatha Bray can be reached at firstname.lastname@example.org.