The Right to Be Forgotten
Reinforcing Digital Data Forgetting in Cloud Storage
M. Darwish Khabbaz (TU Delft - Cyber Security)
G. Smaragdakis – Promotor (TU Delft - Cyber Security)
M. Conti – Promotor (Università degli Studi di Padova)
E.A. Markatou – Copromotor (TU Delft - Cyber Security)
Abstract
The exponential growth of digital data has reshaped the global landscape of information management, posing urgent security, compliance, and sustainability challenges. Cloud computing offers scalable, ubiquitous storage but raises critical concerns about data lifecycle governance, especially the irreversible deletion of data that has outlived its purpose. Digital forgetting becomes the art of purposeful disappearance in a cloud that remembers everything. The thesis addresses this pressing question: Can cloud-stored data ever be truly forgotten?
To answer this, the thesis presents four interrelated contributions to reinforce digital data forgetting in cloud storage: advancing privacy-preserving forgetting, enabling audience-specific expiration control, supporting collaborative deletion for co-owned data, and ensuring verifiable erasure in untrusted multi-cloud environments.
To address retrospective privacy, we propose Key Decay, a cryptographic scheme where encryption keys degrade irreversibly over time, eliminating reliance on ephemeral storage and enhancing data expiration guarantees.
To support audience-specific data expiration, we propose a Disjunctive Multi-Level Forgetting Scheme that enables distinct user groups to access the same data under tailored validity periods. Smart contracts and decay sensitivity tuning enforce flexible governance across hierarchical access levels.
To manage co-owned data deletion, we introduce a Policy-Based Conjunctive Scheme that accommodates overlapping group memberships and collaborative decision-making. It applies conjunctive thresholds and verifiable key decay that comply with secure forgetting under the EU General Data Protection Regulation (GDPR) Right to Be Forgotten in real-world multi-stakeholder settings.
To ensure verifiable deletion under Byzantine infrastructure, we design a Verifiable Deletion Framework for Multi-Cloud Environments, combining Hardware Security Modules, Secure Enclaves, and dual-layer Merkle hashing to produce cryptographic proofs of deletion across providers both locally and globally.
Together, these contributions form a unified, privacy-preserving framework for managing cloud data from creation to irreversible deletion, reinforcing secure digital forgetting and regulatory compliance.