
Digital Vaults, Crypts and Ossuaries  

Hal Berghel


There has been quite a bit of media coverage lately on digital vaults.  Many of you have seen some of the press coverage.  I predict that digital vaults will become much more prominent in the years to come.   It is not at all obvious, however, whether that will be good or bad overall.  I'll outline a few of the attendant risks below.

So that we're all both literally and figuratively on the same page, some definitions are in order.  As I use the terms, digital vaults, digital crypts, and digital ossuaries  are all digital repositories of data.  Nothing is excluded as long as it can be represented as zeros and ones.  But I make a distinction between vaults, crypts and ossuaries in terms of  (a) the nature of their contents, (b) whether they're necessarily online, and (c) the purpose they serve.   When I use the term "digital vault" I'm referring to online repositories  with real time accessibility.  "Digital crypts," on the other hand, are online but are only subjected to limited or occasional access.  Think of digital crypts as a vault at 110 baud with occasional modem faults.  Finally, "digital ossuaries" are offline digital repositories used exclusively for archival purposes - kind of a mausoleum for bytes.  These distinctions become important as they all have a different business model and have different implications for privacy and the law.

Let's dispense with digital ossuaries first as they are the most traditional examples of digital repositories dating back as far as the earliest removable storage devices.  The first practical example of personal removable storage media with sufficient capacity to hold personal data was the Iomega Bernoulli Box in the 1980's.  Many of you may recall Iomega's popular successor to their Bernoulli Box, the Zip drive, that followed about 10 years later.  What made these storage devices useful was their capacity - approaching that of internal hard disks.  For the first time it was possible to back up a large part of a hard drive with removable media that could fit in a pocket.

The ossuary role of Zip drives was evident from the start.  Many IT professionals began storing sensitive, personal, and private data on this media for offsite storage.  In effect, these devices made it possible for individuals to achieve a level of secure storage that was previously only available to the enterprise.  Offsite storage of personal data remains commonplace today, especially with the advent of R/W DVD technology.  There were two aspects of the original digital ossuaries that made them relatively harmless: first, the media remained in the care, custody and control of the information owner, and second, the digital repository was not accessible from the Internet cloud.  The importance of these two factors should not be overlooked.

As an aside, this technology illustrates the principle of "technological displacement."  The Zip drive evolved into the Jaz drive just about the time that R/W CD and DVD technology took off.  The result was that the Jaz drive died a quick death.  The reason was an axiom that all IT professionals should hold dear: other things being equal, cheap and disposable media will always displace the more expensive and permanent.

A VAULT BY ANY NAME

We're familiar with vaults, if for no other reason than that our banks intentionally make them visible to us.  We have come to expect a vault door looming large from virtually any vantage point in a bank lobby.  I still remember seeing a bank vault for the first time.  To a child this was an object of amazement - an enormous foot-thick, stainless steel door with huge 3 inch locking bolts and a giant spindle on the outside that opened into a thick-walled room of smaller doors.  Even Superman couldn't break into that, I reckoned.

It didn't take the info-brats long to figure out that we could use these physical vaults to store our digital ossuaries - say by storing complete computer backups on removable media in safety deposit boxes or off-site safes.  We can think of digital vaults as a variation on this theme.  Digital vaults simplify storage because they avoid the trip to the bank or safe.  I've been working with digital security for more years than I care to remember.  I've seen all sundry kinds of hacks, malware, scams, phish pharms, viruses, worms, etc. to the point where virtually nothing surprises me any more.  From where I sit, the prospect of a digital vault doesn't give me that warm, fuzzy sense of security I had when I first saw the Superman-proof bank vault as a kid.  To the contrary, when I think of a digital vault I think of the lockable piggy bank molded in pot metal in the shape of a potato that my dad gave me when I was 5.  Even at that age, my first keyless "withdrawal" took me less than 10 seconds!

But digital vaults are here to stay.  The business model is predicated on a simple observation: since most of our personal data is now digital, why bother storing it on removable media and transporting it to a secure location?  Why not just deposit it in cyberspace?   There are many parallels of this sort of technology disintermediation.  10 years ago, most duplication of recorded music resulted from "duping" CDs.  Now, most duplication involves file transfer over the Internet.  If you think about this phenomenon in the abstract, you can see why CD and DVD technology has to be on the way out: it just doesn't make sense to distribute digital information on physical media if you don't have to.  CDs and DVDs will last for a while in applications with limited file sharing capability (e.g., cars, boats, trains, and airplanes), but their days are definitely numbered.  I remember giving a talk on this topic to a group of business executives about 10 years ago.  I predicted the demise of CD and DVD technology to a group that had yet to embrace them.  Eyebrows raised, the audience heard me prophesy that removable entertainment media would be historical relics by 2020.  Ten years later, I still hold to this prediction.  CD and DVD sales will continue to set sales records during the next decade or two.  Then they will gracefully drop out of sight like the 8-track tape.

THE KEY TO DIGITAL VAULTS

There's a striking similarity between digital and physical vaults when it comes to securing the data.  The dual-key paradigm applies here as well - one key in the hands of the owner and one in the hands of the custodian (aka online service).  Both keys are required for access.  In terms of the online experience, the custodial key is provided by online access.  The private key is the encryption password that applies to the data.  Eventually, public-key encryption will be deployed much as it is in email, but in the near term custodial access will be through popular security protocols like SSH and SSL.


Though key distribution is handled similarly, there are some differences.  Physical vaults are decidedly low-tech; unauthorized access is generally characterized by force, and it's practically impossible not to leave evidence of the intrusion.  In contrast, digital vaults are high-tech, unauthorized access is generally characterized by finesse, and it is relatively easy not to leave evidence behind because "clearing the tracks" is the last step of hacking.  Digital vaults stand to physical vaults as digital ballot boxes stand to physical ballot boxes - the "digital" varieties are easier to use and, as a consequence, easier to abuse.  That's why so many IT professionals have spoken out against the use of "paperless ballots"!


EXEMPLARS

One example of a digital vault is Wells Fargo's vSafe.  In May, 2008 Wells Fargo announced their version of cyberstorage for rates ranging from $4.95 for 1 gigabyte to $14.95 for 6 gigabytes.  Take a virtual tour of this service via their vSafe website at https://www.wellsfargo.com/jump/wellsfargovsafe/comingsoon.  Google, Yahoo and Microsoft have also moved into this space, though their business model is ad-based subscription.  Within a year, expect every online service of any size to offer digital vaults because the potential for ad revenue is considerable.  Imagine accessing your archived bank statements when a pop-up appears emphasizing that the Bank of No Returns provides free checking.  Eventually, the ad-based systems will dominate just as they do in virtually every other online market.  I would expect that the financial companies will quickly move to a bundled-service model to add value to their other services.  For-fee digital vaults will go the way of commercial web browsers.

THE UGLY SIDE OF DIGITAL VAULTS

This past year the Cleveland Clinic partnered with Google to store patient electronic personal health records in a product called Google Health (www.google.com/health).  Google Health uses standard health-care data formats for data portability.  Records already conforming to a clinical document architecture, in the form of eCleveland Clinic MyChart, make uploading straightforward.   Access to this information at present is limited to the Cleveland Clinic and their patients.  The argument for this is that it will empower patients, limit costs and ensure portability, all of which is true.  It is important to note that apparently no patient objected to this voluntary program!  The reason for this lack of dissent is in my view a lack of understanding of just how serious the downstream privacy implications are.  Microsoft also offers a similar service under the name HealthVault (www.healthvault.com).

I think this is pretty scary from a privacy point of view.  Let me explain why I feel this way:

  1. In the US, ownership of patient records is not clearly defined.  Once these records are in an online database, and under the care, custody and control of a 3rd party (*not* the patient), the question of ownership takes on critical importance.  Suppose that legislation or case law suggests that ownership is not exclusively with the patient but rather "shared."  What chance is there of limiting access to parties the patient doesn't want to have access?  Online data spreads across the Internet at gigabit+ speeds.  As Paris Hilton and other celebrities can attest, there's no getting the data back once it hits the Internet cloud.  In the US ownership claims have historically been made by patients, healthcare providers, insurance companies, employers, and even the government.  Think back on how hard it was to get X-rays from hospitals and physicians' offices a few decades ago.  The hospitals and physicians felt that they "owned" this information.  The point to bear in mind is that once this information is in the care, custody and control of someone other than the patient, there is always the risk that it will fall into the hands of someone whose interests work against those of the patient.
  2. There is an active campaign in the US by the insurance companies to provide healthcare information to employers.  One major insurance company has transferred the care, custody and control of patient records to a bank subsidiary to get around the HIPAA prohibition of directly sharing patient records with employers:  HIPAA does not strictly prohibit sharing information between financial institutions and employers!

    Sharing healthcare information with potential employers can lead to a pernicious form of healthcare discrimination.  Needless to say, an employer's health care premiums will go down if it hires only healthy people - and since health care costs represent a large share of the benefits package, not employing less-healthy people provides a company with a competitive advantage.  I see health-risk prospecting as a real threat to health care in the US.

  3. The custodian of the health care records could easily become a gatekeeper if the government isn't eternally vigilant.  Imagine that the custodian receives a royalty from healthcare provider XYZ, but no royalty from provider ABC.  What incentive would there be for the custodian to allow the patient to provide access to ABC?

As we know from the world of identity theft and financial fraud, once the digital toothpaste is out of the tube it's impossible to get it back in.  If the custodian's servers get compromised, who's to say to what nefarious ends the hacker might put the information?


CONCLUSION

In my opinion, digital vaults represent the biggest threat to personal privacy since the misuse of the social security number.  If something goes wrong with digital vaults in the healthcare industry, we could end up with a caste of healthcare untouchables in the US who can't access adequate healthcare and are unemployable.  This is a trainwreck in the making.

Of course, there is a simple way to avoid the biggest part of the problem: legislate that the patient, alone, has any ownership claim to his/her healthcare records.  This simple move would place enormous incentives on any proprietor of digital records storage to ensure their safe storage under HIPAA.  With that one stroke, many - but not all - of my concerns would be addressed.  By the way, Australia did this some years ago, so it can be done in western democracies *if* the public demands it.  However, left to its own devices, the body politic will react to the pressure from lobbyists from insurance and healthcare provider industries who do not want the inconvenience of having to be accountable to the patient.

Society has always had a fascination with vaults.  History records their widespread use in Pharaonic Egypt 6,000 years ago in the form of the ancient pyramids.  Bank robbers have figured out sundry ways to compromise them.  The devious among us have relied on them for stealth.  Vaults aren't good or bad in themselves; it's the use to which they're put, and the fact that they may give us a false sense of security, that we need to worry about.  Take a look at the 24/7 Private Vaults website (24-7privatevaults.com) for example, and ask yourself who the prospective customer might be.

This is definitely a techno-trend worthy of eternal vigilance.