Forgetting the Forgotten with Letheia, Concealing Content Deletion from Persistent Observers
Most people are susceptible to oversharing their personal information publicly on social platforms today. As a coping strategy, these platforms offer mechanisms allowing users to delete their posts, and a significant fraction of users exercise this right to be forgotten. However, ironically, users' attempt to reduce attention to sensitive posts via deletion, in practice, attracts unwanted attention from stalkers, curious friends, and even blackmailers specifically to those (deleted) posts. In fact, multiple third party services today identify and hoard deleted posts from millions of users. Thus, in general, deletions may leave users more vulnerable to attacks on their privacy, and users hoping to make their posts forgotten can face a "damned if I do, damned if I don't" dilemma. In the form of intermittent withdrawals, we propose a rather disruptive solution (Letheia) to this problem of (really) forgetting the forgotten. If the platforms are willing to give up the uninterrupted availability of non-deleted posts by a very small fraction, Letheia provides privacy to the deleted posts over long durations. With Letheia, an adversarial observer becomes unsure if some posts are permanently deleted or just temporarily withdrawn; at the same time, the adversarial observer is overwhelmed by a large number of falsely flagged undeleted posts. We analyze large-scale data about users' deletion over Twitter and thoroughly investigate how to choose time duration distributions for alternating between temporary withdrawals and resurrections of non-deleted posts. We find a favorable trade-off between privacy, availability and adversarial overhead in Letheia under different settings. For example, we show that while maintaining content availability as high as 95 deletion privacy for up to 3 months from the time of deletion while still keeping the adversarial precision to 20
READ FULL TEXT