Blockchain/ Distributed Ledger

2022-11-30 Protecting your high value accounts

  • 1.  2022-11-30 Protecting your high value accounts

    Posted Dec 14, 2022 10:02:00 AM
    Edited by Kurt Seifried Dec 14, 2022 10:03:34 AM

    Internal link: https://miro.com/app/board/uXjVP-XjdPw=/ 

    External link: https://miro.com/app/board/uXjVP-XjdPw=/?share_link_id=946462171123

    Threat model topic: Protecting your high value accounts (e.g. exchange accounts)

    Assumptions: these accounts have digital assets that are valuable (e.g. Bitcoin, Ethereum)

    Where we ended up going: We spent a lot of time talking about and threat modelling what happens to your data and assets after your die, something I haven't given much thought to beyond basic "I want my next of kin to have access", it turns out there is a lot more to think about.

    Key takeaways:

    • Technical vs legal compliance for account recovery/access, does the technology have to implement legal frameworks? What if the technology fails to implement part of the legal framework, or implements something that isn't legal?
    • What if the law changes in a way that is not possible to technically support?
    • Can the data be recovered/read (e.g. old tapes, encrypted backups)
    • Is there software and a run time to read the data (stories of Wordperfect and related software not existing anymore), should there be a requirement to not just offer the data but documentation and a parser? The story of Basecamp "backups" that are essentially web page scrapes, not the back end data, Kurt almost had to write a parser back in the day when the CSA moved off of Basecamp
    • Compliance with laws, free vs paid offerings, e.g. Free Gmail is not compliant in many jurisdictions for use by children/etc, but the paid offering has acceptable controls/etc.
    • Closing accounts and right to be forgotten, do the backups actually get destroyed? What about ML/AI models trained on the data?

    Unanswered questions:

    • Control of data after death, e.g. use of analytics/ML/AI
    • Should recovery of data be mandatory or should we allow people the option of "the data dies with me?"
    • Should/Can next of kin be blocked from data/assets? Legal obligations differ. Dying intestate and so on.


    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    [email protected]
    ------------------------------