Internal link: https://miro.com/app/board/uXjVP-XjdPw=/
External link: https://miro.com/app/board/uXjVP-XjdPw=/?share_link_id=946462171123
Threat model topic: Protecting your high value accounts (e.g. exchange accounts)
Assumptions: these accounts have digital assets that are valuable (e.g. Bitcoin, Ethereum)
Where we ended up going: We spent a lot of time talking about and threat modelling what happens to your data and assets after you die, something I haven't given much thought to beyond a basic "I want my next of kin to have access"; it turns out there is a lot more to think about.
Key takeaways:
- Technical vs legal compliance for account recovery/access, does the technology have to implement legal frameworks? What if the technology fails to implement part of the legal framework, or implements something that isn't legal?
- What if the law changes in a way that is not possible to technically support?
- Can the data be recovered/read (e.g. old tapes, encrypted backups)
- Is there software and a runtime to read the data (stories of WordPerfect and related software not existing anymore)? Should there be a requirement to offer not just the data but documentation and a parser? The story of Basecamp "backups" that are essentially web page scrapes, not the back-end data: Kurt almost had to write a parser back in the day when the CSA moved off of Basecamp.
- Compliance with laws, free vs paid offerings, e.g. Free Gmail is not compliant in many jurisdictions for use by children/etc, but the paid offering has acceptable controls/etc.
- Closing accounts and right to be forgotten, do the backups actually get destroyed? What about ML/AI models trained on the data?
Unanswered questions:
- Control of data after death, e.g. use of analytics/ML/AI
- Should recovery of data be mandatory or should we allow people the option of "the data dies with me?"
- Should/Can next of kin be blocked from data/assets? Legal obligations differ. Dying intestate and so on.
------------------------------
Kurt Seifried
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance
[email protected]
------------------------------