6.6 Deleting Backups
While data backup provides a convenient way to recover from crashes and other losses of data, it comes at the cost of long-term persistence of the data. Imagine that you have a file that contains all of your old e-mail. At some point, you realize that having such a file implicates you in several "situations" that you would rather forget. Deleting your mail file is not enough. You have to delete all of the backup copies. If you did a very good job backing up your files, then there are many, many copies of the file at all different stages on all sorts of backup servers. Hopefully all of them are encrypted, but if you used a weak cipher such as 56-bit DES, which was believed to be secure several years ago, then that won't be very useful. Even if they are encrypted, you may discover that your backup software kept a copy of the key, which was the same key that you used to encrypt all of your backups on the local disk, and that you were hit by a virus that targets that backup system and copies the keys to remote locations. Yikes!
Boneh and Lipton  describe a revocable backup system. In their system, all data is encrypted by short-lived keys that expire at intervals defined by the user. A master key is used to encrypt all of the keys in the system. To make a backup of a file useless, all a user has to do is erase the key that was used for that file, and all of the previous versions of the backed-up file are rendered useless. In practice, the master key could be derived from the user-defined passphrase that is used in existing commercial systems, and the details of the revocable backup scheme could be hidden from the users.