Websites keep deleted photos, study shows

News 20 May, 2009

Cambridge researchers have shown that photos aren't always deleted when users ask, causing a major 'data remanence' issue for cloud computing.

Data deleted from the cloud doesn’t always disappear, according to researchers from the University of Cambridge.

According to a study of 16 social networking, blogging and photo sharing sites outlined by researcher Joseph Bonneau on his blog, most of them failed to remove photos after users deleted them – an issue with wider repercussions, especially as businesses look to move to cloud computing.

“It’s often feared that once data is uploaded into ‘the cloud,’ it’s impossible to tell how many backup copies may exist and where, and this provides clear proof that content delivery networks are a major problem for data remanence,” he wrote.

After 30 days, the researchers found seven of the 16 tested sites failed to revoke the photos at all, while others took hours – leaving the so-called 'zombie photo' still live at the same URL.

Among others, Bebo, Facebook and MySpace left the photo live for a full month after the user deleted it, while Google services Blogger and Picasa took a few hours to remove the image. Yahoo’s Flickr, Photobucket and Google’s Orkut removed the images immediately.

Bonneau praised Microsoft’s Windows Live Spaces, which has photo servers that use session cookies and therefore avoid the revocation issue, as the URL used doesn’t stay live. Bonneau offered “a refreshing congratulations to Microsoft for beating the competition in security.”

Bonneau explained that such sites are likely just waiting for photos to automatically fall out of their photo servers’ cache, rather than actively deleting them as it saves on costs and complexity.

“Facebook is actually quite explicit about this, stating that ‘when you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer’,” he noted.

While such systems may be laid out in the Terms of Service, Bonneau suggested it may be illegal under the UK’s data protection act and the EU’s data protection directive.

“Architecture matters, and though it may be more complicated, sensitive personal data must be stored and cached using reference counts to ensure it can be fully deleted, and not simply left to be garbage collected down the road,” he noted.

The researchers have restarted the experiment with live viewing, “just for fun”.

Read on here to find out if cloud computing is secure enough for business.