Many damaging cybersecurity attacks are enabled when an attacker can access residual sensitive information (e.g. cryptographic keys, personal identifiers) left behind from earlier computation. Attackers can sometimes use residual information to take control of a system, impersonate a user, or manipulate data. Current approaches to addressing access to residual sensitive information aim to patch individual software or hardware vulnerabilities. While such patching approaches are necessary to mitigate sometimes serious security vulnerabilities in the near term, they cannot address the underlying issue: explicit requirements for adequately eliminating residual information and explicit representations of the erasure capabilities of systems are necessary to ensure that sensitive information is handled as expected. This position paper introduces the concept of intentional forgetting and the capabilities that are needed to achieve it. Intentional forgetting enables software and hardware system designers at every level of abstraction to clearly specify and rigorously reason about the forgetting capabilities required of and provided by a system. We identify related work that may help to illuminate challenges or contribute to solutions and consider conceptual and engineering tradeoffs in implementations of forgetting capabilities. We discuss approaches to modeling intentional forgetting and then modeling the strength of a system's forgetting capability by its resistance to disclosing information to different types of detectors. Research is needed in a variety of domains to advance the theory, specification techniques, system foundations, implementation tools, and methodologies for effective, practical forgetting. We highlight research challenges in several domains and encourage cross-disciplinary collaboration to one day create a robust theory and practice of intentional forgetting.