How Ente deletes data

May 19, 2024

In light of recent events, where Apple resurfaced photos that users had deleted [1, 2, 3], we wanted to share how Ente ensures that deleted data is actually deleted.

Before we dive into the technical details, there are two angles from which we approach data deletion. The first is that of respecting your wish to not relive certain memories. The second is that of ensuring you have the freedom to delete bits of information you've given us.

So how do we do this reliably?

Data deletion

There are three ways to delete your data on Ente, each cascading into the next.

  1. Deleting a file
  2. Deleting an album
  3. Deleting your account

Deleting a file

When you delete a file, Ente's server immediately moves that file to your Trash.

You can recover your data from Trash for 30 days, after which the files are queued for deletion.

We maintain two queues, one for each kind of data we hold:

  1. Encrypted blobs that represent the actual files, stored with S3-compatible providers
  2. Encrypted metadata that helps you (and only you) decrypt these blobs, stored in a Postgres database

The first queue pops items that were added over 45 days ago and deletes them from every bucket the data has been replicated to.

The second queue deletes any metadata related to these files from our databases.

All of our storage layers offer strong consistency guarantees. This means that once we request deletion, any subsequent request to read the same data will fail. When the bytes are actually overwritten on disk depends on each provider's garbage collection, but they are eventually overwritten to make space for new data.

What is important to note here is that when we process a file for deletion, we also remove all metadata related to that file, including the object keys (paths) used to access its blobs and the metadata our clients need to decrypt them. So once a deletion request is processed, the file becomes inaccessible to Ente, and to you.

In short, the system is designed to make deleted data irrecoverable.
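As an added illustration of the cascade just described, here is a small model of it in Go (Ente's server is written in Go, but this is example code written for this page, not the project's own). Every name in it (`Server`, `Tick`, `queueItem`, the bucket names, the object key `o/abc`) is constructed for the example. One modelling choice is ours, not the post's: the post does not say how the two queues are ordered, so the model hands a file to the metadata queue only after the blob queue has deleted its ciphertext from every bucket, because the metadata row holds the object key needed to find the blob; dropping the row first would leave unaddressable ciphertext behind.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Retention windows as stated in the post.
const (
	TrashRetention = 30 * 24 * time.Hour // recoverable from Trash for 30 days
	BlobQueueAge   = 45 * 24 * time.Hour // queue 1 only pops items older than 45 days
)

type FileID string

type queueItem struct {
	File     FileID
	QueuedAt time.Time
}

// Server models the state the post describes. Buckets are strongly consistent:
// a deleted object key is simply absent on the next read.
type Server struct {
	Buckets   map[string]map[string][]byte // bucket -> object key -> ciphertext
	ObjectKey map[FileID]string            // metadata row: file -> object key (key material omitted here)
	Trash     map[FileID]time.Time         // file -> when it was trashed
	BlobQueue []queueItem                  // queue 1: blobs in object storage
	MetaQueue []queueItem                  // queue 2: metadata rows in the database
}

func NewServer(buckets ...string) *Server {
	s := &Server{Buckets: map[string]map[string][]byte{}, ObjectKey: map[FileID]string{}, Trash: map[FileID]time.Time{}}
	for _, b := range buckets {
		s.Buckets[b] = map[string][]byte{}
	}
	return s
}

// Upload replicates the ciphertext into every bucket and records the metadata row.
func (s *Server) Upload(id FileID, objectKey string, ct []byte) {
	for _, b := range s.Buckets {
		b[objectKey] = ct
	}
	s.ObjectKey[id] = objectKey
}

// DeleteFile only moves the file to Trash; nothing is removed yet.
func (s *Server) DeleteFile(id FileID, now time.Time) { s.Trash[id] = now }

// Restore takes a file out of Trash while it is still inside the 30-day window.
func (s *Server) Restore(id FileID, now time.Time) error {
	trashedAt, ok := s.Trash[id]
	if !ok || now.Sub(trashedAt) > TrashRetention {
		return errors.New("file is not recoverable")
	}
	delete(s.Trash, id)
	return nil
}

// Tick is the periodic job. The ordering is the invariant worth checking: a file
// enters queue 2 only after queue 1 has deleted its blob from every bucket, since
// the metadata row holds the object key that addresses the blob.
func (s *Server) Tick(now time.Time) {
	for id, trashedAt := range s.Trash { // expired Trash entries enter queue 1
		if now.Sub(trashedAt) > TrashRetention {
			delete(s.Trash, id)
			s.BlobQueue = append(s.BlobQueue, queueItem{id, now})
		}
	}
	var pending []queueItem
	for _, it := range s.BlobQueue { // queue 1: only items older than 45 days
		if now.Sub(it.QueuedAt) <= BlobQueueAge {
			pending = append(pending, it)
			continue
		}
		for _, b := range s.Buckets { // every replica, not just the primary
			delete(b, s.ObjectKey[it.File])
		}
		s.MetaQueue = append(s.MetaQueue, it)
	}
	s.BlobQueue = pending
	for _, it := range s.MetaQueue { // queue 2: the row goes last
		delete(s.ObjectKey, it.File)
	}
	s.MetaQueue = nil
}

func main() {
	day := func(n int) time.Time { return time.Date(2024, 5, 19, 0, 0, 0, 0, time.UTC).AddDate(0, 0, n) }
	srv := NewServer("primary", "replica-1", "replica-2")
	srv.Upload("file-1", "o/abc", []byte("ciphertext"))
	srv.DeleteFile("file-1", day(0))
	srv.Tick(day(41)) // 31 days in Trash: queued, blob still present everywhere
	srv.Tick(day(87)) // 46 days in queue 1: blob gone from every bucket, then the row
	fmt.Println("objects left in replica-2:", len(srv.Buckets["replica-2"]), "| rows left:", len(srv.ObjectKey))
}
```

The check a reviewer of such a pipeline wants is the one `main` makes after the second `Tick`: the key is absent from every bucket, not just the primary, and the metadata row disappears only afterwards. A `Restore` inside the 30-day window succeeds; one after it fails, and the next `Tick` moves the entry into queue 1.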

Deleting an album

When you delete an album, Ente's server will process that request and move all the files that are unique to that album into your Trash.

You can recover this data from your Trash within the next 30 days, after which the exact same workflow for deleting files runs to purge each of these files from our systems.

Deleting your account

When you request to delete your account, Ente's server will process the request to

  1. Cancel and delete your subscription
  2. Revoke all your authentication tokens
  3. Unsubscribe you from our mailing lists
  4. Remove your email address from our database
  5. Queue your account's data for cleanup

The cleanup is performed 7 days later, to leave room for data recovery. After 7 days, your account's data is processed for cleanup in multiple stages, where Ente will

  1. Delete your albums
  2. Verify that data has been purged
  3. Complete the cleanup by removing every entry related to your account from our database
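The album and account procedures above share one idea: nothing is dropped from the database until the data it addresses is gone. As an added example, not Ente's own code, here is a Go model of both: `FilesUniqueTo` computes which files an album deletion actually trashes (files shared with another album stay put), and `Cleanup` walks the three staged account steps, refusing to remove the account row while any file data remains. All names (`Store`, `Account`, `PurgeTrash`, the file ids and object keys) are constructed for this example; `PurgeTrash` stands in for the file-deletion queues described earlier, and the assumption that no file is listed twice within a single album is ours.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const AccountGrace = 7 * 24 * time.Hour // cleanup starts 7 days after the request, per the post

var ErrGracePeriod = errors.New("cleanup not due: account is still recoverable via support")
var ErrNotPurged = errors.New("file data still present: cleanup stays pending")

type FileID string

// Albums maps album name -> files; a file may sit in several albums (no duplicates within one).
type Albums map[string][]FileID

// FilesUniqueTo returns the files that appear in no other album: deleting an
// album trashes only these, files shared with other albums stay where they are.
func (a Albums) FilesUniqueTo(album string) []FileID {
	count := map[FileID]int{} // how many albums each file belongs to
	for _, files := range a {
		for _, f := range files {
			count[f]++
		}
	}
	var unique []FileID
	for _, f := range a[album] {
		if count[f] == 1 {
			unique = append(unique, f)
		}
	}
	return unique
}

// Account is what the database knows about a user.
type Account struct {
	Email      string
	Tokens     []string
	Subscribed bool
	Files      []FileID // every file the account owns
	Albums     Albums
	DeleteAt   *time.Time // set when the user asks for deletion
}

// Store is the server-side state the cleanup has to empty.
type Store struct {
	Accounts  map[string]*Account
	ObjectKey map[FileID]string // metadata rows: file -> object key
	Blobs     map[string]bool   // object keys present in storage
	Trash     map[FileID]bool
}

// RequestDeletion runs the immediate steps: cancel the subscription, revoke
// tokens, unsubscribe, remove the e-mail address, and schedule the cleanup.
func (s *Store) RequestDeletion(id string, now time.Time) {
	a := s.Accounts[id]
	a.Subscribed, a.Tokens, a.Email = false, nil, ""
	a.DeleteAt = &now
}

// LeftoverData lists every artefact still present for the account's files.
func (s *Store) LeftoverData(a *Account) []string {
	var left []string
	for _, f := range a.Files {
		if key, ok := s.ObjectKey[f]; ok {
			left = append(left, "row:"+string(f))
			if s.Blobs[key] {
				left = append(left, "blob:"+key)
			}
		}
	}
	return left
}

// Cleanup is re-run periodically and walks the three stages; the account row
// goes only once nothing of its data is left anywhere.
func (s *Store) Cleanup(id string, now time.Time) error {
	a := s.Accounts[id]
	if a.DeleteAt == nil || now.Sub(*a.DeleteAt) < AccountGrace {
		return ErrGracePeriod
	}
	for name := range a.Albums { // stage 1: delete albums; each file is trashed with its last album
		for _, f := range a.Albums.FilesUniqueTo(name) {
			s.Trash[f] = true
		}
		delete(a.Albums, name)
	}
	if left := s.LeftoverData(a); len(left) > 0 { // stage 2: verify the purge
		return fmt.Errorf("%w: %v", ErrNotPurged, left)
	}
	delete(s.Accounts, id) // stage 3: the last database entry for the account
	return nil
}

// PurgeTrash stands in for the file-deletion queues: blob first, then the row.
func (s *Store) PurgeTrash() {
	for f := range s.Trash {
		delete(s.Blobs, s.ObjectKey[f])
		delete(s.ObjectKey, f)
		delete(s.Trash, f)
	}
}
```

Calling `Cleanup` before the 7-day grace period returns `ErrGracePeriod` and touches nothing, which is what keeps the account recoverable via support. After the grace period the first call trashes the files and returns `ErrNotPurged` with the list of what is still present; only after the purge has run does a further call remove the account row.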

Data recovery

Say you deleted your account by accident and need help recovering your data. Can we help?

Yes we can.

This is why there is a 7-day delay before the cleanup is processed. If you reach out to support within this period, we will help you out.

That is all.

We've adopted an approach to data deletion that is rooted in simplicity, and it's this simplicity that makes it work. It is likely that deleted data resurfacing on Apple / Google is because of bugs introduced by complexity rather than malicious intent.

Also, thanks to Ente's server being open source, it is easy to share references to our codebase where our promises are being kept. If you find room for improvement in our implementation, please do let us know.

Because at the end of the day, our ability to forget is a feature, and not a bug. It makes us human, and at Ente we'd like to write software that makes us more human.