On Fri, 9 Jul 2004, Thomas Shaddack wrote:

> On Fri, 9 Jul 2004, Steve Schear wrote:
>
> > Quite a few book stores (including the local Half-Priced Books) now keep no
> > records not required and some do not even automate and encourage their patrons
> > to pay cash. In California book sellers to such used/remaindered stores must
> > identify themselves for tax purposes.
>
> The Patriot gag orders lead me to a thought.
>
> Is it possible to write a database access protocol that would in some
> mathematically bulletproof way ensure that the fact a database record is
> accessed is made known to at least n people? A way that would ensure that
> either nobody can see the data, or at least n people reliably know the
> record was accessed and by whom?
>
> When somebody comes with a paper and asks for the data, the one currently
> in charge of the database has to give them out, and may be gag-ordered.
> However, when way too many people know about a secret, which the protocol
> should ensure, there's a better chance it leaks out, and it is less likely to
> identify the one person responsible for the leak, who could be jailed
> then. Especially when at least one of the n is outside of the reach of the
> paws of the given jurisdiction.
>
> The question is this: How to allow access to a specific file/db record in
> a way that it can't be achieved without a specified list of parties (or,
> for added system reliability, at least m of n parties) reliably knowing
> about who and when accessed what record? With any attempt to prevent the
> parties from knowing about the access leading to access failure?
>
> Note a peculiarity here; we don't ask for consent of the parties (that
> would be a different threat-response model), we only make sure they know
> about it. (We can deny the access when at least (n-m)+1 parties refuse to
> participate, though.)
That would crash the system.