BACKGROUND It is often desirable to store electronic information for only a limited time. For example, companies often create highly sensitive electronic documents, such as electronic mail messages, that the companies would not want a competitor or other outside party to access. In addition, once such a document is generated, it may only be useful for a very limited time. For example, if the document relates to an economic analysis of a merger opportunity, the document may not be useful to the company after the merger is complete. The company would typically like to ensure that all copies, including electronic copies, of such a document are destroyed.

A difficulty with the destroying of all electronic copies is that it can be very difficult to locate all such electronic copies. For example, the user who receives the document via electronic mail may store the document locally on their computer system in a way that is not visible to other computer systems. Moreover, additional copies may be created when the various computer systems are backed up. Also, the user may additionally copy the document to their home computer. Because of this proliferation of electronic copies, a company cannot typically ensure that all electronic copies have been destroyed.

A company could use encryption techniques to help ensure the confidentiality of such documents. The company could distribute encrypted copies of a document so that only those employees with the

proper decryption key can then access the document. Thus, a person who gets access to a backup copy would not be able to view the document unless they were also able to obtain that decryption key. There are many different types of encryption techniques that can be used to help ensure the confidentiality of the such documents. Conventional encryption techniques can be categorized as symmetric or asymmetric.

The symmetric encryption techniques, such as the Data Encryption Standard ("DES") and the Information Data Encryption Algorithm ("IDEA"), use the same key or password to encrypt and decrypt information.

Asymmetric techniques used two separate keys, a public key and a private key. Information encrypted with a public key can be decrypted with the corresponding private key, and vice versa.

Although the encryption of documents helps ensure their confidentiality, such confidentiality can be compromised by a"blackmail" attack, also known as a"subpoena"attack. A person who has an encrypted copy of the document can gain access to the decryption key by either blackmailing or subpoenaing a person who has access to the decryption key. The confidentiality of such documents can also be compromised by a person who willingly provides a copy of that document and its decryption key to an outsider.

It would be the desirable to have a technique that would minimize the chances of such confidential documents being accessible as a result of a proliferation of electronic copies or as a result of blackmail or a subpoena.

BRIEF DESCRIPTION OF THE DRAWINGS Figure 1 is a block diagram illustrating an example use of the escrow system.

Figure 2 is a block diagram illustrating the components of the escrow system in one embodiment.

Figure 3 is a flow diagram illustrating the store message component of a client computer in one embodiment.

Figure 4 is a flow diagram illustrating the read message component of a client computer in one embodiment.

Figure 5 is a flow diagram of the store message key component of a server computer in one embodiment.

Figure 6 is a flow diagram of the retrieve message key component of a server computer in one embodiment.

Figure 7 is a flow diagram of the delete message key component of a server computer in one embodiment.

DETAILED DESCRIPTION A method and system for controlling the accessibility of information is provided. In one embodiment, an escrow system automatically makes information inaccessible regardless of how many electronic copies of the information have been made and regardless of the location of such copies. The escrow system provides an escrow agent that is responsible for storing decryption keys and providing those decryption keys when the information is to be decrypted. In addition, the escrow agent automatically destroys decryption keys based on certain expiration conditions, such as passage of time. To use to the escrow system, a user encrypts the information and provides a copy of the decryption key to the escrow agent. The user then destroys the unencrypted copy of the information and destroys its copy of the decryption key. When the user wants to access the information, the user requests the decryption key from the escrow agent. Upon receiving the decryption key, the user decrypts the information and destroys their copy of the decryption key.

After accessing the decrypted information, the user destroys the decrypted copy of the information. When the expiration condition is satisfied, the escrow agent destroys the decryption key. Once the escrow

agent destroys its copy of the decryption key, the information is no longer accessible because no more copies of the decryption key exist even though many copies of the encrypted information may exist. The use of the escrow system minimizes the chances of a successful subpoena attack. In particular, once the decryption key is destroyed by the escrow agent, the information cannot be decrypted and is thus no longer accessible to anyone.

In one embodiment, the escrow system is implemented in a computer environment in which a server computer serves as a the escrow agent and various client computers use the services of the escrow agent.

A client computer uses the escrow system by encrypting information (e. g., an electronic mail message or an electronic document). The client computer then destroys (or expunges) all copies of the unencrypted information. The client computer also sends the decryption key to the server computer. Before the decryption key is sent to the server computer, the decryption key may itself be encrypted in such a way that only the client computer can decrypt the decryption key. In this way, the server computer cannot intentionally or inadvertently compromise the decryption key. (The client computer could also store the decryption key that is used to decrypt the decryption key of the information with a different server computer. In this way, the client computer can help ensure that the message becomes inaccessible even if one of the server computers fails to destroy its stored decryption key when the expiration condition is satisfied.) After sending the decryption key to the server computer, the client computer destroys its copy of the decryption key.

The client computer may also provide the server computer with an expiration condition (e. g., time) when the server computer is to destroy its copy of the decryption key. To subsequently access the information, the client computer requests the decryption key from the server computer.

Upon receiving the decryption key, the client computer decrypts the

decryption key, if encrypted. The client computer then decrypts the information using the decryption key. The client computer destroys its copy of the decryption key and, when finished accessing the decrypted information, destroys the decrypted copy of the information. If the expiration condition has been satisfied, then the server computer returns an indication that the decryption key is no longer available which makes the information inaccessible.

The server computer receives decryption keys, stores the decryption keys, returns the decryption keys when requested, and expunges the decryption keys when they have expired. The server computer maintains a key database that contains an entry for each user who has sent keys to the server computer for storage. In one embodiment, each entry contains the keys of a user along with the expiration condition associated with each key. Each key may have an identifier associated with it so that the client computer can identify which information is to be decrypted with the key. Periodically, the server computer accesses the key database and deletes the keys that have expired. One skilled in the art will appreciate that many different algorithms may be used for determining when a key has expired. For example, a client computer may provide with each key a software module that is invoked by the server computer to determine whether that key has expired. The software module could base its decision on whether the key has expired based on certain external events such as the date of the initial public offering, the price of a certain stock, and so on. The server computer can be specially programmed to ensure that any backup copies of the key are also periodically deleted. When the server computer receives a request for the key for a user, it retrieves the keys associated with that user from the key database and then sends the keys the client computer.

Figure 1 is a block diagram illustrating an example use of the escrow system. In this example, the escrow system is a used to distribute information between sender computers and a recipient computer in a such a way that the distributed information is no longer accessible after a certain expiration time. The recipient computer 101 initially generates a public and private key pair. In step 1, the recipient computer publishes the public key to the sender computers 102,103, and 104. In step 2, the recipient computer sends the private key to the server computer 105 that serves as the escrow agent. The recipient computer destroys its copy of the private key. In step 3, the sender computer 102 sends an encrypted message the recipient computer. Since the recipient computer does not have the private key, it sends a request for the private key to the server computer and receives the private key in step 4. The recipient computer then decrypts the message using the private key and then destroys its copy of the private key. When access to the decrypted message is complete, the recipient computer destroys the decrypted message, but may retain a copy of the encrypted message. In step 5, the sender computer 103 sends an encrypted message to the recipient computer.

Upon receiving the encrypted message, the recipient computer processes that encrypted message in a manner similar to the processing of encrypted message received from sender computer 102. The server computer then detects that the private key expires and destroys the private key. In step 7, the sender computer 104 sends an encrypted message to the recipient computer. Upon receipt of the encrypted message, the recipient computer requests the server computer to provide its private key. In this case, however, the server computer has already destroyed the private key because the expiration time has passed. Thus, in step 8, the server computer sends a response to the recipient computer that the private key is not available. In such a case, the recipient computer cannot decrypt the encrypted message or any other message

that was previously encrypted using the public key or that will be encrypted with the public key.

Figure 2 is a block diagram illustrating the components of the escrow system in one embodiment. The client computers 210 and the server computer 220 are interconnected via the Internet 230. The computers may include a central processing unit, memory, input devices (e. g., keyboard and pointing devices), output devices (e. g., display devices), and storage devices (e. g., disk drives). The memory and storage devices are computer-readable media that may contain instructions that implement the escrow system. In addition, the data structures and message structures including requests and responses that may be stored or transmitted via a data transmission medium such as a signal on a communications link. Various communication channels other than the Internet may be used, such as local area networks, wide area networks, or point-to-point dial-up connections. The client computers include a store message component 211, a read message component 212, and an encrypted message database 213. The store message component controls the encrypting of the message, sending of the decryption key to the server computer, destroying of the unencrypted copy of the message and the decryption key, and storing the encrypted message in the encrypted message database. The read message component controls the retrieving of the decryption key from the server computer for an encrypted message, retrieving of the encrypted message from the encrypted message database, decrypting the message, destroying the decryption key, and after access of the encrypted message is complete, destroying the unencrypted message. The encrypted message database stores in the encrypted messages. The server computer 220 includes a store message key component 221, a retrieve message key component 222, a delete message keys component 223, and a message key database 224. The store message key component

receives requests to store message keys from client computers and stores the received message keys in the message key database. The retrieve message key component receives requests to retrieve message keys from the client computers, retrieves the message keys from the message key database, and returns the retrieved message keys to the requesting client computers. The delete message keys component periodically scans the message key database and removes any message keys whose expiration condition has been satisfied. The message key database contains the message keys for the users. The entries of the message key database may contain a user identifier, a decryption key, an expiration condition, and a user-specified identifier. The server computer may return all the decryption keys for a user identifier at a time or may return on the decryption key with a user-specified identifier that is indicated in the request for the decryption key.

Figure 3 is a flow diagram illustrating the store message component of a client computer in one embodiment. In block 301, the component generates a message. The message may be generated using an electronic mail system program, word processing program, or any other program. In addition, the message may have been previously generated or received from another computer system. In block 302, the component generates a message encryption key, which may be a symmetric key or a public key. In block 303, the component encrypts the message using the message encryption key. In block 304, the component stores the encrypted message in the encrypted message database. In block 305, the component encrypts the message encryption key. In one embodiment, the message decryption key (e. g., the symmetric key or the private key) may be encrypted with another symmetric key or another public key. In block 306, the component sets the message decryption key expiration condition. In block 304, the component sends the message decryption key and the expiration condition to the server computer. The

component may also verify that the server computer successfully received the decryption key before proceeding to block 308. In block 308, the component deletes the message decryption key and deletes the unencrypted copy of the message. The component then completes.

Figure 4 is a flow diagram illustrating the read message component of a client computer in one embodiment. In block 401, the component retrieves an encrypted message from the encrypted message database.

In block 402, the component retrieves the message decryption key for the encrypted message from the server computer. In decision block 403, if the message decryption key was successfully retrieved from the server computer, the component continues at block 404, else the component completes. The message decryption key may not be successfully retrieved if the server computer has already deleted that message decryption key because the expiration condition has been satisfied. In block 404, the component decrypts the message decryption key using the symmetric key that was used to encrypt the message decryption key or using the private key corresponding to the public key that was used to encrypt the message decryption key. In block 405, the component decrypts the message using the message decryption key. In block 406, the component accesses the encrypted message. In block 406, the component deletes the encrypted message and the message decryption key. The component then completes.

Figure 5 is a flow diagram of the store message key component of a server computer in one embodiment. In block 501, the component receives a message key, an expiration condition, and a user identifier from a client computer. In block 502, the component stores the message decryption key and expiration condition in the key database in the entry for that user identifier. The component then completes.

Figure 6 is a flow diagram of the retrieve message key component of a server computer in one embodiment. In block 601, the component

receives a request for the message decryption key from a client computer.

The request includes a user identifier. In block 602, the component retrieves the message decryption key for the user identifier from the key database. In decision block 603, if a message decryption key was retrieved, then the component continues at block 604, else the message decryption key has already expired the component continues at block 606. In decision block 604, if the retrieved message decryption key has its expiration condition satisfied, then the component continues at block 605, else the component continues at block 607. This check ensures that a message decryption key that expires in between the periodic deletion of message decryption keys by the server computer is not inadvertently returned to the client computer. In block 605, when the retrieved message decryption key has expired, the component deletes the message decryption key from the key database. In block 606, the component sends a not found response to the client computer and completes. In block 607, the component sends the retrieved a message decryption key to the client computer and then completes.

Figure 7 is a flow diagram of the delete message key component of a server computer in one embodiment. This component loops selecting each message decryption key and determining whether its expiration condition has been satisfied. If satisfied, the component deletes the message decryption key from the key database. In block 701, the component selects the next message decryption key from the key database. In decision block 702, if all the message decryption keys have already been selected, then the component completes, else the component continues at block 703. In decision block 703, if the retrieved message decryption key has expired, then the component continues at block 704, else the component loops to block 701 to select the next message decryption key. In block 704, the component deletes the

selected message decryption key from the key database and loops to block 701 to select the next message decryption key.

From the foregoing, it will be appreciated that although embodiments of the escrow system have been described for purposes of illustration, various modifications may be made without deviating from the spirit and scope of the invention. The escrow agent can store anything that is needed to access another thing, and not be limited to encryption keys. Accordingly, the invention is not limited except by the appended claims.