Retroactive Security

Butler Lampson


Citation: Iíve given versions of this talk at the Computer Security Foundations Symposium in 2012, Fred Schneiderís 60th birthday celebration in 2013, New England Database Day in 2014,

Links: Abstract, Acrobat, PowerPoint.

Email: This paper is at



Itís time to change the way we think about computer security: instead of trying to prevent security breaches, we should focus on dealing with them after they happen. Today computer security depends on access control, and itís been a failure. Real world security, by contrast, is mainly retroactive: the reason burglars donít break into my house is that they are afraid of going to jail, and the financial system is secure mainly because almost any transaction can be undone.

There are many ways to make security retroactive:

ē                        Track down and punish offenders.

ē                        Selectively undo data corruption caused by malware.

ē                        Require applications and online services to respect peopleís ownership of their personal data.

Access control is still needed, but it can be much more coarse-grained, and therefore both more reliable and less intrusive. Authentication and auditing are the most important features. Retroactive security will not be perfect, but perfect security is not to be had, and it will be much better than what we have now.