Policy-Carrying Data: A Privacy Abstraction for Attaching Terms of Services to Mobile Data

Slides used for presentation at HotMobile 2015. Joint work with Alec Wolman and Sharad Agarwal

Tags: Privacy, Attribute-Based Encryption, Cryptography

Duration 0:18:27
Slide Content
  1. Policy-Carrying Data: A Privacy Abstraction for Attaching Terms of Service to Mobile Data
    • Stefan Saroiu, Alec Wolman, Sharad Agarwal
    • Microsoft Research
  2. Mobile Users Face a Privacy “Crisis”
    • Privacy landscape is very one-sided
      • Providers control how data is stored, managed, & used
      • Users are at the mercy of cloud providers:
        • Choice #1: Use the cloud and lose control over data
        • Choice #2: Stop using the cloud
    • More bad news for privacy:
      • Cloud often partners with 3rd parties: ad networks, SSL optimizers, testing and perf. monitoring services
      • It appears that national security trumps privacy in the cloud
    • All ongoing work based on a single approach:
      • Put strong fences around data
  3. Alternative: Attach Terms of Service
    • User sends:
      • “firstName”: “Barack”
      • “lastName”: “Obama”
      • “latitude”: “38.8951N”
      • “longitude”: “77.0367W”
      • “ToS”: “data_retention_limit = one time AND service_name = Bing Maps”
    • ToS are legally binding
      • Data owners can take legal action upon violation detection
    • Key distinction: user assigns ToS (rather than cloud provider)
  4. Policy-Carrying Data (PCD)
    • (Figure labels: “Do Not Store”, “PCD”)
    • Step 1: Cloud Must Interpret Policy Before Access
    • Step 2: Previous Step Must be Externally Verifiable
    • Icons by Freepik/CC BY 3.0
  5. Fences vs. PCD
    • Technical security guarantees: Fences > PCD
    • Contractual security guarantees: Fences < PCD
    • PCD does not enforce detection
    • Icons by Freepik/CC BY 3.0
  6. Outline
    • Introduction
    • Examples of Terms of Service
    • Policy-carrying data (PCD): new abstraction
    • Preliminary performance evaluation
    • Related work
    • Conclusions
  7. Terms of Service: Examples
    • Specify that CC# is for a single transaction only
    • No detailed processing of a photo’s content (e.g., no face recognition (FR))
    • No third-party sharing of my health data
    • Data retention, shareability, anonymity policies
    • Software/hardware/physical-compliance mechanisms
      • Software: BitLocker, seL4, Ironclad
      • Presence of trusted hardware: TPMs
    • Specify which country my data is stored in
  8. Content Owners Already Use ToS
    • ToS: an approach that “works” for other valuable data
      • Websites publish ToS on how users must treat the websites’ data
      • Programmers attach a license to their code before releasing it
      • DVD industry uses short “do not copy” previews
    • Avoid obscurity: color-code policies for users
      • “green” policy: liberal use of the data by the cloud
      • “red” policy: stringent requirements
    • Incentives for detection likely to arise
      • Industry opportunity: help detect and monetize privacy violations
  9. Outline
    • Introduction
    • Examples of Terms of Service
    • Policy-carrying data (PCD): new abstraction
    • Preliminary performance evaluation
    • Related work
    • Conclusions
  10. Two Requirements
    • Website/cloud must interpret the policy before data access
    • There must be an externally verifiable record of the website interpreting the policy
  11. Using Encryption for Req. #1
    • Idea: Use Policy as Encryption/Decryption Key
  12. Two Problems
    • Can cast doubt on whether the cloud really “interprets” the policy
      • What should “to interpret a policy” mean?
    • Doesn’t meet req. #2: externally verifiable record
  13. Attribute-Based Encryption
    • (Figure labels: Privacy Authority (e.g., EFF, The Guardian); List of Attributes (e.g., single-use GPS reading); Decryption Keys; Public Key)
    • This key setup is a rare operation
    • Encryption uses public key and policy
    • Decryption succeeds iff attributes satisfy policy
    • Icons by Freepik/CC BY 3.0
  14. PCD with ABE
    • Step 1. Encrypt (figure labels: “Do Not Store”, “PCD”)
    • Step 2. Decrypt is successful iff attributes satisfy policy
    • Icons by Freepik/CC BY 3.0
  15. PCD Meets Requirements
    • ABE forces the cloud to declare the attributes offered in exchange for decryption keys
    • Due to ABE, PCD meets the two requirements:
      • Website/cloud must interpret the policy before data access
      • There must be an externally verifiable record of the website interpreting the policy
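The flow that slides 11 through 15 sketch, using the location record and ToS from slide 3 as the payload, as an added worked example that is not from the deck or from its authors. It is a toy stand-in for ABE, not a real CP-ABE scheme: each attribute gets an ElGamal-style key pair over a small prime, the data key is wrapped once per clause of a DNF policy with a secret that only a holder of every attribute in that clause can recompute, and an authority logs each service's declared attributes before handing out keys (the externally verifiable record of requirement #2). The names (PrivacyAuthority, parse_policy, encrypt, decrypt, demo), the attribute strings such as "service_name=Bing_Maps", and the second map service are all constructed for the example; the group is far too small for real use and nothing stops two services from pooling their attribute keys, which real ABE prevents.

```python
import hashlib
import hmac
import json
import secrets

# Toy group: a Mersenne prime modulus and a fixed base. Far too small for
# real use; a deployment would use a pairing-based CP-ABE library instead.
P = (1 << 127) - 1
G = 3

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def parse_policy(text: str) -> list:
    """'a AND b OR c' -> [['a', 'b'], ['c']] (DNF; AND binds tighter than OR)."""
    return [[t.strip() for t in clause.split(" AND ")] for clause in text.split(" OR ")]

class PrivacyAuthority:
    """Issues per-attribute decryption keys and keeps the record of which
    service declared which attributes (the externally verifiable record)."""

    def __init__(self, attributes: list):
        self._secrets = {a: secrets.randbelow(P - 2) + 1 for a in attributes}
        # public parameters: one public value per attribute (the "public key")
        self.public_params = {a: pow(G, s, P) for a, s in self._secrets.items()}
        self.key_requests = []

    def issue_keys(self, service: str, declared: list) -> dict:
        unknown = [a for a in declared if a not in self._secrets]
        if unknown:
            raise ValueError(f"unknown attributes: {unknown}")
        self.key_requests.append({"service": service, "attributes": sorted(declared)})
        return {a: self._secrets[a] for a in declared}

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (toy stand-in for AES-GCM)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(public_params: dict, policy: str, payload: dict) -> dict:
    """Encrypt payload under a policy: the data key is wrapped once per clause,
    with a secret only a holder of every attribute in that clause can recompute."""
    data_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    body = _stream_xor(_h(data_key, b"enc"), nonce, json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(_h(data_key, b"mac"), nonce + body, "sha256").digest()
    wraps = []
    for clause in parse_policy(policy):
        r = secrets.randbelow(P - 2) + 1
        shared = 1
        for attr in clause:                      # product of pk_a^r = G^(r * sum of sk_a)
            shared = shared * pow(public_params[attr], r, P) % P
        mask = _h(shared.to_bytes(16, "big"))
        wraps.append({"clause": clause, "ephemeral": pow(G, r, P),
                      "wrapped_key": bytes(a ^ b for a, b in zip(data_key, mask)).hex()})
    return {"policy": policy, "wraps": wraps, "nonce": nonce.hex(),
            "body": body.hex(), "tag": tag.hex()}

def decrypt(attribute_keys: dict, pcd: dict):
    """Return the payload if the held attribute keys satisfy the policy, else None."""
    nonce, body, tag = (bytes.fromhex(pcd[k]) for k in ("nonce", "body", "tag"))
    for wrap in pcd["wraps"]:
        if not all(a in attribute_keys for a in wrap["clause"]):
            continue                             # this clause is not satisfied
        exponent = sum(attribute_keys[a] for a in wrap["clause"]) % (P - 1)
        shared = pow(wrap["ephemeral"], exponent, P)   # (G^r)^(sum of sk_a)
        mask = _h(shared.to_bytes(16, "big"))
        data_key = bytes(a ^ b for a, b in zip(bytes.fromhex(wrap["wrapped_key"]), mask))
        expected = hmac.new(_h(data_key, b"mac"), nonce + body, "sha256").digest()
        if hmac.compare_digest(expected, tag):   # wrong key -> tag mismatch, no garbage output
            return json.loads(_stream_xor(_h(data_key, b"enc"), nonce, body))
    return None

def demo() -> tuple:
    """Slide 3's record with its ToS, sent to a service that declared the right
    attributes and to one that did not (attribute strings are constructed)."""
    authority = PrivacyAuthority(["data_retention_limit=one_time",
                                  "service_name=Bing_Maps", "service_name=Other_Maps"])
    bing = authority.issue_keys("Bing Maps", ["data_retention_limit=one_time", "service_name=Bing_Maps"])
    other = authority.issue_keys("Other Maps", ["service_name=Other_Maps"])
    record = {"firstName": "Barack", "lastName": "Obama",
              "latitude": "38.8951N", "longitude": "77.0367W"}
    pcd = encrypt(authority.public_params,
                  "data_retention_limit=one_time AND service_name=Bing_Maps", record)
    return decrypt(bing, pcd), decrypt(other, pcd), authority.key_requests

if __name__ == "__main__":
    print(demo())
```

Running demo() returns the decrypted record for the service that declared both attributes, None for the one that did not, and the authority's log of both key requests; the log is the artifact an outside party can later compare against what the service actually did with the data. Because the wrapped key is checked through the MAC before anything is returned, a service holding the wrong attributes gets a clean refusal rather than garbage plaintext.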
  16. Outline
    • Introduction
    • Examples of Terms of Service
    • Policy-carrying data (PCD): new abstraction
    • Preliminary performance evaluation
    • Related work
    • Conclusions
  17. ABE Perf. Is Adequate
    • Decryption perf. > encryption perf.
  18. Outline
    • Introduction
    • Examples of Terms of Service
    • Policy-carrying data (PCD): new abstraction
    • Preliminary performance evaluation
    • Related work
    • Conclusions
  19. Related Work
    • Excalibur [Sec’12] uses:
      • ABE to encrypt users’ data and bind it to policy
      • Heavyweight policy enforcement mechanisms: secure hypervisors, TPMs, verified protocols
  20. Conclusions
    • Mobile users face a “privacy crisis”
      • Current approach: put fences around the data
      • Alternative approach: attach ToS to data
    • PCD: abstraction for attaching ToS to mobile data
    • Advantages:
      • Websites must interpret policy before access
      • Externally verifiable record of websites’ policies
      • Can support easy-to-understand policies
      • Adequate performance
    • Disadvantages:
      • Does not stop the cloud from mistreating data
      • Requires detection of the cloud’s misbehavior
  21. Questions?
    • ssaroiu@microsoft.com