End-to-End Designs for Data Privacy

As increasing quantities of sensitive data are collected to gain valuable insights, the need to natively integrate privacy controls in data frameworks is growing in importance. Today, existing data protection systems are focused on ensuring that access to data is limited to authorized services, using security controls such as access control and encryption. However, once such a service is authorized to access the data, they have an unrestricted view of the data, which accounts for much of the data misuse today. We ultimately need to ensure that users' privacy preferences are respected even by authorized services. Privacy solutions that control the extent of what can be inferred (i.e., data minimization and purpose limitation) from data and protect individuals' privacy (i.e., differential privacy) are crucial if we are to continue to extract utility from data safely.In this project, we work towards a system design that simultaneously ensures the confidentiality of data from unauthorized parties and provides strong privacy guarantees for data accessed by authorized parties.

• Zeph (Published in USENIX OSDI’21): Zeph is a system that provides the means to extract value from encrypted streaming data safely while ensuring data confidentiality and privacy by serving only privacy-compliant views of data. It augments existing encrypted data processing systems with a privacy plane that enables users to authorize services to access privacy-compliant data securely. Zeph cryptographically enforces privacy compliance and executes privacy transformations on the fly over encrypted data, ensuring that the transformed views conform to users' privacy policies. To enable privacy-compliant data transformations on encrypted data, we present a new approach for encryption that decouples data encryption from privacy transformations. Data producers remain oblivious to the transformations and do not need to encrypt data for a fixed privacy policy. The separation between data and privacy plane requires fundamentally different designs, as traditional encrypted solutions are too heavily interwoven cryptographically to allow this split. Therefore, we introduced the concept of cryptographic privacy tokens to realize flexible privacy transformations. These tokens are, in essence, the necessary cryptographic keying material that enables the transformation of encrypted data. Our system creates these tokens via a hybrid construction of secure multi-party computation and partially homomorphic encryption schemes. We designed our system so that privacy tokens, which can be combined with encrypted data to release transformed data as per privacy policies, can be generated independently of the data producers. We leverage homomorphic secret sharing to achieve this logical separation while still allowing us to homomorphically compute on keying material to construct privacy tokens. Outputs of privacy transformations over encrypted data at the server side are then released by combining the output results with the corresponding privacy tokens.

• Privacy Management: The need for a privacy management layer in today's systems started to manifest in what we now see as the advent of new privacy-preserving and privacy-compliance systems. As a result, we started to see many independent efforts emerge that try to provide system support for privacy. These include systems that help track data and data accesses or maintain a global state of privacy resources across applications. As the adoption of and requirements for data privacy solutions increase, there is a need for a system architecture that simplifies and accelerates privacy management in large-scale systems. Building such a system entails working on new abstractions and mechanisms for efficient execution of privacy functions, state sharing, optimal allocation of scarce and non-replenishable resources (i.e., privacy budget), matching and composing privacy-compliant views, and more.

• Cryptographic Enforcement of Privacy Controls: Turning to cryptography for privacy enforcement may be intrinsic to allowing the benefits of data while confining data misuse. We are working on investigating cryptographic tools that can enable the enforcement of a richer set of privacy policies.