PhD Defence • Cryptography, Security, and Privacy (CrySP) • Realizing Privacy Design Strategies for the Agile Web

Tuesday, August 12, 2025 1:00 pm - 4:00 pm EDT (GMT -04:00)

Please note: This PhD defence will take place online.

Miti Mazmudar, PhD candidate
David R. Cheriton School of Computer Science

Supervisor: Professor Ian Goldberg

In today’s big data world, companies collect extensive profiles of users’ personal information. This kind of extensive data collection risks exposing users’ personal information in larger, more severe and more frequent data breaches. Furthermore, software development practices lead developers to process this sensitive information for purposes orthogonal to the core functionality offered by the business. Users’ sensitive data has often been shared with business partners and other third parties in violation of the business’s privacy policy and in breach of the users’ trust. Hoepman proposes eight privacy design strategies in order to guide software developers to incorporate privacy as a central element within the software development process. These privacy design strategies underpin the design of, and draw examples from, various privacy-enhancing technologies (PETs) that are deployed today, including differential privacy, anonymity networks and so on. Nevertheless, software engineers and privacy engineers have found that realizing these privacy design strategies within the back-end web architectures that they maintain remains challenging. Some privacy design strategies, such as the Inform and Control strategies, are commonly realized by informing users through privacy policies and equipping them with controls. However, the remaining strategies are not commonly translated into practice.

We consider different back-end web architectures, including both centralized and distributed web architectures, and each contribution in this thesis operationalizes one or more privacy design strategies for the respective back-end architecture. In our first system, namely CacheDP, we examine relational DBMSes and reduce the granularity of sensitive data revealed to data analysts using these systems, thereby realizing the Abstract strategy. In our second and third systems, namely DHTPIR and Peer2PIR, we delve into peer-to-peer networks and distributed hash tables. Both of these contributions seek to minimize the data revealed to other peers while a peer queries for, and retrieves, files from the network, and thus they realize the Minimize strategy. However, the two systems do so differently: DHTPIR separates the sensitive content of the query across multiple peers in the network, thereby realizing the Separate strategy, while Peer2PIR hides the content of the query using encryption, and thus operationalizes the Hide strategy. In our final system, namely Prose, we focus on a distributed microservice architecture, conceptualizing technical requirements that cater to the needs of privacy engineers and software engineers, and implement the Enforce and Demonstrate strategies for this architecture. Considering the Minimize strategy as an example, we distinguish between PETs that realize a privacy design strategy once within the underlying architecture, without further interventions as the architecture evolves, as is the case with DHTPIR and Peer2PIR, and PETs that realize a strategy in a way that lets the PET respond to changes in the architecture, as in Prose. We thus relate our privacy-enhancing technologies to the privacy design strategies that they realize, highlighting combinations of privacy design strategies that are realized simultaneously, and illustrating how some privacy design strategies may be used to indirectly realize others.
Importantly, our work shows that PETs can be designed to systematically and continually realize privacy design strategies, such as the Enforce, Demonstrate and Minimize strategies. Finally, we evaluate our privacy-enhancing technologies and show that they are effective, in terms of continuing to provide the desired functionality with the added privacy guarantee afforded by the privacy design strategy, and efficient, in terms of low communication and computation overheads over the original architecture.