πBox: A Platform for Privacy-Preserving Apps
Sangmin Lee, Edmund L. Wong, Deepak Goel, Mike Dahlin, and Vitaly Shmatikov, The University of Texas at Austin
We present πBox, a new application platform that prevents apps from misusing information about their users. To strike a useful balance between users' privacy and apps' functional needs, πBox shifts much of the responsibility for protecting privacy from the app and its users to the platform itself. To achieve this, πBox deploys (1) a sandbox that spans the user's device and the cloud, (2) specialized storage and communication channels that enable common app functionalities, and (3) an adaptation of recent theoretical algorithms for differential privacy under continual observation. We describe a prototype implementation of πBox and show how it enables a wide range of useful apps with minimal performance overhead and without sacrificing user privacy.
by Krishna Gummadi
We are witnessing a proliferation of software applications that run on personal devices (mobile phones, game consoles, or web browsers) and connect to remotely hosted services. These applications pose a growing privacy threat because they often have access to sensitive user data, but are designed by third-party publishers with unknown reputation or uncertain data usage policies. So users today have to trade off their privacy for apps' functionality. This paper takes a significant step towards addressing this timely and important problem.
The basic idea here is to move the responsibility for protecting users' privacy from the apps to a new platform, called PiBox, that confines and isolates the untrusted apps even as it provides them with necessary access to users' personal data. At its core, PiBox relies on a per-user, per-app sandbox that spans the local device and a cloud virtual machine managed by a trusted provider, such as the provider of the device software (e.g., Google Chrome) or software and hardware (e.g., Apple iPhone). A key assumption is that a few, large platform (device) providers could be trusted to enforce privacy better than hundreds or thousands of small, third-party app publishers.
The key technical innovations of PiBox lie in the design of the access-restricted storage and communication channels that support the functionality of a number of different types of apps, while preserving user privacy. These channels enable the per-user, per-app sandboxes to interact with one another as well as with the app publishers. The design of the communication channel that enables publishers to collect aggregate statistics on users' collective behavior is particularly tricky, but crucial for advertiser-supported apps. PiBox leverages recent theoretical advances in differential privacy under continual observation to enable publishers to periodically gather aggregate statistics about their users (e.g., ad impressions).
PiBox is not a privacy panacea. Not all apps running on PiBox can offer the same privacy guarantees. For example, apps that do not involve sharing information between users (e.g., navigation or speech recognition) can offer strong privacy guarantees when run over PiBox, but apps whose primary purpose is sharing and collaborating (e.g., Facebook or Twitter) benefit relatively less from running over PiBox. PiBox also restricts communications outside of the platform, preventing apps from using external content delivery networks and requiring changes to click-through ad URLs.
In summary, the PiBox design represents an interesting and compelling tradeoff point between apps' usability and users' privacy. But it is far from being the last work on this important and challenging problem. Hopefully, this paper will fuel more community interest and future work on designing privacy-preserving app platforms.
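The aggregate-statistics channel mentioned in the abstract and in the review above rests on "differential privacy under continual observation": a publisher is allowed to read a running count (e.g., ad impressions) after every period, yet the total privacy loss for any single event must stay bounded no matter how many releases happen. The page does not include πBox's implementation; the following is an added, stand-alone Python example of the standard binary-tree mechanism for continual counting (Dwork et al. 2010; Chan, Shi and Song 2011), the family of algorithms the paper says it adapts. The horizon, epsilon and the per-hour impression stream are constructed for illustration, and the naive comparison scale is there only to show why per-release perturbation of a running total does not scale.

```python
"""Differentially private continual counting with the binary-tree mechanism.

Added illustration, not πBox's code: the paper only states that it adapts
algorithms for differential privacy under continual observation.  This is
the standard tree mechanism (Dwork-Naor-Pitassi-Rothblum 2010 / Chan-Shi-Song
2011).  Horizon, epsilon and the impression stream below are constructed.
"""
import math
import random


class TreeCounter:
    """Releases the running total sum(x_1..x_t) after every period t.

    A complete binary tree over the T periods is kept implicitly; each node
    covers a dyadic range of periods.  Every x_t falls into L = log2(T)+1
    nodes, so Laplace noise of scale sensitivity*L/epsilon on each node gives
    epsilon-DP (event level) for the entire stream, while any prefix [1, t]
    is the sum of at most L nodes: error O(L^1.5/epsilon) instead of the
    O(T/epsilon) noise a naive per-release perturbation would need.
    """

    def __init__(self, horizon, epsilon, sensitivity=1, seed=None):
        self.T = 1 << max(1, (horizon - 1).bit_length())  # next power of two >= horizon
        self.levels = self.T.bit_length()                  # log2(T) + 1 node levels per leaf
        self.scale = sensitivity * self.levels / epsilon   # per-node Laplace scale
        self.rng = random.Random(seed)
        self.x = []                                        # raw counts: private, never released
        self.node_noise = {}                               # (level, idx) -> noise drawn once per node

    def _laplace(self):
        """Laplace(0, scale) via inverse CDF; scale 0 (epsilon = inf) means no noise."""
        if self.scale == 0:
            return 0.0
        u = self.rng.random() - 0.5
        return -self.scale * math.copysign(1.0, u) * math.log(max(1e-300, 1 - 2 * abs(u)))

    def observe(self, count):
        """Ingest the count for the next period (e.g. impressions this hour)."""
        if len(self.x) >= self.T:
            raise ValueError("horizon exceeded; start a new tree with a fresh budget")
        self.x.append(count)

    def _noisy_node(self, level, idx):
        """Exact sum over periods [idx*2^level, (idx+1)*2^level) plus this node's fixed noise."""
        width = 1 << level
        exact = sum(self.x[idx * width:(idx + 1) * width])
        key = (level, idx)
        if key not in self.node_noise:             # a node always reuses its one noise draw,
            self.node_noise[key] = self._laplace()  # so repeated queries cannot average it away
        return exact + self.node_noise[key]

    def release(self, t=None):
        """Noisy sum of periods 1..t, assembled from the dyadic decomposition of [0, t)."""
        if t is None:
            t = len(self.x)
        if not 0 <= t <= len(self.x):
            raise ValueError("cannot release a prefix longer than what was observed")
        total, pos = 0.0, 0
        for level in range(self.levels - 1, -1, -1):  # high bit first keeps ranges left-aligned
            if t & (1 << level):
                total += self._noisy_node(level, pos >> level)
                pos += 1 << level
        return total

    def exact(self, t=None):
        """Ground truth, for evaluation only; never exposed to the publisher."""
        if t is None:
            t = len(self.x)
        return sum(self.x[:t])


def naive_scale(horizon, epsilon, sensitivity=1):
    """Scale a naive scheme needs: one x_t affects up to T later running totals, so
    perturbing each release independently costs Laplace(sensitivity*T/epsilon) each."""
    return sensitivity * horizon / epsilon


def demo(epsilon=1.0, seed=7):
    """Constructed per-hour impression counts for one app over one day (T=24, tree of 32)."""
    impressions = [3, 1, 0, 0, 2, 5, 8, 12, 15, 14, 16, 18,
                   20, 17, 19, 22, 21, 18, 15, 11, 9, 6, 4, 2]
    c = TreeCounter(horizon=len(impressions), epsilon=epsilon, seed=seed)
    rows = []
    for hour, n in enumerate(impressions, start=1):
        c.observe(n)
        rows.append((hour, c.exact(), round(c.release(), 1)))
    return rows, c.scale, naive_scale(len(impressions), epsilon)


if __name__ == "__main__":
    rows, tree_scale, naive = demo()
    print(f"per-node Laplace scale {tree_scale:.1f} vs naive per-release scale {naive:.1f}")
    for hour, truth, noisy in rows:
        print(f"hour {hour:2d}: exact {truth:4d}  released {noisy:7.1f}")
```

Two properties matter for the publisher-facing channel: a node's noise is drawn once and cached, so a publisher polling the same prefix repeatedly learns nothing new, and the budget is spent per tree, so a new horizon (a new day) means a new tree and a fresh epsilon rather than silently extending the old one. Whether epsilon is charged per event or per user, and how the sandboxes feed counts into such a counter, are design decisions the paper makes that this example does not reproduce.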