PrivacyPutting data privacy in the hands of users

By Rob Matheson

A new platform developed by MIT and Harvard University researchers ensures that web services adhere to users’ preferences on how their data are stored and shared in the cloud.

In today’s world of cloud computing, users of mobile apps and web services store personal data on remote data center servers. These data may include photos, social media profiles, email addresses, and even fitness data from wearable devices. Services often aggregate multiple users’ data across servers to gain insights on, say, consumer shopping patterns to help recommend new items to specific users, or may share data with advertisers. Traditionally, however, users haven’t had the power to restrict how their data are processed and shared.

In a paper being presented at this week’s USENIX Networked Systems Design and Implementation conference, the researchers describe a platform, called Riverbed, that forces data center servers to only use data in ways that users explicitly approve.  

In Riverbed, a user’s web browser or smartphone app does not communicate with the cloud directly. Instead, a Riverbed proxy runs on a user’s device to mediate communication. When the service tries to upload user data to a remote service, the proxy tags the data with a set of permissible uses for their data, called a “policy.”

Users can select any number of predefined restrictions — such as, “do not store my data on persistent storage” or “my data may only be shared with the external service x.com.” The proxy tags all the data with the selected policy.

In the datacenter, Riverbed assigns the uploaded data to an isolated cluster of software components, with each cluster processing only data tagged with the same policies. For example, one cluster may contain data that can’t be shared with other services, while another may hold data that can’t be written to disk. Riverbed monitors the server-side code to ensure it adheres to a user’s policies. If it doesn’t, Riverbed terminates the service.