Privacy-Friendly Services and Apps

The objective of this project is to re-imagine how modern online services and applications can be engineered to provide a higher degree of technical privacy protection. Supporting stronger privacy and user control requires a serious redesign of the key protocols and architectures that underlie these services, as well as the development of principled definitions of privacy, tools to realize them, and methods to evaluate the degree of protection afforded.

We consider two categories of services. The first consists of systems that process personal information but produce information that is publicly disclosed. A typical example is aggregating the data of multiple individuals and extracting higher-level information and statistics, such as the likelihood of customers buying two items together, or the correlation between a certain disease and obesity. For those services, the objective of this project is to devise generic techniques to compute and publish such statistics while minimizing the exposure of personal information.
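As an added illustration (not code from the project), the following shows the standard Laplace mechanism applied to the co-purchase statistic mentioned above: each customer contributes one basket, so a count changes by at most one when a single customer is added or removed, and adding Laplace noise of scale 1/ε to the count makes the release ε-differentially private. The purchase records are constructed for the example; releasing a rate as the ratio of two noisy counts is shown with the privacy budget split between them.

```python
import math
import random

# Constructed sample data: one basket (set of item ids) per customer.
# Because each customer contributes exactly one record, adding or removing
# one customer changes any count by at most 1 (sensitivity 1).
PURCHASES = [
    {"bread", "butter"},
    {"bread", "milk"},
    {"bread", "butter", "jam"},
    {"milk"},
    {"butter"},
    {"bread", "butter"},
]


def count_buying_both(records, a, b):
    """Exact (non-private) number of customers whose basket contains both items."""
    return sum(1 for basket in records if a in basket and b in basket)


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) as the difference of two Exponential(1/scale) draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_count(records, a, b, epsilon, rng, sensitivity=1):
    """Laplace mechanism: exact count plus Laplace(sensitivity / epsilon) noise."""
    return count_buying_both(records, a, b) + laplace_noise(sensitivity / epsilon, rng)


def dp_co_purchase_rate(records, a, b, epsilon, rng):
    """Release the fraction of customers buying both a and b under epsilon-DP.

    The numerator and the total are two queries on the same records; by
    sequential composition, spending epsilon/2 on each gives epsilon overall.
    Dividing the two noisy values is post-processing and costs no extra budget.
    """
    noisy_both = dp_count(records, a, b, epsilon / 2, rng)
    noisy_total = len(records) + laplace_noise(1.0 / (epsilon / 2), rng)
    # Noise can push a count below zero or above the total; clamp to a sane range.
    noisy_both = max(0.0, noisy_both)
    noisy_total = max(1.0, noisy_total)
    return min(1.0, noisy_both / noisy_total)


def laplace_error_bound(epsilon, sensitivity=1, delta=0.05):
    """Radius around the true count containing the noisy count with probability 1 - delta.

    For Laplace(b) noise, P(|noise| > t) = exp(-t / b), so t = b * ln(1 / delta).
    """
    return (sensitivity / epsilon) * math.log(1.0 / delta)


if __name__ == "__main__":
    rng = random.Random(7)
    print("exact count of bread+butter:", count_buying_both(PURCHASES, "bread", "butter"))
    print("noisy count (eps=1):", round(dp_count(PURCHASES, "bread", "butter", 1.0, rng), 2))
    print("noisy rate  (eps=1):", round(dp_co_purchase_rate(PURCHASES, "bread", "butter", 1.0, rng), 2))
    print("95% error radius at eps=1:", round(laplace_error_bound(1.0), 2))
```

The error bound makes the utility trade-off concrete: at ε = 1 the released count is within about three of the true value 95% of the time, which is useful for a population of thousands and nearly useless for six customers, so the choice of ε has to be made against the size of the population being aggregated.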

The second category of services both processes personal information and generates personal information. For example, the insurance premium paid by an individual on the basis of their health is both the result of processing sensitive information and sensitive in itself. For those applications, we aim to devise generic architectures that (a) minimize the exposure of private information and (b) allow flexible policies to determine under what conditions the resulting sensitive information is shared, and with whom.

A fundamental objective, common to both categories, is to develop principled and robust definitions of privacy, as well as methods for evaluating the quality of protection offered by different proposed mechanisms. We intend to consider variants of differential privacy, cryptography and other established privacy technologies, augmented by rigorous proofs of correctness.

We plan to dedicate particular attention to the domain of location-based services. We aim to design mechanisms that allow a user to obtain information from such services, such as nearby points of interest or nearby friends, without exposing their precise location. To this end, we plan to develop obfuscation techniques that provide strong privacy guarantees, such as geo-indistinguishability, a variant of differential privacy suited to geo-location.

Finally, we intend to prototype high-quality software tools for developing and evaluating privacy-friendly services. These include tools and libraries that implement high-value computations in a privacy-preserving manner; language-based tools, such as compilers and runtimes, to support building higher-level services; and platforms and APIs that support privacy features out of the box. These should be capable of interoperating to produce larger and richer services that process location, medical, or financial data without exposing them to third parties. While this is not a core objective of the project, we hope to achieve synergies with other Microsoft Research-Inria projects that focus on automatic verification to validate the code that implements protection mechanisms.