by Nicolas Anciaux, Jean-Marc Petit, Philippe Pucheral and Karine Zeitouni
In the IT world every piece of information is just “one-click away”. This convenience comes at a high indirect price: the loss of the user’s control over her personal data. We propose a simple yet effective approach, called Personal Data Server, to help protect the user’s data.
An increasing amount of personal data is gathered on servers by administrations, hospitals, insurance companies, etc. Smart devices all around us also silently produce sensitive spatio-temporal information (e.g. healthcare monitoring, smart buildings, road pricing). In the meantime, more and more digitized data is delivered to the user (salary forms, invoices, phone call sheets, banking statements, etc.). While primary copies of these data are kept by the issuers' information systems, citizens themselves often rely on Internet companies to reliably store secondary copies and make them available online. Unfortunately, there are many examples of privacy violations arising from negligence, abuse and attacks, and even the most secure servers are not spared.
We draw a radically different, highly decentralized vision of the management of personal data. It builds upon the emergence of new devices known as Secure Tokens, combining the security of smart cards with the storage capacity of NAND Flash chips (e.g. mass storage SIM cards, secure USB sticks, smart sensors). This unprecedented conjunction of portability, security and mass storage holds the promise of a real breakthrough in the management of personal data.
The idea is to embed in Secure Tokens software components capable of acquiring, storing and securely managing personal data. This forms a full-fledged Personal Data Server (PDS) that remains under the holder's control. A PDS is not a simple secure repository of personal data. It must allow the development of powerful, user-centric and privacy-preserving applications, which requires a well organized and queryable representation of the user's data. It must also give the data holder friendly control over the sharing conditions attached to her data. PDSs must finally provide traditional database services such as durability and query facilities, and must be able to interoperate with external data sources in a secure manner.
With appropriate infrastructure, PDSs enable the vision depicted in Figure 1. John’s personal data, delivered and certified by different sources, are sent to his PDS which can then serve data requests from various applications. While protecting personal information on the issuer side will remain an open problem, the PDS vision enables executing all these applications under the full control of individuals.
Figure 1: Personal Data Server Architecture
Private applications are run by the holder herself and inherit her privileges (e.g. a budget optimizer). External applications/services declare collection rules specifying which data is required by which business rules (e.g. salary and tax information for a bank loan, aggregates of GPS data for a PayAsYouDrive system). The PDS then computes the minimum amount of data to be disclosed and shows it to the holder, who can finally opt in or out of the service. Conversely, data provenance is certified by the PDS and can be checked by the service. Privacy-preserving global computations are large-scale computations over a population of PDSs (e.g. aggregate queries or anonymized release for an epidemiological study), with privacy guarantees (e.g. differential privacy, k-anonymity) enforced by all PDSs in a secure multi-party way. Finally, collaborative applications can exchange personal data among PDSs (e.g. a patient's data exchanged among doctors, personal files exchanged among a community of friends or colleagues). Sharing can be bounded in time thanks to data retention rules and can be audited afterwards. Secure collaborative scenarios are achievable because all participating PDSs are tamper-resistant and trusted.
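The external-service flow described above (declared collection rules, minimal disclosure computed on the token, holder opt-in, provenance certification and a time-bounded retention window) can be made concrete with a small simulation. The following is an added illustration and is not code from the KISS or DMSP projects; the rule format, the sample personal data, the service names and the HMAC tag standing in for the token's signature are all constructed assumptions.

```python
"""Toy Personal Data Server (PDS) disclosure flow.

A service declares collection rules; the PDS computes the least data that
satisfies them, evaluates aggregates locally so raw series never leave the
token, shows the result to the holder, and certifies provenance of what is
released.  Added illustration: formats, keys and sample data are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed holder data, as if each item had been certified by its issuer.
PERSONAL_DATA = {
    "salary": {"value": 3200, "issuer": "employer-payroll"},
    "tax_paid": {"value": 610, "issuer": "tax-administration"},
    "health_record": {"value": "confidential", "issuer": "hospital"},
    "gps_trips_km": {"value": [12.4, 3.1, 48.9, 7.7], "issuer": "car-sensor"},
}

# Aggregates the PDS can compute on-token instead of releasing raw data.
AGGREGATES = {"sum": lambda xs: round(sum(xs), 2), "count": len}

# Constructed collection rules declared by two hypothetical services.
BANK_LOAN_RULES = [
    {"rule": "income_check", "needs": "salary"},
    {"rule": "debt_ratio", "needs": "salary"},     # same attribute, disclosed once
    {"rule": "debt_ratio", "needs": "tax_paid"},
]
PAY_AS_YOU_DRIVE_RULES = [
    {"rule": "monthly_fee", "needs": "gps_trips_km", "aggregate": "sum"},
]

# Demo key only; on a real Secure Token the signing key never leaves the chip.
PDS_KEY = b"constructed-demo-key-not-a-real-secret"


def minimal_disclosure(data, collection_rules):
    """Return the least data satisfying every declared business rule.

    Each rule is {"rule": name, "needs": attribute, "aggregate": fn-name or absent}.
    Attributes requested by several rules appear once; every rule that
    justifies an item is recorded so the holder can see why it is needed.
    """
    disclosed = {}
    for rule in collection_rules:
        attr = rule["needs"]
        item = data[attr]                       # KeyError: holder lacks the data
        agg = rule.get("aggregate")
        key = f"{agg}({attr})" if agg else attr
        if key not in disclosed:
            value = AGGREGATES[agg](item["value"]) if agg else item["value"]
            disclosed[key] = {"value": value, "issuer": item["issuer"],
                              "justified_by": []}
        disclosed[key]["justified_by"].append(rule["rule"])
    return disclosed


def _canonical(envelope):
    """Deterministic encoding of the envelope without its tag."""
    body = {k: v for k, v in envelope.items() if k != "provenance_tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def certify(disclosed, service, pds_key, retention_days):
    """Package an opted-in disclosure with a provenance tag and retention limit."""
    until = datetime.now(timezone.utc) + timedelta(days=retention_days)
    envelope = {"service": service, "data": disclosed,
                "retention_until": until.isoformat()}
    envelope["provenance_tag"] = hmac.new(
        pds_key, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


def verify(envelope, pds_key, now_iso=None):
    """Service-side check: tag is genuine and the retention window has not elapsed."""
    expected = hmac.new(pds_key, _canonical(envelope), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["provenance_tag"]):
        return False
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc))
    return now < datetime.fromisoformat(envelope["retention_until"])


def serve_request(data, service, rules, holder_opts_in, pds_key, retention_days=30):
    """Full flow: compute the minimum, show it to the holder, release only on opt-in."""
    disclosed = minimal_disclosure(data, rules)
    if not holder_opts_in(service, disclosed):
        return None
    return certify(disclosed, service, pds_key, retention_days)


if __name__ == "__main__":
    def ask_holder(service, disclosed):
        print(f"{service} requests: {sorted(disclosed)}")
        return True                            # holder opts in for the demo
    env = serve_request(PERSONAL_DATA, "bank", BANK_LOAN_RULES, ask_holder, PDS_KEY)
    print("service verifies provenance:", verify(env, PDS_KEY))
```

The health record is never part of the bank's disclosure because no declared rule needs it, and the PayAsYouDrive service only ever sees a total distance, not the individual trips.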
Converting the PDS vision into reality introduces three main scientific challenges: (1) new database techniques must be devised to efficiently manage embedded data while tackling the strong hardware constraints inherent to Secure Tokens; (2) a rich and intuitive model must be provided to help individuals protect all facets of their privacy, and proof of legitimacy must be provided for any data entering/leaving a PDS; (3) the traditional functions of a central server must be re-established in an atypical environment combining a large number of highly secure but low-power Secure Tokens with a powerful but unsecured infrastructure.
Our hope is that the PDS approach will provide a credible alternative to the systematic centralization of personal data on servers and will pave the way for new privacy-by-design architectures.
This work is supported by the KISS ANR project, which groups academics (INRIA, LIRIS, UVSQ), industry (Gemalto, CryptoExperts) and administrations (Yvelines District General Council-CG78). A platform prefiguring the PDS vision is being field-tested under grant DMSP. It implements a secure and portable patient file that improves social and medical care coordination for elderly people.
KISS project: http://blog.inria.fr/kiss/
DMSP project: http://www-smis.inria.fr/_DMSP/accueil.php
T. Allard et al, "Secure Personal Data Servers: a Vision Paper", 36th International Conference on Very Large Data Bases, PVLDB 3(1): 25-35, 2010.
Philippe Pucheral (KISS project)
University of Versailles & Inria, France
Nicolas Anciaux (DMSP project)