A suite of privacy-enhancing technologies
In the EU, the right to privacy is a fundamental right, enshrined in the Charter of Fundamental Rights of the European Union(opens in new window). But in a world where internet services such as email and messaging are a ubiquitous part of our lives, this right is often overlooked. “Such services often require that data be processed in the clear and on servers managed by a single service provider,” explains Thomas Schneider, a professor of Computer Science and head of the Cryptography and Privacy Engineering Group(opens in new window) (ENCRYPTO) at the Technical University of Darmstadt(opens in new window). The challenge is that the unencrypted processing of this data can infringe on the privacy of the data owner – namely, the user of the service. Furthermore, having a single service provider introduces a single point of failure in the system, where a successful attack on the provider can compromise the private data of many users. “Although steps have been taken to legally limit a service provider’s power over user data, such as the EU General Data Protection Regulation(opens in new window) (GDPR), balancing the need for privacy-preserving services with the need for a rich set of functionalities has proven to be very challenging,” adds Schneider. Helping to strike such a balance is the EU-funded PSOTI(opens in new window) project.
New ways to protect user data
At the heart of the project are several innovative privacy-enhancing technologies and protocols. “Our developed solutions help protect user data while also allowing multiple independent service providers to securely and jointly process it,” explains Schneider. One of those solutions is a framework for mixed-protocol secure two-party computation. The protocol significantly improves the communication of common building blocks such as multiplications and dot products with vast applications in privacy-preserving machine learning. Two further frameworks developed by the ENCRYPTO Group were cited as examples of best practices for open-source projects in the United Nations Guide on Privacy-Enhancing Technologies for Official Statistics(opens in new window). The PSOTI project, supported by the European Research Council(opens in new window), also developed the web-based tool called Encrypted Multi-Channel Communication(opens in new window), or EMC2. People can use the tool to communicate via two independent communication channels, such as email and WhatsApp. “With this tool, the message is protected, even if one of the channels is hacked or compromised,” notes Schneider.
Identifying concrete privacy attacks on internet services
During the project, the researchers also identified concrete attacks on privacy in existing internet services. This included the exposure of user contact information in popular messenger apps such as WhatsApp, Signal and Telegram(opens in new window). They also noted a privacy vulnerability in Apple’s AirDrop protocol for file sharing(opens in new window). “Based on these findings, we proposed privacy-preserving alternatives that leveraged some of the PSOTI solutions,” remarks Schneider. The project’s research on private contact discovery won the second prize at the 2020 German IT Security Award.
New project aims to automate privacy-friendly solutions
PSOTI has shown that certain internet services can be extended to protect privacy without sacrificing their ability to process user data. It also opened the door to new research opportunities. “The next big step is to develop tools that can automatically generate privacy-friendly solutions from high-level specifications,” concludes Schneider. Schneider and his team will take that step in the EU-funded ERC Consolidator Grant(opens in new window) project PRIVTOOLS.
