Privacy-preserving Services On The Internet

The PSOTI project addressed privacy concerns with Internet services such as email, forms, and messaging. These services often require data to be stored in the clear on servers managed by a single service provider. The data is then processed further, which requires the data to be unencrypted, infringing on the privacy of the data owner, namely the user of the service. Furthermore, having a single service provider introduces a single point of failure in the system where a successful attack on the service provider can compromise the data of many users.

Privacy has always been an essential human right, but it is often overlooked in today's convenient Internet services, which have become an essential part of our lives. Some steps have been taken to legally limit the service providers' power over users' data, such as the EU General Data Protection Regulation (GDPR). However, providing privacy-preserving services while providing a rich set of functionalities is very challenging.

The primary objective of the PSOTI project was to showcase that certain Internet services can be realized while still preserving privacy. For this, we substantially improved protocols and built frameworks for Secure Multi-Party Computation (MPC), allowing the secure processing of data under encryption. Moreover, we proposed MPC-based solutions and built prototype implementations that allow users to privately send, store, or even process data using multiple service providers.

In conclusion, we have shown that we do not require a single service provider to have plaintext access to the data, but multiple service providers can jointly and privately provide functionalities.

In the PSOTI project, we worked extensively on solutions that allow users to use their data easily and securely in services that by default can harm the users' privacy by processing data in in the clear. We have successfully built demonstrators that allow the users to securely send data over various service providers with small overhead.

One of our primary goals has been to create efficient private query protocols. We created and implemented several privacy-preserving search methods that can be used in combination with other queries. A fundamental technique for this is Private Function Evaluation (PFE) which allows to protect both data and functions and hence even the structure of the private query. As further building blocks, we designed Private Information Retrieval (PIR) protocols that allow to privately retrieve data from a database.

To improve usability, we designed and implemented MPC frameworks that allow to build privacy-preserving Internet services. Our MPC frameworks were implemented in C/C++ or even in Rust with focus on memory safety. Furthermore, we substantially improved the performance of MPC protocols for example using hardware acceleration and parallelization.

Finally, we showed how such technologies can be used to preserve privacy in several applications and demonstrated their practicality in various settings. Among many applications, we looked at securing email and provided a generalized method and demonstrator to communicate securely over multiple communication channels (e.g. email, SMS, WhatsApp, Signal), some of which might be compromised by backdoors or surveillance.

We have published and presented our research results at major conferences and journals in the area of applied cryptography and organized the 10. Theory and Practice of Multi-Party Computation Workshop (TPMPC'24).

Our implementations and tools were published as open source under liberal open source licenses such as MIT, allowing companies to turn them into products.

With multiple press releases that were picked up by the media, we also made our research accessible to the general public.

In the PSOTI project, we substantially improved protocols and built new frameworks for Multi-Party Computation (MPC) and related techniques. We improved performance in terms of communication and run-time, as well as so far less studied metrics such as memory consumption and scalability. Using such optimized protocols, we built demonstrators and implementations for multiple privacy-preserving applications.

Overall, the project PSOTI has shown that advanced cryptographic techniques can provide practical privacy-preserving solutions for Internet services.