There have long been options for users seeking more privacy as they browse the web, from the anti-tracking search engine DuckDuckGo to the Tor secure browser. Now teams of researchers from Stanford and MIT have developed a system they say can enable users to make website database queries—such as to look up flights or find Yelp reviews—in anonymity.
This is important because website queries can derive a great deal of information about a visitor, as the paper's lead author noted to MIT's news service:
“The canonical example behind this line of work was public patent databases,” says Frank Wang, an MIT graduate student in electrical engineering and computer science and first author on the conference paper. “When people were searching for certain kinds of patents, they gave away the research they were working on. Stock prices is another example: A lot of the time, when you search for stock quotes, it gives away information about what stocks you’re going to buy. Another example is maps: When you’re searching for where you are and where you’re going to go, it reveals a wealth of information about you.”
Wang and his co-authors will present the system in a paper this week at the USENIX Symposium on Networked Systems Design and Implementation.
The system is called Splinter, an aptly chosen name given how it is architected. Splinter presents the user with a client through which they split queries into shares and send them to different servers hosting the same database. Splinter combines the results and returns them to the user. The system is foolproof as long as at least one server is trustworthy, according to the paper.
Splinter isn't the first idea of its kind, of course, but will deliver much better performance and faster results through the use of a recently developed cryptographic primitive, Function Secret Sharing, as the paper notes:
For example, systems based on Private Information Retrieval ... require many round trips and high bandwidth for complex queries, while systems based on garbled circuits have a high computational cost. These approaches are especially costly for mobile clients on high-latency networks.
FSS is up to an order of magnitude quicker than previously developed systems and can often answer queries with only one network roundtrip, the paper adds.
The researchers tested Splinter using an academic dataset from Yelp, a public flight database and a public traffic database from New York City, and achieved no greater than a 1.6 second response time across all three applications.
Overall, Constellation sees Splinter as a welcome tool for end-users in an age where their personal data is ever more increasingly being mined for commercial gain without enough transparency or returned value. Still, what seems a bit far in the future is the broad data ecosystem a service like Splinter will need to be relevant, as well as commercial viability. MIT's Wang offered this somewhat optimistic prediction:
“We see a shift toward people wanting private queries,” Wang says. “We can imagine a model in which other services scrape a travel site, and maybe they volunteer to host the information for you, or maybe you subscribe to them. Or maybe in the future, travel sites realize that these services are becoming more popular and they volunteer the data. But right now, we’re trusting that third-party sites have adequate protections, and with Splinter we try to make that more of a guarantee.”
MIT and Stanford's work appears to be very innovative, says Constellation Research VP and principal analyst Steve Wilson. "It's great to see new twists on Secret Sharing as a class of security techniques," he says. "Some of these things are provably secure in a mathematical sense, which is super valuable these days."
However, "I can't help but express some cautions," Wilson adds. "They call this a privacy solution, but really it's a secrecy solution. It stops people seeing what you're up to; it keeps your affairs hidden, but at some point you need to reveal yourself, and that's when true privacy kicks in. You need protection against misuse of your personally identifying information when someone has it.
"So in this case, there will be a splinter server—a point at which your database query gets splintered, farmed out, and the responses reassembled," he continues. "Users have to trust the splinter server to not abuse their personal information."
At this stage, "Splinter may end up becoming freeware, a gift from academia, but is it sustainable?" Wilson says. It could be very compute-intensive to run, although the researchers said their tests using Amazon Web Services found the costs to be fairly nominal.
Still, who pays? "The question of whether consumers will pay for privacy protection is vexed," Wilson says. "Consumers are usually shown to be unwilling to pay much of a premium for privacy preserving services."
The Bottom Line
"Privacy services which insert themselves into the information supply chain like this are a bit like bodyguards," Wilson says. "Perfectly understandable, but you cannot imagine a real-life situation where there is so much crime going on that everyone is encouraged to get a bodyguard. No, privacy is a public good, we all need it, it needs to be systemic, and not remedial in nature."
24/7 Access to Constellation Insights
Subscribe today for unrestricted access to expert analyst views on breaking news.