Towards an end-to-end architecture for handling sensitive data - PowerPoint PPT Presentation

Title: KDD Infrastructure. Author: hector. Last modified by: Hector Garcia-Molina. Created Date: 12/31/2001 10:24:08 PM. Document presentation format: PowerPoint PPT presentation.

Transcript and Presenter's Notes


1
Towards an end-to-end architecture for handling sensitive data
  • Hector Garcia-Molina
  • Rajeev Motwani
  • and students

2
DB Perspective
  • Performance
  • Preservation
  • Distribution (P2P)
  • Bad Guys
    • eavesdrop
    • corrupt
  • Trust

3
DB Perspective
  • Preservation

[Diagram: an axis running from "easy preservation" to "easy privacy", with the "goal" marked on it]

4
Privacy Spectrum
  • Prevention
  • Detection
  • Containment

5
Prevention: Our Work
  • Privacy-Preserving OLAP
  • Distributed Architecture for Secure DBMS (P)
  • Data Preservation in P2P Systems
  • P2P Trust and Reputation Management (P)
  • P2P Privacy Preserving Indexing (P)

6
Distributed Architecture for Secure DBMS
  • Motivation: Outsourcing
  • Secure Database Provider (SDP)

[Diagram: Client → Encrypt → Service Provider]
7
Performance Problem
[Diagram: the Client issues Query Q; a Client-side Processor forwards Q to the Service Provider (data stored encrypted), which returns the Relevant Data, from which the Client-side Processor computes the Answer]
Problem: Q → SELECT (the query degenerates into fetching the relevant data for client-side processing)
8
The Power of Two
[Diagram: the Client is connected to two providers, DSP1 and DSP2]
9
Basic Idea
[Diagram: the tuple (CC, expDate, name) is split so that one provider stores CC and the other stores expDate, name]
10
Another Example
[Diagram: salary is split across the two providers into "salary rand" (the salary masked with a random value) and "rand"]
11
The Power of Two
[Diagram: Query Q goes to the Client-side Processor, which sends Q1 to DSP1 and Q2 to DSP2]
Key: ensure Cost(Q1) + Cost(Q2) ≈ Cost(Q)
12
Challenges
  • Find a decomposition that
    • Obeys all privacy constraints
    • Minimizes execution cost for given workload
  • For given query, find good plan

13
Example
R(id, a, b, c), privacy constraint {a, b, c}
R1(id, a, b), R2(id, b, c)

Other decompositions:
  • R1(id, a), R2(id, b, c)
  • R1(id, a, b), R2(id, c)
  • R1(id, a, c), R2(id, b, c)
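The search the Challenges and Example slides describe, as an added example (not code from the authors): enumerate every two-provider vertical split of R(id, a, b, c), drop the ones that put all of {a, b, c} on one provider, and pick the cheapest for a workload. The workload, the frequencies and the cost model (1 for a query one provider can answer, 3 when both fragments plus a client-side join on id are needed) are constructed assumptions, not figures from the slides.

```python
from itertools import combinations, combinations_with_replacement

# Constructed example, modelled on the slide's R(id, a, b, c) with the
# privacy constraint {a, b, c}: no single provider may hold all three.
ATTRS = ("a", "b", "c")
CONSTRAINTS = [frozenset("abc")]
# Constructed workload: (attributes a query touches, relative frequency).
WORKLOAD = [(frozenset("ab"), 5), (frozenset("bc"), 3), (frozenset("ac"), 1)]
# Assumed cost model: a query answered by one provider costs 1; one that
# needs both fragments plus a client-side join on id costs 3.
LOCAL_COST, JOIN_COST = 1, 3

def powerset(items):
    """All subsets of items, as frozensets."""
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]

def violates(fragment, constraints=CONSTRAINTS):
    """A fragment violates a constraint when it holds every attribute in it."""
    return any(c <= fragment for c in constraints)

def decompositions(attrs=ATTRS, constraints=CONSTRAINTS):
    """Unordered (R1, R2) vertical splits that cover every attribute and obey
    the constraints; id is replicated implicitly and other attributes may be
    replicated too, as in R1(id, a, b) R2(id, b, c) on the slide."""
    subsets = powerset(attrs)
    return [(r1, r2) for r1, r2 in combinations_with_replacement(subsets, 2)
            if r1 | r2 == frozenset(attrs)
            and not violates(r1, constraints) and not violates(r2, constraints)]

def workload_cost(split, workload=WORKLOAD):
    """Cost(Q1) + Cost(Q2) summed over the workload for one decomposition."""
    r1, r2 = split
    return sum(freq * (LOCAL_COST if (q <= r1 or q <= r2) else JOIN_COST)
               for q, freq in workload)

def best_decomposition(attrs=ATTRS, constraints=CONSTRAINTS, workload=WORKLOAD):
    """Cheapest constraint-obeying split for the workload: (cost, (R1, R2))."""
    best = min(decompositions(attrs, constraints),
               key=lambda s: workload_cost(s, workload))
    return workload_cost(best, workload), best

if __name__ == "__main__":
    cost, (r1, r2) = best_decomposition()
    print(f"R1(id, {', '.join(sorted(r1))})  R2(id, {', '.join(sorted(r2))})  cost = {cost}")
```

With this workload the winner is the slide's own R1(id, a, b), R2(id, b, c): replicating b lets both frequent queries run at a single provider while no provider sees all three sensitive attributes.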
14
Detection: Our Work
  • Simulatable Auditing (P)
  • k-Anonymity
    • algorithms and hardness

15
Containment: Our Work
  • Paranoid Platform for Privacy Preferences (P)
  • Entity Resolution

16
Containment
  • Trusting
    • privacy policies
  • Paranoid

17
Example: Trusting
[Diagram: alice (1) browses dealsRus's policy, (2) gives info, (3) crosses fingers]
  • Example P3P Policies
    • Current purpose: completion and support of the recurring subscription activity
    • Recipients: DealsRUs and/or entities acting as their agents or entities for whom DealsRUs are acting as an agent...

18
Example: Email
[Diagram: alice (a@z), alice's agent and dealsRus: (1) alice obtains a temporary address a12@w from her agent, (2) gives a12@w to dealsRus, (3) dealsRus sends mail To: a12@w, (4) the agent forwards it To: a@z]
19
P4P: Paranoid Platform for Privacy Preferences
Framework: Data/Control Types t1 ... tn
20
Private Information
[Diagram: taxonomy of private information]
  • sharable, accountable, no integration, control, no predicate input, limited time use, complete privacy
  • function: copy, identifier, service handle, input to predicate
  • ownership: individual, organization
21
Entity Resolution
[Diagram: two records to be resolved, e1 = (N: a, A: b, CC: c, Ph: e) and e2 = (N: a, Exp: d, Ph: e)]
  • Applications: mailing lists, customer files, counter-terrorism, ...

22
Privacy
[Diagram: Alice's records as held by Bob, each annotated 1.0: (Nm Alice, Ad 32 Fox) and (Nm Alice, Ad 32 Fox, Ph 5551212, Ad 14 Cat)]
23
Leakage
[Diagram: Alice's record held by Bob]
L = 0.6 (between 0 and 1)
24
Multi-Record Leakage
[Diagram: Alice's records held by Bob: r1 (L = 0.9), r2 (L = 0.8), r3 (L = 0.7)]
LL = 0.9 (between 0 and 1, e.g., max L)
25
Q1: Added Vulnerability?
[Diagram: p; Alice's records r1, r2, r3, r4 held by Bob]
r4 may cause Bob's records to snap together!
ΔLL = ?
26
Q2: Disinformation?
[Diagram: p; Alice's records r1, r2, r3 and r4 (lies) held by Bob]
What is the most cost-effective disinformation?
ΔLL = ?
27
Q3: Verification?
[Diagram: p; Alice; hypothesis h (0.6); r1, 0.9; r2, 0.8; r3, 0.7; ...; Bob]
What is the best fact to verify to increase confidence in the hypothesis?
28
Privacy Spectrum
  • Prevention
  • Detection
  • Containment