Could this encrypted cloud service make apps take your privacy seriously again?
March 22, 2016
Shah Sheikh (1294 articles)

Could this encrypted cloud service make apps take your privacy seriously again?

With our lives increasingly reliant on smartphones, tablets, smart meters, wearable technology and other internet-connected products, more and more of our personal data is being collected online.

But for the most part, users don’t have any indication as to what data apps and devices are collecting, let alone where that data is stored or if it’s even stored securely.

That’s why researchers at the Massachusetts Institute of Technology (MIT) and Harvard University are developing a cryptography-based service which they say would provide users with the final say on managing which applications can access their data and when it can be accessed.

Users of the application, called Sieve, would store all their personal data in an encrypted form in the cloud. Any application which wants access to data would then have to send a request to the user, and receive a key which decrypts only the specified information requested. Then, if the user wanted to revoke the app’s access, Sieve can re-encrypt data using a new cryptographic key.

Sieve represents “a rethinking of the Web infrastructure,” says Frank Wang, a PhD student in electrical engineering and computer science and one of the system’s designers, who suggests “Maybe it’s better that one person manages all their data”.

“We’re trying to present an alternative model that would be beneficial to both users and applications,” he said.

Working alongside Wang on the project are MIT associate professors of electrical engineering and computer science Nickolai Zeldovich and Vinod Vaikuntanathan. The project also involves James Mickens, an associate professor of computer science at Harvard University.

In order to ensure Sieve provides selective disclosure of data required, thee researchers had to develop practical versions of two different cryptographic techniques on the cutting-edge of the field; attribute-based encryption and key homomorphism.

When attribute-based encryption is used, the data items are assigned different labels – dubbed attributes – with secret keys deployed to unlock the required attributes, for example, it could be used to reveal a name and zip code, but not street name, or zip code and date of birth, but not name.

Meanwhile, key homomorphism crytography is what enables Sieve to revoke an app’s access to the user’s data. By using this technique, the cloud-server can re-encrypt the data stored within it without the need to decrypt it first.

According to Engin Kirda, a professor of electrical and computer engineering at Northeastern University, an application such as Sieve becoming commericially available could be useful for companies and individual users.

“Privacy is increasing in importance and the debate between Apple’s iPhone encryption and the FBI is a good example of that. I think a lot of users would appreciate having cryptographic control over their own data,” he says.

A system like Sieve could only be successful if it is adopted by app developers, but the MIT team argue that such a service could work to the advantage by making it easier to access data collected by other devices. Applications could distinguish themselves from their competitors by advertising themselves as Sieve-compliant, the researchers argue.

Source | ZDNET