-
The Role of Privacy Guarantees in Voluntary Donation of Private Health Data for Altruistic Goals
Authors:
Ruizhe Wang,
Roberta De Viti,
Aarushi Dubey,
Elissa M. Redmiles
Abstract:
The voluntary donation of private health information for altruistic purposes, such as supporting research advancements, is a common practice. However, concerns about data misuse and leakage may deter people from donating their information. Privacy Enhancement Technologies (PETs) aim to alleviate these concerns and in turn allow for safe and private data sharing. This study conducts a vignette surv…
▽ More
The voluntary donation of private health information for altruistic purposes, such as supporting research advancements, is a common practice. However, concerns about data misuse and leakage may deter people from donating their information. Privacy Enhancement Technologies (PETs) aim to alleviate these concerns and in turn allow for safe and private data sharing. This study conducts a vignette survey (N=494) with participants recruited from Prolific to examine the willingness of US-based people to donate medical data for developing new treatments under four general guarantees offered across PETs: data expiration, anonymization, purpose restriction, and access control. The study explores two mechanisms for verifying these guarantees: self-auditing and expert auditing, and controls for the impact of confounds including demographics and two types of data collectors: for-profit and non-profit institutions.
Our findings reveal that respondents hold such high expectations of privacy from non-profit entities a priori that explicitly outlining privacy protections has little impact on their overall perceptions. In contrast, offering privacy guarantees elevates respondents' expectations of privacy for for-profit entities, bringing them nearly in line with those for non-profit organizations. Further, while the technical community has suggested audits as a mechanism to increase trust in PET guarantees, we observe limited effect from transparency about such audits. We emphasize the risks associated with these findings and underscore the critical need for future interdisciplinary research efforts to bridge the gap between the technical community's and end-users' perceptions regarding the effectiveness of auditing PETs.
△ Less
Submitted 5 February, 2025; v1 submitted 3 July, 2024;
originally announced July 2024.
-
ProLoc: Robust Location Proofs in Hindsight
Authors:
Roberta De Viti,
Pierfrancesco Ingo,
Isaac Sheff,
Peter Druschel,
Deepak Garg
Abstract:
Many online services rely on self-reported locations of user devices like smartphones. To mitigate harm from falsified self-reported locations, the literature has proposed location proof services (LPSs), which provide proof of a device's location by corroborating its self-reported location using short-range radio contacts with either trusted infrastructure or nearby devices that also report their…
▽ More
Many online services rely on self-reported locations of user devices like smartphones. To mitigate harm from falsified self-reported locations, the literature has proposed location proof services (LPSs), which provide proof of a device's location by corroborating its self-reported location using short-range radio contacts with either trusted infrastructure or nearby devices that also report their locations. This paper presents ProLoc, a new LPS that extends prior work in two ways. First, ProLoc relaxes prior work's proofs that a device was at a given location to proofs that a device was within distance "d" of a given location. We argue that these weaker proofs, which we call "region proofs", are important because (i) region proofs can be constructed with few requirements on device reporting behavior as opposed to precise location proofs, and (ii) a quantitative bound on a device's distance from a known epicenter is useful for many applications. For example, in the context of citizen reporting near an unexpected event (earthquake, violent protest, etc.), knowing the verified distances of the reporting devices from the event's epicenter would be valuable for ranking the reports by relevance or flagging fake reports. Second, ProLoc includes a novel mechanism to prevent collusion attacks where a set of attacker-controlled devices corroborate each others' false locations. Ours is the first mechanism that does not need additional infrastructure to handle attacks with made-up devices, which an attacker can create in any number at any location without any cost. For this, we rely on a variant of TrustRank applied to the self-reported trajectories and encounters of devices. Our goal is to prevent retroactive attacks where the adversary cannot predict ahead of time which fake location it will want to report, which is the case for the reporting of unexpected events.
△ Less
Submitted 4 April, 2024;
originally announced April 2024.
-
HotOS XIX Panel Report: Panel on Future of Reproduction and Replication of Systems Research
Authors:
Roberta De Viti,
Solal Pirelli,
Vaastav Anand
Abstract:
At HotOS XIX (2023), we organized a panel to discuss the future of reproducibility and replication in systems research. In this document, we highlight the key points and themes that were discussed in the panel and summarize the various opinions shared by both the panelists as well as the HotOS attendees.
At HotOS XIX (2023), we organized a panel to discuss the future of reproducibility and replication in systems research. In this document, we highlight the key points and themes that were discussed in the panel and summarize the various opinions shared by both the panelists as well as the HotOS attendees.
△ Less
Submitted 8 August, 2023;
originally announced August 2023.
-
CoVault: A Secure Analytics Platform
Authors:
Roberta De Viti,
Isaac Sheff,
Noemi Glaeser,
Baltasar Dinis,
Rodrigo Rodrigues,
Bobby Bhattacharjee,
Anwar Hithnawi,
Deepak Garg,
Peter Druschel
Abstract:
Analytics on personal data, such as individuals' mobility, financial, and health data can be of significant benefit to society. Such data is already collected by smartphones, apps and services today, but liberal societies have so far refrained from making it available for large-scale analytics. Arguably, this is due at least in part to the lack of an analytics platform that can secure data through…
▽ More
Analytics on personal data, such as individuals' mobility, financial, and health data can be of significant benefit to society. Such data is already collected by smartphones, apps and services today, but liberal societies have so far refrained from making it available for large-scale analytics. Arguably, this is due at least in part to the lack of an analytics platform that can secure data through transparent, technical means (ideally with decentralized trust), enforce source policies, handle millions of distinct data sources, and run queries on billions of records with acceptable query latencies. To bridge this gap, we present an analytics platform called CoVault which combines secure multi-party computation (MPC) with trusted execution environment (TEE)-based delegation of trust to be able execute approved queries on encrypted data contributed by individuals within a datacenter to achieve the above properties. We show that CoVault scales well despite the high cost of MPC. For example, CoVault can process data relevant to epidemic analytics for a country of 80M people (about 11.85B data records/day) on a continuous basis using a core pair for every 20,000 people. Compared to a state-of-the-art MPC-based platform, CoVault can process queries between 7 to over 100 times faster, as well as scale to many sources and big data.
△ Less
Submitted 22 January, 2024; v1 submitted 7 August, 2022;
originally announced August 2022.
-
Pacer: Comprehensive Network Side-Channel Mitigation in the Cloud
Authors:
Aastha Mehta,
Mohamed Alzayat,
Roberta de Viti,
Björn B. Brandenburg,
Peter Druschel,
Deepak Garg
Abstract:
Network side channels (NSCs) leak secrets through packet timing and packet sizes. They are of particular concern in public IaaS Clouds, where any tenant may be able to colocate and indirectly observe a victim's traffic shape. We present Pacer, the first system that eliminates NSC leaks in public IaaS Clouds end-to-end. It builds on the principled technique of shaping guest traffic outside the gues…
▽ More
Network side channels (NSCs) leak secrets through packet timing and packet sizes. They are of particular concern in public IaaS Clouds, where any tenant may be able to colocate and indirectly observe a victim's traffic shape. We present Pacer, the first system that eliminates NSC leaks in public IaaS Clouds end-to-end. It builds on the principled technique of shaping guest traffic outside the guest to make the traffic shape independent of secrets by design. However, Pacer also addresses important concerns that have not been considered in prior work -- it prevents internal side-channel leaks from affecting reshaped traffic, and it respects network flow control, congestion control and loss recovery signals. Pacer is implemented as a paravirtualizing extension to the host hypervisor, requiring modest changes to the hypervisor and the guest kernel, and only optional, minimal changes to applications. We present Pacer's key abstraction of a cloaked tunnel, describe its design and implementation, prove the security of important design aspects through a formal model, and show through an experimental evaluation that Pacer imposes moderate overheads on bandwidth, client latency, and server throughput, while thwarting attacks based on state-of-the-art CNN classifiers.
△ Less
Submitted 17 February, 2022; v1 submitted 30 August, 2019;
originally announced August 2019.
