DOI: 10.1145/2699343.2699357
Research article

Policy-Carrying Data: A Privacy Abstraction for Attaching Terms of Service to Mobile Data

Published: 12 February 2015

Abstract

Despite decades of work on privacy-protecting systems, mobile user privacy remains at the mercy of cloud service providers. This paper proposes a different approach -- let users attach Terms of Service (ToS) to their data before uploading it to the cloud. We propose an abstraction, called policy-carrying data (PCD), that lets users specify and attach ToS to their data. PCD guarantees that cloud providers claim they are compliant with the ToS policy before they are able to access the data. To offer this guarantee, PCD relies on attribute-based encryption. We present PCD's semantics, its properties, and describe how PCD can be added to JSON or REST. Our hope is that PCD opens a different research path -- designing privacy abstractions that provide legal ammunition for mobile users against misuse of their data.



Published In

HotMobile '15: Proceedings of the 16th International Workshop on Mobile Computing Systems and Applications
February 2015, 152 pages
ISBN: 9781450333917
DOI: 10.1145/2699343

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. attribute-based encryption
  2. policy-carrying data
  3. privacy
  4. privacy policy
  5. terms of service

Qualifiers

  • Research-article

Conference

HotMobile '15

Acceptance Rates

HotMobile '15 paper acceptance rate: 23 of 85 submissions, 27%
Overall acceptance rate: 96 of 345 submissions, 28%


Article Metrics

  • Downloads (last 12 months): 10
  • Downloads (last 6 weeks): 1
Reflects downloads up to 09 Nov 2024

Cited By

  • Implementing GDPR for mobile and ubiquitous computing. Proceedings of the 23rd Annual International Workshop on Mobile Computing Systems and Applications, pp. 88-94, 2022. DOI: 10.1145/3508396.3512880 (online publication date: 9 Mar 2022)
  • Policies to Regulate Distributed Data Exchange. In: Auswirkungen des Meeresspiegelanstiegs auf maritime Grenzen, pp. 146-161, 2019. DOI: 10.1007/978-3-030-17294-7_11 (online publication date: 4 Apr 2019)
  • Fine-Grained Access Control via Policy-Carrying Data. ACM Transactions on Internet Technology 18(3), pp. 1-24, 2018. DOI: 10.1145/3133324 (online publication date: 5 Feb 2018)
  • The Handling of Personal Information in Mobile Games. Advances in Computer Entertainment Technology, pp. 415-429, 2018. DOI: 10.1007/978-3-319-76270-8_29 (online publication date: 21 Feb 2018)
  • Heimdall. Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services, pp. 453-463, 2017. DOI: 10.1145/3081333.3081334 (online publication date: 16 Jun 2017)
  • DASS: A Web-Based Fine-Grained Data Access System for Smartphones. 2017 IEEE International Conference on Smart Cloud (SmartCloud), pp. 238-243, 2017. DOI: 10.1109/SmartCloud.2017.45 (online publication date: Nov 2017)
  • A Privacy-Protection Data Separation Approach for Fine-Grained Data Access Management. 2017 IEEE International Conference on Smart Cloud (SmartCloud), pp. 84-89, 2017. DOI: 10.1109/SmartCloud.2017.20 (online publication date: Nov 2017)
  • Towards a Distributed Data-Sharing Economy. Coordination, Organizations, Institutions, and Norms in Agent Systems XII, pp. 3-21, 2017. DOI: 10.1007/978-3-319-66595-5_1 (online publication date: 30 Aug 2017)
  • Policy-Carrying Data: A Step Towards Transparent Data Sharing. Procedia Computer Science 52, pp. 59-66, 2015. DOI: 10.1016/j.procs.2015.05.020
