Prochlo: Strong Privacy for Analytics in the Crowd

The large-scale monitoring of computer users' software activities has become commonplace, e.g., for application telemetry, error reporting, or demographic profiling. This paper describes a principled systems architecture---Encode, Shuffle, Analyze (ESA)---for performing such monitoring with high utility while also protecting user privacy. The ESA design, and its Prochlo implementation, are informed by our practical experiences with an existing, large deployment of privacy-preserving software monitoring. (cont.; see the paper

Bridging policy, regulation and practice? A techno-legal analysis of three types of data in the GDPR

The paper aims to determine how the General Data Protection Regulation (GDPR) could be read in harmony with Article 29 Working Party’s Opinion on anonymisation techniques. To this end, based on an interdisciplinary methodology, a common terminology to capture the novel elements enshrined in the GDPR is built, and, a series of key concepts (i.e. sanitisation techniques, contextual controls, local linkability, global linkability, domain linkability) followed by a set of definitions for three types of data emerging from the GDPR are introduced. Importantly, two initial assumptions are made: 1) the notion of identifiability (i.e. being identified or identifiable) is used consistently across the GDPR (e.g. Article 4 and Recital 26); 2) the Opinion on Anonymisation Techniques is still good guidance as regards the classification of re-identification risks and the description of sanitisation techniques. It is suggested that even if these two premises seem to lead to an over-restrictive approach, this holds true as long as contextual controls are not combined with sanitisation techniques. Yet, contextual controls have been conceived as complementary to sanitisation techniques by the drafters of the GDPR. The paper concludes that the GDPR is compatible with a risk-based approach when contextual controls are combined with sanitisation techniques

Guess my vote : a study of opacity and information flow in voting systems

With an overall theme of information flow, this thesis has two main strands. In the first part of the thesis, I review existing information flow properties, highlighting a recent definition known as opacity [25]. Intuitively, a predicate cP is opaque if for every run in which cP is true, there exists an indistinguishable run in which it is false, where a run can be regarded as a sequence of events. Hence, the observer is never able to establish the truth of cPo The predicate cP can be defined according to requirements of the system, giving opacity a great deal of flexibility and versatility. Opacity is then studied in relation to several well-known definitions for information flow. As will be shown, several of these properties can be cast as variations of opacity, while others have a relationship by implication with the opacity property [139]. This demonstrates the flexibility of opacity, at the same time establishing its distinct character. In the second part of the thesis, I investigate information flow in voting systems. Pret a Voter [36] is the main exemplar, and is compared to other schemes in the case study. I first analyse information flow in Pret a Voter and the FOO scheme [59], concentrating on the core protocols. The aim is to investigate the security requirements of each scheme, and the extent to which they can be captured using opacity. I then discuss a systems-based analysis of Pret a Voter [163], which adapts and extends an earlier analysis of the Chaum [35] and Neff [131]' [132]' [133] schemes in [92]. Although this analysis has identified several potential vulnerabilities, it cannot be regarded as systematic, and a more rigorous approach may be necessary. It is possible that a combination of the information flow and systems- based analyses might be the answer. The analysis of coercion-resistance, which is performed on Pret a Voter and the FOO scheme, may exemplify this more systematic approach. Receipt-freeness usually means that the voter is unable to construct a proof of her vote. Coercion-resistance is a stronger property in that it accounts for the possibility of interaction between the coercer and the voter during protocol execution. It appears that the opacity property is ideally suited to expressing the requirements for coercion-resistance in each scheme. A formal definition of receipt-freeness cast as a variation of opacity is proposed [138], together with suggestions on how it might be reinforced to capture coercion-resistance. In total, the thesis demonstrates the remarkable flexibility of opacity, both in expressing differing security requirements and as a tool for security analysis. This work lays the groundwork for future enhancement of the opacity framework.EThOS - Electronic Theses Online ServiceDSTL : EPSRCGBUnited Kingdo