At the recently concluded SIGMOD conference in Scottsdale, AZ (the premier conference for database-related research), Microsoft Research and Cornell University presented a research paper titled MASKIT: Privately Releasing User Context Streams for Personalized Mobile Applications (PDF). The paper shows a way to release sensitive sensor data (such as location information) to the apps installed on a cellphone while protecting the privacy of the user.
In order to explore a better tradeoff between privacy and utility, we can let the user control at a fine granularity when and what context data is shared with which application. For example, a user might be okay to release when he is at lunch but he might be hesitant to release when he is at a hospital.
All cellphone platforms today provide a way to disable location data collection by apps – but Götz et al. argue in this paper that explicitly turning location data off is itself an indication that something interesting is probably happening. In fact, they claim that in more than 50% of the cases, an adversary was able to figure out what a user was up to even when the user had disabled the sensors.
Consider a user who suppresses his location when he is at a hospital. This, however, might not be sufficient: when he releases his non-sensitive context while he is driving to the hospital, the adversary can infer where he is heading. Similarly, when he releases the use of a hospital finder app, the adversary can again infer where he is heading.
Installed apps can learn user behavior by figuring out exactly when the user turns location data off – and build a behavioral model of the user. In the paper, they introduce a module that intelligently decides to either send the accurate sensor value to the app or block it completely. They do it in such a way that it becomes theoretically impossible for the app to build a model of the user’s behavior. They did quite detailed testing as well, on a PC and on a Windows Phone:
We have evaluated MASKIT on a PC as well as on a smart phone, with real public traces from 91 human subjects over the course of nine months, representing user contexts over 266,000 hours.
They found that using this privacy protecting system did not significantly reduce the utility of the apps that depend upon sensor data, while at the same time providing a theoretically proven guarantee that sensitive information will not be leaked.
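The inference problem described above (suppressing only at the hospital still leaks, because the released "driving" context and the suppression itself are informative) can be made concrete with a small model. The following is an added example, not code from the paper or its prototype: it uses a constructed Markov-chain user model, measures how much any observable output stream can raise an adversary's belief that the user is at the hospital (a simplified form of the paper's privacy condition, assuming the adversary knows both the model and the suppression policy), and searches for the suppression set with the best utility under a bound δ.

```python
from itertools import product

# Constructed toy Markov-chain user model (not the paper's data); T-step horizon.
STATES = ("home", "lunch", "road", "hospital")
START = {"home": 0.6, "lunch": 0.2, "road": 0.2, "hospital": 0.0}
TRANS = {  # TRANS[current][next]
    "home":     {"home": 0.7, "lunch": 0.1, "road": 0.2, "hospital": 0.0},
    "lunch":    {"home": 0.3, "lunch": 0.5, "road": 0.2, "hospital": 0.0},
    "road":     {"home": 0.3, "lunch": 0.2, "road": 0.2, "hospital": 0.3},
    "hospital": {"home": 0.2, "lunch": 0.0, "road": 0.3, "hospital": 0.5},
}
T = 2

def trace_prob(xs):
    """Probability that the user follows the context sequence xs."""
    p = START[xs[0]]
    for a, b in zip(xs, xs[1:]):
        p *= TRANS[a][b]
    return p

def privacy_loss(suppressed, sensitive="hospital"):
    """Worst case, over all times and observable output streams, of how far
    the adversary's posterior that the user is in the sensitive context
    exceeds the prior (adversary knows the model and the policy)."""
    prior, mass, hit = [0.0] * T, {}, {}
    for xs in product(STATES, repeat=T):
        p = trace_prob(xs)
        if p == 0.0: continue  # impossible trace: never observed
        out = tuple(None if s in suppressed else s for s in xs)  # None = suppressed
        mass[out] = mass.get(out, 0.0) + p
        for t, s in enumerate(xs):
            if s == sensitive:
                prior[t] += p
                hit[(out, t)] = hit.get((out, t), 0.0) + p
    return max((hit[(o, t)] / mass[o] - prior[t] for (o, t) in hit), default=0.0)

def expected_released(suppressed):
    """Utility: expected number of time steps whose context is released."""
    return sum(trace_prob(xs) * sum(s not in suppressed for s in xs)
               for xs in product(STATES, repeat=T))

def best_suppression_set(delta):
    """Exhaustively pick the delta-private suppression set with most utility."""
    best = None
    for bits in product((0, 1), repeat=len(STATES)):
        cand = frozenset(s for s, b in zip(STATES, bits) if b)
        if privacy_loss(cand) <= delta:
            u = expected_released(cand)
            if best is None or u > best[0]:
                best = (u, cand)
    return best[1]
```

With this model, suppressing only "hospital" lets the adversary become certain (posterior 1.0) whenever a gap follows "road", and adding "road" to the set still leaves a large gap-to-hospital correlation; the search finds that the home context must be hidden as well before a gap stops being a tell-tale.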
While this is obviously a research paper, the existence of a Windows Phone prototype gives us hope that this will eventually make its way into the operating system, which would make it one of the few platforms to deeply care about the user’s privacy. We also applaud Microsoft for taking the matter of privacy so seriously.
Michaela Götz, Suman Nath, Johannes Gehrke. MASKIT: Privately Releasing User Context Streams for Personalized Mobile Applications. In Proceedings of the 2012 ACM SIGMOD International Conference on Management of Data, pp. 289-300.