Privacy-preserving Firefox telemetry with Prio - PowerPoint PPT Presentation


  1. Privacy-preserving Firefox telemetry with Prio. Henry Corrigan-Gibbs (EPFL → MIT CSAIL). In collaboration with: Dan Boneh (Stanford), Gary Chen, Steven Englehardt, Robert Helmer, Chris Hutten-Czapski, Anthony Miyaguchi, Eric Rescorla, and Peter Saint-Andre (Mozilla)

  2. Running example: Measuring effectiveness of tracking protection

  3. Running example: Measuring effectiveness of tracking protection. Mozilla wants to know: “How many Firefox users blocked a tracking cookie from fb.com?”

  4. “58,329 Firefox users blocked an fb.com cookie.” Software vendors often answer these questions by collecting sensitive usage data directly. → Single point of failure.

  5. Single point of failure: – Theft by attackers – Abuse by malicious insiders – Snooping by governments

  6. Prio: Aggregate data without the privacy risks. C-G and Boneh (NSDI 2017) • Collect aggregate usage data without seeing any single user’s data. • New cryptography makes this system practical – Proofs on secret-shared data • Basis for Mozilla’s new privacy-preserving telemetry system – In pilot phase: enabled by default in Firefox’s “Nightly” build – Largest deployment of technology based on PCPs (probabilistically checkable proofs)

  7. Running example: Measuring effectiveness of tracking protection • There are n ≈ 2,500 domains on the tracking-protection blocklist • For each blocked domain, each user i has a bit – Bit is “1” iff user i’s browser ever blocked cookies from domain.com – These bits are sensitive: they reveal the user’s browsing history. [Figure: a table with one column per blocklisted domain (e.g. fb.com, nugg.ad, ibm.com, … up to domain n) and one bit-vector row per user 1 … N, e.g. User 1: <1 0 1 0 1 0 1 0 0 0 0 0 0 … 1>, User 2: <1 1 1 0 1 0 1 0 0 1 0 0 1 … 0>, …, User N: <0 0 0 0 1 0 1 0 0 0 0 1 0 … 0>]

  8. Running example: Measuring effectiveness of tracking protection • Mozilla wants the sum of these vectors over all users i. [Figure: the per-user bit-vector table from slide 7.]

  9. Running example: Measuring effectiveness of tracking protection • Mozilla wants the sum of these vectors over all users i. [Figure: the same table with a SUM row: 31, 91, 6, 0, 8, 29, 81, 0, 0, 88, 10, 5, 59, …, 50]

  10. Running example: Measuring effectiveness of tracking protection • Mozilla wants the sum of these vectors over all users i. [Figure: the SUM row as on slide 9, with the fb.com entry annotated “How many users blocked fb.com cookies via tracking protection”.]

  12. Running example: Measuring effectiveness of tracking protection • Mozilla wants the sum of these vectors over all users i. [Figure: the user rows are labelled x_1, x_2, …, x_N and the SUM row is labelled Σ_{i=1}^{N} x_i: 31, 91, 6, 0, 8, 29, 81, 0, 0, 88, 10, 5, 59, …, 50]

  13. Running example: Measuring effectiveness of tracking protection • Mozilla wants the sum of these vectors over all users i. [Figure: as slide 12.] We run the system many times in parallel to compute the statistics for all domains.

  14. Prio: System goals. [Figure: clients holding x_1, x_2, …, x_N submit to the servers, which output Σ_{i=1}^{N} x_i.] 1. Correctness. If clients and servers are honest, servers learn Σ_i x_i. Extension: maintain correctness in spite of server faults. 2. f-Privacy. Attacker must compromise all servers to learn more than Σ_i x_i. (Callout: “Attacker must compromise all servers to learn private data.”) Extension: differential privacy [DMNS06]. 3. Disruption resistance. The worst that a malicious client can do is lie about her input. 4. Efficiency. Handle millions of submissions per server per hour.
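As an added example (not code from the talk, the Prio paper, or Mozilla's implementation), the additive secret-sharing step behind slides 8–14: each client splits its bit-vector x_i into shares, every server adds the shares it receives, and only the partial sums are combined, so the servers learn Σ_i x_i without any single server seeing an x_i. The field prime, the two-server setting, the domain list and the user rows are my assumptions/constructed sample data.

```python
import secrets

P = 2**61 - 1    # prime field Z_p for shares (assumption: any large prime works for this sketch)
N_SERVERS = 2    # assumption: two non-colluding servers, as in the Firefox pilot described on slide 6

def share(vec, k=N_SERVERS):
    """Split a client's bit-vector x into k additive shares with share_1 + ... + share_k = x (mod p).
    Any k-1 of the shares are uniformly random, so a server that holds fewer than all of them
    learns nothing about x (the f-privacy goal: an attacker must compromise every server)."""
    assert k >= 2, "need at least two servers for the privacy property"
    rand = [[secrets.randbelow(P) for _ in vec] for _ in range(k - 1)]
    last = [(x - sum(col)) % P for x, col in zip(vec, zip(*rand))]
    return rand + [last]

def server_aggregate(received):
    """What one server does: add, coordinate-wise, the share vectors it received from every client.
    It never reconstructs any single client's vector."""
    n = len(received[0])
    return [sum(s[j] for s in received) % P for j in range(n)]

def combine(partials):
    """Servers publish only their partial sums; adding those reveals the total and nothing else."""
    n = len(partials[0])
    return [sum(p[j] for p in partials) % P for j in range(n)]

def prio_sum(client_vectors, k=N_SERVERS):
    """End-to-end: clients share, each server aggregates locally, partial sums are combined."""
    inbox = [[] for _ in range(k)]            # inbox[s] = share vectors addressed to server s
    for vec in client_vectors:
        for s, sh in enumerate(share(vec, k)):
            inbox[s].append(sh)
    return combine([server_aggregate(inbox[s]) for s in range(k)])

# Constructed sample: three of the ~2,500 blocklist domains and four users' "blocked a cookie" bits.
DOMAINS = ["fb.com", "nugg.ad", "ibm.com"]
SAMPLE_USERS = [[1, 0, 1], [1, 1, 0], [0, 0, 1], [1, 0, 0]]

def demo():
    """Per-domain counts (3 users blocked fb.com, 1 nugg.ad, 2 ibm.com) computed without any
    server seeing a single user's row. Note that plain additive aggregation does not stop a
    malicious client from sharing, say, 1000 instead of a 0/1 bit; rejecting such submissions is
    what Prio's proofs on secret-shared data (slide 6) add, and they are not implemented here."""
    return prio_sum(SAMPLE_USERS)

if __name__ == "__main__":
    print(dict(zip(DOMAINS, demo())))
```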
