Sharing private data without compromising privacy and security

With SAFE your data is yours and doesn’t belong to some megacorp.

Uses of collected user data aren’t all bad though.

If you use Google Maps you can see when a location is likely to be crowded. For a shop that might be a time you want to avoid it; for a bar that might be a good time to visit (at least in non-corona times).

Smart watches have activity trackers, pulse meters and oxygen sensors, and are starting to get blood glucose sensors. This data could be collected and analyzed to make new health discoveries, even more so if it could be combined with medical records.

IoT or smart home devices collect all kinds of useful data. If you were using SAFE, some of that data might not be very private and you could just share it publicly, such as data from a weather station showing outside temperature, wind and rain. In many cases you might be wary of just publicly sharing all your data though.

As it turns out, it may still be possible to share private data in a way that lets algorithms analyze it, without anyone being able to see the input data, only the result.

One such way is functional encryption. Functional encryption works like this: a central authority generates a private and public key pair. With the private key it can then generate a number of special secret keys, each tied to some function or algorithm. When one of these special keys is used on data encrypted with the public key, it performs that function or algorithm during the decryption process.

For example, 10 users may each send in a number. The authority creates a special secret key for the process of calculating the average of those numbers, each user encrypts their number with the public key distributed by the authority, and decrypting the ciphertexts with the special key spits out the average and nothing else.

The FENTEC project has published a bunch of interesting examples, such as machine learning on encrypted data, selective access to clinical data, and building a heatmap of user locations in a fully anonymous way.

The problem with functional encryption is that you need a trusted central authority. That central authority holds a master key which could, in theory, decrypt all the data; it is trusted to only use the master key to create new special keys for the requested computations.

In SAFE, the elders of a section form such an authority. Assuming the majority of the elders in a section are honest, they could be tasked with creating keys for some computation on encrypted data and be trusted not to decrypt/steal the whole dataset. I suppose this would be analogous to a section stealing money that it is responsible for.

It would require some kind of compute support on SAFE though.

Modified definition taken from the Wikipedia page on functional encryption.

Setup() → (pk, msk)
Keygen(msk, f) → sk
Enc(pk, x) → c
Dec(sk, c) → y

Where pk is the public key, msk is the master secret key, f is the function to be performed on the encrypted data, sk is the secret key that can be used to decrypt the data while simultaneously performing the function f on it, c is the encrypted data from each user, and y is the final decrypted data, containing the result of the computation.
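
To make the definition concrete, here’s a minimal toy sketch in Python of a DDH-based inner-product scheme (in the style of Abdalla et al.), which covers linear functions like sums and averages. The group is far too small to be secure, and a single party encrypts the whole input vector at once; per-user ciphertexts would need a multi-client variant of FE. It’s an illustration of the four algorithms above, not an implementation proposal:

```python
import random

P = 2_147_483_647   # toy prime modulus (2^31 - 1), far too small for real use
G = 7               # fixed group element used as generator for the sketch
N = 10              # number of inputs, matching the 10-user example

def setup():
    """Setup() -> (pk, msk): one secret exponent per input slot."""
    msk = [random.randrange(1, P - 1) for _ in range(N)]
    pk = [pow(G, s, P) for s in msk]
    return pk, msk

def keygen(msk, y):
    """Keygen(msk, f) -> sk, where f is 'inner product with the vector y'.
    For an average, y = (1, ..., 1) and the caller divides by N."""
    return sum(s * yi for s, yi in zip(msk, y)) % (P - 1)

def enc(pk, x):
    """Enc(pk, x) -> c: encrypt the whole input vector x."""
    r = random.randrange(1, P - 1)
    c0 = pow(G, r, P)
    cs = [(pow(h, r, P) * pow(G, xi, P)) % P for h, xi in zip(pk, x)]
    return c0, cs

def dec(sk, c, y, max_result=10_000):
    """Dec(sk, c) -> <x, y>. The result comes out 'in the exponent', so it
    is recovered by brute-force discrete log and must stay small."""
    c0, cs = c
    num = 1
    for ci, yi in zip(cs, y):
        num = (num * pow(ci, yi, P)) % P
    g_ip = (num * pow(pow(c0, sk, P), -1, P)) % P   # equals G^<x, y>
    for v in range(max_result + 1):
        if pow(G, v, P) == g_ip:
            return v
    raise ValueError("result out of range")

pk, msk = setup()
numbers = [4, 8, 15, 16, 23, 42, 7, 9, 12, 30]   # the users' inputs
y = [1] * N                                      # function: sum of all inputs
sk = keygen(msk, y)
average = dec(sk, enc(pk, numbers), y) / N
print(average)   # 16.6 -- the key reveals the average, nothing else
```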

The steps that would need to be performed by the elders of a section are Setup and Keygen. Ideally Setup would be what the elders have already done: setting up a BLS key where each elder holds one share of the multisig private key. In that case a way would need to be found to use BLS keys in the rest of the steps.
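
For the toy inner-product scheme above, distributed Keygen is actually straightforward, because the functional key is linear in msk: each elder can hold just an additive share of the master secret and hand out a partial key, and anyone can sum the partial keys. This sketch uses simple n-of-n additive sharing as a stand-in for the actual BLS threshold keys, purely to keep the illustration short:

```python
import random

P = 2_147_483_647   # same toy group as in the previous sketch
G = 7
N = 10
NUM_ELDERS = 7

def elder_setup():
    """Each elder samples a private share of the master secret; the public
    key is assembled from the elders' public parts, so the full msk is
    never materialized anywhere."""
    shares = [[random.randrange(1, P - 1) for _ in range(N)]
              for _ in range(NUM_ELDERS)]
    pk = []
    for i in range(N):
        h = 1
        for share in shares:
            h = (h * pow(G, share[i], P)) % P   # G^(sum of elder shares)
        pk.append(h)
    return pk, shares

def partial_keygen(share, y):
    """One elder's contribution to the functional key for the vector y."""
    return sum(s * yi for s, yi in zip(share, y)) % (P - 1)

def combine(partials):
    """Summing the contributions yields the same sk that keygen(msk, y)
    would have produced from the full master secret."""
    return sum(partials) % (P - 1)

pk, shares = elder_setup()
y = [1] * N
sk = combine([partial_keygen(share, y) for share in shares])
# sk equals <msk, y> even though no single elder ever saw msk.
```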

The key sk returned by Keygen could then either be published publicly, or kept private in cases where, for example, a data marketplace pays all the users contributing the data and anyone who wants to access the result has to pay for it (though anyone could in theory choose to post the result publicly).

Evaluating the results could be done by clients or by adults in a section. The main point is that no single elder in a section would be able to decrypt the data encrypted by the users; all, or a majority of, the elders would have to collude for that.

Getting something like this production ready would need lots of research and development and is, at minimum, years away. The SAFE Network itself should only need the general compute abilities already planned for later, plus some kind of API access to section keys; that last part might need to be implemented as a feature specific to functional encryption.

4 Likes

Search for @aboynejames on the forum and you should find a video demo where he dies something similar to what you describe: for example, decentralised opt in, privacy respecting science using data from personal activity monitors.

I think there’s significant activity going on in that area although I haven’t kept track of it lately.

1 Like

It’s not just for science though.

A lot of features of many popular apps today are only possible because the app/service creators can hoard and analyze all the users’ data. With functional encryption you could have the same features in SAFE apps, but without compromising the privacy of the users. We’ll see how much these features are missed once SAFE apps start popping up though.

2 Likes

The Google Maps features that a Safe Maps application would be missing without analyzing private location data are real-time traffic information, which places are popular at what times, and how much time people spend on average at a location.

I’d probably miss Street View more though; I guess we’ll have to wait until AR glasses get popular for that. It remains to be seen whether that could be constructed solely from public data, but I suspect not.

snuff videos?? :rofl: :stuck_out_tongue_winking_eye:

I know you meant “does”, but couldn’t resist

4 Likes

One issue I can see: if someone created a maps app, you obviously have to enable writing of data to third-party objects, and the app could then also send information about someone being in one place for long durations. From that you could deduce and link datasets.

I also think it will be essential to educate people on how to choose apps that have audit reports and/or are open source, stating that such private info is not being leaked. Associated with that is some sort of value system that rates an app on its privacy.

I say this because, even with the above, if an anonymous person’s location data is stored somewhere, it’s possible to link all the datasets together with a very high success rate.

1 Like

If using functional encryption though, the app could encrypt the location data of users with a public key tied to a function that checks the input contains a minimum of, for example, 100 users. For real-time traffic information, the decrypted output would then be an aggregated heatmap on top of road locations, showing where there is lots of traffic at a given time, but not the individual data of any single user. Nobody would see things like a path from some person’s home to some location and be able to guess who the user is.
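
In plain Python, the function such a key would be bound to could look something like this (the threshold and grid size are assumptions, and in a real deployment this logic would be enforced by the functional key itself rather than run on plaintext like here):

```python
from collections import Counter

MIN_USERS = 100     # assumed minimum crowd size before anything is revealed
CELL_SIZE = 0.01    # assumed grid resolution in degrees

def traffic_heatmap(locations):
    """locations: a list of (lat, lon) tuples, one per user. Returns
    per-cell counts, or None if there are too few users to stay anonymous."""
    if len(locations) < MIN_USERS:
        return None   # below the threshold: reveal nothing at all
    cells = Counter(
        (round(lat / CELL_SIZE), round(lon / CELL_SIZE))
        for lat, lon in locations
    )
    # Only aggregate counts leave the function -- never individual paths.
    return dict(cells)
```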

As you say, it would be essential to educate users on how to choose safe apps though. For downloadable apps, some kind of app store could display whether an app has an audit report and a privacy rating, maybe only allowing audited apps that have been shown to have proper privacy.

Yes, that is how I understood what you were getting at.

My only point was that Google could still come in using that method and still aggregate data on individuals, using such things as locations where large amounts of time are spent, even if the data comes in with multiple IDs (key pairs) for the one person. This is where trust in an app is important.

Really, whatever way we make apps less intrusive, we also, in my opinion, need some sort of education program. Maybe a “Getting started with the Safe Network” app packaged with the browser download. Anyone want to run with this? It would be a good little project to put together an educational guide that doesn’t sound like an educational guide, for people new to the Safe Network.

True.

Since someone can create mutable data and pay for updates to that data, I’m sure some app developers will try to use this to get users to share their actual individual data with them too. They may try to own user data by paying for and setting up the initial mutable data themselves, which is then shared with the user; the user gets to use the app for free in return for selling their data to the app developer.

Maybe showing something like the green padlock on HTTPS pages for privacy-vetted apps could work. That could also be a standard in the browser: you’d enter the URL of the app-vetting service in the settings, and when you enter some URL in the browser it would try to fetch something like safe://vettingservice/hashofcurrenturl to check whether there’s a JSON file there saying if the current URL has been vetted and to what level.
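
A rough sketch of that browser-side lookup; safe_fetch is a hypothetical stand-in for whatever fetch API the Safe browser ends up exposing, and the JSON format is equally made up:

```python
import hashlib
import json

VETTING_SERVICE = "safe://vettingservice"   # set by the user in browser settings

def safe_fetch(url):
    """Hypothetical stand-in for the Safe browser's fetch API."""
    raise FileNotFoundError(url)            # stub: no vetting record found

def check_vetting(app_url):
    """Look up safe://vettingservice/<hash of app_url> and return the
    vetting record, or a 'not vetted' result if none exists."""
    url_hash = hashlib.sha3_256(app_url.encode()).hexdigest()
    try:
        raw = safe_fetch(f"{VETTING_SERVICE}/{url_hash}")
    except FileNotFoundError:
        return {"vetted": False, "level": None}
    return json.loads(raw)   # e.g. {"vetted": true, "level": "full-audit"}

print(check_vetting("safe://some-maps-app"))   # {'vetted': False, 'level': None}
```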

3 Likes

App curation will be critical. I see three categories of app in a ‘Safe Store’. These would be:

  1. Safe
  2. Unsafe
  3. Testing

This is analogous to the Debian model of free vs. non-free vs. contrib.

1 Like

Honestly I would prefer to see a list of standard things making up the “Safe App”. For example, when third-party storing is given permission:

  • Releasing data to a third party (multiple entries possible, except for None):
    • None
    • Anonymous (statistical-style data only)
    • Requests permission in the app itself (e.g. presents a profile to fill in) to collect personally identifying data (including general map location, even if anonymous). This would be for stores that require things like delivery addresses.
      • This is not referring to the app permission settings.
      • A list of what types of data are stored, and whether there is a valid reason.
    • Stores private data without stating that it does, or what it is used for.

Basically a breakdown of what is happening to the data. The shopping app will need to obtain personal information so the item can be paid for and delivered, even if it is only a safemail box. A Google-style maps app would show that it is scraping your personal info for its own purposes, but the maps app @intrz suggests would show as Safe, with the info that only statistical traffic data is being sent to a third-party/public data store.
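
One way that breakdown could be encoded as a machine-readable manifest shipped with the app (all names and fields here are invented for illustration):

```python
from dataclasses import dataclass, field
from enum import Enum

class ThirdPartyRelease(Enum):
    NONE = "none"                       # releases no data at all
    ANONYMOUS = "anonymous"             # statistical-style data only
    DECLARED_PERSONAL = "declared"      # asks in-app and lists what and why
    UNDECLARED_PERSONAL = "undeclared"  # stores private data without saying

@dataclass
class DataDisclosure:
    release: ThirdPartyRelease
    stored_types: list = field(default_factory=list)
    stated_purpose: str = ""

# A shopping app that declares what it collects and why:
shop_app = DataDisclosure(
    release=ThirdPartyRelease.DECLARED_PERSONAL,
    stored_types=["name", "delivery address"],
    stated_purpose="payment and delivery",
)
```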

3 Likes

So I suppose a message saying whether or not the specific version of an app has been vetted as doing what it says should show up in the box requesting permission.

If the app, or the specific version of the app, hasn’t been vetted by the community as doing what it claims to do, there should be a warning message, something like:

“Warning! The app is requesting access to your data. This app has not been vetted and may use your data for other purposes than it claims.”

For a Maps app, the vetting may only need to be done on the parts that compute statistics from user data, to check that it cannot copy the location data of individual users. That part could be a library, and as long as the app refers to the library by the XOR address of the vetted version, there’s no need to display a warning if any other parts of the app changed.
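
Something like this per-library check is all the permission prompt would need (the addresses and manifest format are made up):

```python
# Hypothetical registry of audited libraries, keyed by XOR address.
VETTED_LIBRARIES = {
    "8f3a9c...": "maps-stats-lib v1.2 (aggregation code audited)",
}

def needs_warning(app_manifest):
    """app_manifest maps a purpose to the XOR address of the library used,
    e.g. {"user-data-statistics": "8f3a9c..."}."""
    stats_lib = app_manifest.get("user-data-statistics")
    return stats_lib not in VETTED_LIBRARIES

print(needs_warning({"user-data-statistics": "8f3a9c..."}))  # False: vetted
print(needs_warning({"user-data-statistics": "deadbf..."}))  # True: warn
```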

In cases where the app requests access to non-anonymous data, there’s no guarantee that the app developer doesn’t copy the data and use it for some other purpose. This should also be clearly stated to the user, shown together with the data that will be shared, so that the user knows exactly what data is being shared.

2 Likes