Author(s):
- Hossein Shafagh
- Anwar Hithnawi
Abstract:
The emergence of a plethora of wearables and sensing technologies has enabled non-intrusive digitization of our daily physical activities. Emerging applications utilize such data to make inferences about our physiological and health states, provide health diagnosis, and contribute to wellbeing improvements. The common approach for such applications is to collect data, either using mobile applications or special hardware, e.g., wearables, and store them on a third party storage provider. This results in many unconnected data silos of self-quantification data. Researchers and industry, advocate for a common personal storage space, to conquer the myriad of small chunks of data, deemed to be lost/forgotten in the long term. The benefits of such co-located personal data are tremendous, specifically with regards to personalized medicine, treatment, and health care. However, the centralized storage of data exacerbates the privacy and security concerns that the IoT ecosystem is facing today. In this position paper, we advocate the necessity of privacy and security guarantees for the paradigm of co-located storage of personal health data. We envision two core security functionalities: true end-to-end encryption, such that only encrypted data is stored in the cloud and secure sharing of encrypted data, without disclosing data owner’s secret keys. We discuss the challenges in adopting such an end-to-end encryption paradigm while preserving the cloud’s basic processing functionalities over encrypted data and how to cryptographically enforce access control.
Documentation: https://doi.org/10.1145/3097620.3097625
References:
- 2016. Ava: Fertility Tracking Bracelet. avawomen.com. (2016).
- 2016. Clue: Period/Ovulation Tracker. helloclue.com. (2016).
- 2016. Empatica. empatica.com. (2016).
- 2016. Femometer: Fertility Tracker. femometer.com. (2016).
- 2016. Keybase. keybase.io. (2016).
- Hassan Jameel Asghar, Luca Melis, Cyril Soldani, Emiliano De Cristofaro, Mohamed Ali Kaafar, and Laurent Mathy. 2016. SplitBox: Toward Efficient Private Network Function Virtualization. In Workshop on HotMiddlebox.
- Giuseppe Ateniese, Kevin Fu, Matthew Green, and Susan Hohenberger. 2005. Improved Proxy Re-encryption Schemes with Applications to Secure Distributed Storage. In NDSS.
- Summet Bajaj and Radu Sion. 2011. TrustedDB: A Trusted Hardware-Based Database with Privacy and Data Confidentiality. In ACM SIGMOD.
- Mario Ballano Barcena, Candid Wueest, and Hon Lau. 2014. How safe is your quantified self? Technical Report. Symantec.
- Liliana Barrios and Wilhelm Kleiminger. 2017. The Comfstat ? Automatically Sensing Thermal Comfort for Smart Thermostats. In PerCom.
- Matt Blaze, Gerrit Bleumer, and Martin Strauss. 1998. Divertible Protocols and Atomic Proxy Cryptography. In EUROCRYPT.
- Dan Boneh and Matthew K. Franklin. 2001. Identity-Based Encryption from the Weil Pairing. In CRYPTO.
- Dan Boneh, Craig Gentry, Shai Halevi, Frank Wang, and David J. Wu. 2013. Private Database Queries Using Somewhat Homomorphic Encryption. In Applied Cryptography and Network Security (ACNS).
- Dan Boneh, Kevin Lewi, Hart William Montgomery, and Ananth Raghunathan. 2013. Key Homomorphic PRFs and Their Applications. In CRYPTO.
- Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. 2012. (Leveled) Fully Homomorphic Encryption Without Bootstrapping. In Innovations in Theoretical CS Conference.
- Stuart Dredge. 2013. Yes, those Free Health Apps are Sharing your Data with other Companies. Guardian, Online: theguardian.com/technology/appsblog/2013/sep/03/fitness-health-apps-sharing-data-insurance. (2013).
- Deborah Estrin and Ida Sim. 2010. Open mHealth Architecture: an Engine for Health Care Innovation. Science 330, 6005 (2010), 759–760.
- Maurizio Garbarino, Matteo Lai, Dan Bender, Rosalind W Picard, and Simone Tognetti. 2014. Empatica E3 – A wearable wireless multi-sensor device for real-time computerized biofeedback and data acquisition. In Mobihealth.
- Craig Gentry. 2009. Fully Homomorphic Encryption Using Ideal Lattices. In ACM Symposium on Theory of Computing (STOC).
- Ben Greenstein, Damon McCoy, Jeffrey Pang, Tadayoshi Kohno, Srinivasan Seshan, and David Wetherall. 2008. Improving Wireless Privacy with an Identifier-free Link Layer Protocol. In MobiSys.
- Anwar Hithnawi, Hossein Shafagh, and Simon Duquennoy. 2015. TIIM: Technology-Independent Interference Mitigation for Low-power Wireless Networks. In ACM Conference on Information Processing in Sensor Networks (IPSN).
- Mohammad Saiful Islam, Mehmet Kuzu, and Murat Kantarcioglu. 2012. Access Pattern Disclosure on Searchable Encryption: Ramification, Attack and Mitigation. In NDSS.
- Sriram Keelveedhi, Mihir Bellare, and Thomas Ristenpart. 2013. DupLESS: Server-Aided Encryption for Deduplicated Storage. In USENIX Security.
- David Lazar and Nickolai Zeldovich. 2016. Alpenhorn: Bootstrapping Secure Communication Without Leaking Metadata (USENIX OSDI).
- Kevin Lewi and David J Wu. 2016. Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds. In ACM CCS.
- Torsten Lodderstedt, Mark McGloin, and Phil Hunt. 2013. OAuth 2.0 Threat Model and Security Considerations. IETF, RFC 6819 (January 2013).
- Adriana López-Alt, Eran Tromer, and Vinod Vaikuntanathan. 2012. On-the-fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. In ACM STOC.
- Muhammad Naveed, Seny Kamara, and Charles V. Wright. 2015. Inference Attacks on Property-Preserving Encrypted Databases. In CCS.
- Valeria Nikolaenko, Udi Weinsberg, Stratis Ioannidis, Marc Joye, Dan Boneh, and Nina Taft. 2013. Privacy-Preserving Ridge Regression on Hundreds of Millions of Records. In IEEE Symposium on Security and Privacy.
- Pascal Paillier. 1999. Public-key Cryptosystems Based on Composite Degree Residuosity Classes.. In EUROCRYPT.
- Antonis Papadimitriou, Ranjita Bhagwan, Nishanth Chandran, Ramachandran Ramjee, Andreas Haeberlen, Harmeet Singh, Abhishek Modi, and Saikrishna Badrinarayanan. 2016. Big Data Analytics over Encrypted Datasets with Seabed. In USENIX OSDI.
- Raluca Ada Popa, Frank H. Li, and Nickolai Zeldovich. 2013. An Ideal-Security Protocol for Order-Preserving Encoding. In IEEE Symposium on Security and Privacy.
- Raluca Ada Popa, Catherine Redfield, Nickolai Zeldovich, and Hari Balakrishnan. 2011. CryptDB: Protecting Confidentiality with Encrypted Query Processing. In ACM SOSP.
- Raluca Ada Popa, Emily Stark, Jonas Helfer, Steven Valdez, Nickolai Zeldovich, M. Frans Kaashoek, and Hari Balakrishnan. 2014. Building Web Applications on Top of Encrypted Data Using Mylar. In USENIX NSDI.
- Ling Ren, Christopher Fletcher, Albert Kwon, Emil Stefanov, Elaine Shi, Marten van Dijk, and Srinivas Devadas. 2015. Constants Count: Practical Improvements to Oblivious RAM. In USENIX Security.
- Tahmineh Sanamrad, Lucas Braun, Donald Kossmann, and Ramarathnam Venkatesan. 2014. Randomly Partitioned Encryption for Cloud Databases. In DBSec.
- Hossein Shafagh, Lukas Burkhalter, and Anwar Hithnawi. 2016. Demo Abstract: Talos a Platform for Processing Encrypted IoT Data. In ACM SenSys.
- Hossein Shafagh, Anwar Hithnawi, Andreas Dröscher, Simon Duquennoy, and Wen Hu. 2015. Talos: Encrypted Query Processing for the Internet of Things. In ACM SenSys.
- Justine Sherry, Chang Lan, Raluca Ada Popa, and Sylvia Ratnasamy. 2015. Blind-Box: Deep Packet Inspection over Encrypted Traffic. In ACM SIGCOMM.
- E. Shi, J. Bethencourt, T.-H.H. Chan, D. Song, and A. Perrig. 2007. MultiDimensional Range Query over Encrypted Data. In IEEE Symposium on Security and Privacy.
- Elaine Shi, Richard Chow, T-H. Hubert Chan, Dawn Song, and Eleanor Rieffel. 2011. Privacy-preserving Aggregation of Time-series Data. In NDSS.
- D. X. Song, D. Wagner, and A. Perrig. 2000. Practical Techniques for Searches on Encrypted Data. In IEEE Security and Privacy.
- Adam Tanne. 2016. For Sale: Your Medical Records. In Nature. 26–27.
- Stephen Tu, M. Frans Kaashoek, Samuel Madden, and Nickolai Zeldovich. 2013. Processing Analytical Queries Over Encrypted Data. In VLDB.
- Frank Wang, James Mickens, Nickolai Zeldovich, and Vinod Vaikuntanathan. 2016. Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds. In USENIX NSDI.
- Andrew C. Yao. 1982. Protocols for Secure Computations. In Symposium on Foundations of Computer Science. 160–164.