Data Collection with Self-Enforcing Privacy
- Philippe Golle ,
- Frank McSherry ,
- Ilya Mironov
ACM Trans. Inf. Syst. Secur., Special Issue on Computer and Communications Security | , Vol 12
Consider a pollster who wishes to collect private, sensitive data from a number of distrustful individuals. How might the pollster convince the respondents that it is trustworthy? Alternately, what mechanism could the respondents insist upon to ensure that mismanagement of their data is detectable and publicly demonstrable?
We detail this problem, and provide simple data submission protocols with the properties that a) leakage of private data by the pollster results in evidence of the transgression and b) the evidence cannot be fabricated without breaking cryptographic assumptions. With such guarantees, a responsible pollster could post a “privacy-bond,” forfeited to anyone who can provide evidence of leakage. The respondents are assured that appropriate penalties are applied to a leaky pollster, while the protection from spurious indictment ensures that any honest pollster has no disincentive to participate in such a scheme.
Permission to make digital or hard copies of part or all of this work for personal or classroomuse is granted without fee provided that copies are not made or distributed for proï¬t or direct commercial advantage and that copies show this notice on the ï¬rst page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credits is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior speciï¬c permission and/or a fee. Permissions may be requested from the Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212) 869-0481, or permission@acm.org.(c) 2008 ACM 1094-9224/2008/12-ART9 $5.00 DOI: 10.1145/1455518.1455521.