Protecting Sensitive User Data in Web Services

  • Frank Wang | MIT CSAIL

Web services like Google, Facebook, and Dropbox are now an essential part of people’s lives. In order to provide value to users, these services collect, store, and analyze large amounts of their users’ sensitive data. However, once the user provides her information to the web service, she loses control over how the application manipulates that data. For example, a user cannot control where the application forwards her data. Even if the service wanted to allow users to define access controls, it is unclear how these access controls should be expressed and enforced. Not only is it difficult to develop these secure access control mechanisms, but it is also difficult to ensure these mechanisms are practical. My research addresses these concerns. More specifically, it focuses on building practical, secure mechanisms for protecting user data in large-scale, distributed web services.

In this talk, I discuss one of my research systems, Splinter. Splinter keeps users’ queries private and scales to realistic applications. Splinter extends a recent cryptographic primitive called Function Secret Sharing (FSS); Splinter’s modifications to FSS make it up to an order of magnitude more efficient than prior systems that used other cryptographic techniques, such as Private Information Retrieval and garbled circuits. We ported several realistic applications to Splinter, including a Yelp clone and a flight search application; Splinter achieves end-to-end response latencies of less than 1.6 seconds while hiding queries from the application.

Speaker Details

Frank Wang is a Ph.D. student at MIT CSAIL, advised by Nickolai Zeldovich and James Mickens. He completed his undergraduate studies at Stanford University, focusing on applied cryptography. He runs the MIT security seminar and co-founded Cybersecurity Factory, a summer program for early-stage security companies. He has interned on the security teams at Google and Facebook and has consulted for security companies such as Qualys. When he is not busy worrying about your security, he enjoys going to art museums and being outdoors.