A new way of thinking about and guarding privacy on the web

Andrey Chudnov
Department of Computer Science
Stevens Institute of Technology

The Web has emerged as a dominant platform for exchanging information and deploying applications that use it. Through the web you can stay in touch, review your bills and medical records, bank, and do everything in between. Many applications by their very nature must handle private information. However, privacy safeguards, both in the browser and on the server side, are lacking, as noted in both academic research and public discourse. For example, multiple privacy breaches, both intentional and accidental, on popular social networking sites have been in the news recently. But social networks are not the only services plagued by privacy problems; they are just the most visible to the public. So, instead of trying to "band-aid" the problem, we need a fundamentally new way of thinking about and guarding privacy on the web.

Imagine if the next time you share something on your favorite social networking website you could specify how this information should be used and distributed: say, your photograph should be shown only to your friends and their friends, but no further. Best of all, you could have assurance that the service would respect your preference even in the presence of incompetent or malicious developers, if only a technology called Information Flow Monitoring were adopted on the server side.

The theory of information flow control gives us tools for describing sophisticated security and privacy requirements in an intuitive way, while providing a strong mathematical foundation that gives these requirements a precise meaning. That foundation, in turn, allows for provably correct automated and semi-automated enforcement of the requirements in software. The notion of information flow captures dependencies between pieces of information, letting us reason about direct disclosures (somebody sending your photograph directly) as well as indirect ones (somebody cutting your photograph into pieces, sending it piece by piece, and gluing the pieces back together). Tracking indirect disclosures matters because an attacker can use them to derive private information without being obvious about it.

The browser, or the so-called "client side", is also in dire need of better privacy and security controls, which lag hopelessly behind the trend of combining several applications and services in the browser to form so-called "web mashups". For example, one can "mash" a map application with a rental property listing and display available properties on the map. Or, one could integrate a web calendar application with a doctor's office website for automated scheduling of appointments depending on your availability. An online store can integrate third-party credit card payment processors seamlessly on one page. Online ads are another example. Mashup technology allows an unprecedented ease of combining services and applications, but that comes at a high cost to privacy, because inadequate browser controls allow only all-or-nothing sharing of information between components. Thus, while a well-behaved payment processor would not disclose your credit card details to the web store, and a reputable online calendar would disclose only your availability and not the contents of your schedule, nothing prevents either from behaving otherwise. This is where information flow monitoring in the browser comes in: instead of blindly trusting the mashup and component developers, it enforces a flexible policy of information exchange between the components, ultimately safeguarding your privacy while enabling useful collaboration.
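To make the two preceding paragraphs concrete, here is a toy dynamic information-flow monitor. It is an added illustration written for this page, not code from the Stevens project, and it uses a deliberately simple policy: every value carries the set of principals allowed to read it, an operation's result may be read only by principals who may read all of its inputs and the current control-flow context, and a sink receives a value only if it is in that set. The principal names, the photograph string and the card number are constructed sample data. The four scenarios cover a direct disclosure, the cut-into-pieces indirect disclosure, an indirect disclosure through a branch on a secret, and the mashup case where a payment processor may see a card number but the store may not.

```python
"""Toy dynamic information-flow monitor (added example, not the article's code)."""
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

Label = FrozenSet[str]  # set of principals permitted to observe a value

# Constructed principals for the examples; a real deployment defines its own.
ANYONE: Label = frozenset(
    {"user", "friends", "friends_of_friends", "public", "store", "processor"}
)
FRIENDS_ONLY: Label = frozenset({"user", "friends", "friends_of_friends"})


@dataclass(frozen=True)
class Labeled:
    value: object
    readers: Label  # who may read this value


class FlowViolation(Exception):
    """Raised when a value would reach a sink outside its reader set."""


class Monitor:
    def __init__(self) -> None:
        # Label of the control-flow context ("pc"); ANYONE means no secret
        # has influenced which code is running.
        self.pc: List[Label] = [ANYONE]
        self.events: List[Tuple[str, str]] = []

    def _meet(self, *vals: Labeled) -> Label:
        # Result readers = intersection of every input's readers and the pc.
        readers = self.pc[-1]
        for v in vals:
            readers = readers & v.readers
        return readers

    def op(self, fn: Callable, *vals: Labeled) -> Labeled:
        """Apply fn to the raw values; the result inherits the combined label."""
        return Labeled(fn(*(v.value for v in vals)), self._meet(*vals))

    @contextmanager
    def under(self, cond: Labeled):
        """Run a branch that depends on cond; raise the pc for its duration."""
        self.pc.append(self.pc[-1] & cond.readers)
        try:
            yield bool(cond.value)
        finally:
            self.pc.pop()

    def send(self, sink: str, val: Labeled):
        """Deliver val to principal sink, or refuse if sink may not read it."""
        if sink not in val.readers or sink not in self.pc[-1]:
            self.events.append(("blocked", sink))
            raise FlowViolation(f"{sink} may not read value labeled {sorted(val.readers)}")
        self.events.append(("sent", sink))
        return val.value


def try_send(m: Monitor, sink: str, val: Labeled) -> str:
    try:
        m.send(sink, val)
        return "sent"
    except FlowViolation:
        return "blocked"


def direct_disclosure() -> Tuple[str, str]:
    m = Monitor()
    photo = Labeled("photo-bytes", FRIENDS_ONLY)
    return try_send(m, "friends", photo), try_send(m, "public", photo)


def indirect_via_pieces() -> Tuple[bool, str]:
    # Cutting the photo into pieces and gluing them back together does not
    # launder the label: each piece, and the glued result, stays friends-only.
    m = Monitor()
    photo = Labeled("0123456789abcdef", FRIENDS_ONLY)
    pieces = [m.op(lambda s, i=i: s[i:i + 4], photo) for i in range(0, 16, 4)]
    glued = m.op(lambda *p: "".join(p), *pieces)
    return glued.value == photo.value, try_send(m, "public", glued)


def indirect_via_control_flow() -> Tuple[int, str]:
    # A public-looking flag assigned inside a branch on a secret inherits the
    # secret's label through the pc, so it cannot be sent to the public.
    m = Monitor()
    secret = Labeled(True, frozenset({"user"}))
    flag = Labeled(0, ANYONE)
    with m.under(secret) as taken:
        if taken:
            flag = m.op(lambda: 1)
    return flag.value, try_send(m, "public", flag)


def mashup_payment() -> Tuple[str, str, str]:
    # The policy lets the processor read the card number; the store may only
    # receive the processor's verdict, which is a fresh public value.
    m = Monitor()
    card = Labeled("4111-0000-0000-0000", frozenset({"user", "processor"}))
    to_store = try_send(m, "store", card)
    to_processor = try_send(m, "processor", card)
    receipt = Labeled("approved", ANYONE)  # declassification point chosen by policy
    return to_store, to_processor, try_send(m, "store", receipt)


if __name__ == "__main__":
    print(direct_disclosure(), indirect_via_pieces(),
          indirect_via_control_flow(), mashup_payment())
```

The control-flow scenario only shows the executed branch; a branch that is not taken can also leak (the flag stays 0 precisely because the secret was false), and production monitors handle that with rules such as no-sensitive-upgrade or static analysis of the untaken branch. The mashup scenario shows the shape of the policy the article describes: a component is trusted with the data it needs and nothing more, and any release to another component is an explicit, policy-sanctioned step rather than a side effect of sharing a page.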

Cross-site scripting attacks can also violate your privacy. One can think of them as forced mashups: an attacker exploits a flaw in a web application to insert an additional component on the web page, one that has full access to all the information displayed and entered. Naturally, information flow control can help mitigate these attacks if used in the browser, or prevent them if used on the server side.

While information flow has predominantly been the subject of theoretical research, a team in the Department of Computer Science, professor David Naumann and PhD student Andrey Chudnov, is working on turning theory into practice: enhancing security and privacy in web applications using information flow monitoring, and developing new theory where the existing theory proves inadequate.