Monday, January 9, 2017

Your personal data in a box!

By Hamed Haddadi @realhamed

Today's personal data ecosystem is in a fragile state. A large number of smartphone apps [1], third-party trackers [2] and social media services collect and aggregate personal information in order to provide location-based services or targeted advertising. This comes at several costs, to our privacy, energy and bandwidth use among them. However, any attempt to reduce these costs that runs against the basic economics of so many Internet services is unlikely to succeed. Likewise, personal data vaults and information silos are bound to become a target for security attacks, since they concentrate exactly the data an attacker wants in one place.

In a new EPSRC-funded project, we are building the Databox [3], a personal networked device (and associated services) that collates and mediates access to personal and IoT data, allowing us to recover control of our online lives. The Databox is a first step to re-balancing power between us, the data subjects, and the corporations that collect and use our data.

In the Databox project, which started in October 2016, the researchers are creating a hardware platform and an open source suite of software for bringing third-party apps to personal data without jeopardising individuals' privacy. This can be achieved by performing analytics over encrypted data [4], by doing a first level of aggregation and data analysis at the user end so that only summaries leave the box, or by computing in a distributed manner over the boxes in the community [5]. While the Databox is not a data silo, it allows the user to interact with their data using concepts inherited from the Human-Data Interaction framework, and to install verified, authorised third-party apps which have isolated and controlled access to different data sources.
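The principle in the paragraph above, apps that get isolated and controlled access to individual data sources and perform their analysis on the box rather than exporting raw data, can be sketched in a few lines. The following is an added, hypothetical example written for this post; it is not Databox's own code or API. The class and function names (`Mediator`, `AppManifest`, `mortgage_summary`), the per-app grant model (the app declares which sources it wants, the user approves a subset, and the mediator enforces the intersection) and the sample bank and health records are all assumptions constructed for illustration.

```python
"""Hypothetical per-app, per-source access mediator (illustrative only, not Databox code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple


class AccessDenied(PermissionError):
    """Raised when an app reads a data source it was not granted."""


@dataclass(frozen=True)
class AppManifest:
    """What an app declares at install time: its name and the sources it asks for."""
    name: str
    requested_sources: FrozenSet[str]


@dataclass
class Mediator:
    """Sits between apps and data sources; apps never touch a source directly."""
    sources: Dict[str, Callable[[], Iterable[tuple]]]        # source name -> record producer
    grants: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # app name -> granted sources
    audit: List[Tuple[str, str, bool]] = field(default_factory=list)  # (app, source, allowed)

    def install(self, manifest: AppManifest, user_approved: Set[str]) -> FrozenSet[str]:
        # Least privilege: an app gets only what it asked for AND the user approved.
        # Sources the user approved but the app never requested are not granted either.
        granted = manifest.requested_sources & frozenset(user_approved)
        self.grants[manifest.name] = granted
        return granted

    def read(self, app: str, source: str) -> List[tuple]:
        allowed = source in self.grants.get(app, frozenset())
        self.audit.append((app, source, allowed))     # every access attempt is logged
        if not allowed:
            raise AccessDenied(f"{app} may not read {source}")
        if source not in self.sources:
            raise KeyError(f"unknown source {source}")
        return list(self.sources[source]())            # copy: the app cannot mutate the store


def build_demo_mediator() -> Mediator:
    """Constructed sample data standing in for a bank feed and a fitness tracker."""
    bank = [("2016-10-01", 3000.0, "salary"),
            ("2016-10-03", -900.0, "rent"),
            ("2016-10-10", -350.0, "groceries")]
    health = [("2016-10-01", "steps", 8000),
              ("2016-10-02", "steps", 6500)]
    return Mediator(sources={"bank": lambda: bank, "health": lambda: health})


def mortgage_summary(mediator: Mediator, app: str) -> Dict[str, float]:
    """An app-side analysis that runs on the box and returns only aggregates.

    The raw transactions are read through the mediator and reduced to two totals;
    nothing row-level leaves this function, which is the 'first level of
    aggregation at the user end' described in the post.
    """
    records = mediator.read(app, "bank")
    income = sum(amount for _, amount, _ in records if amount > 0)
    expenditure = sum(-amount for _, amount, _ in records if amount < 0)
    return {"income": round(income, 2), "expenditure": round(expenditure, 2)}


if __name__ == "__main__":
    m = build_demo_mediator()
    manifest = AppManifest("mortgage-helper", frozenset({"bank", "health"}))
    # The user approves only the bank feed, so the health request is dropped.
    print("granted:", sorted(m.install(manifest, user_approved={"bank"})))
    print("summary:", mortgage_summary(m, "mortgage-helper"))
    try:
        m.read("mortgage-helper", "health")
    except AccessDenied as exc:
        print("blocked:", exc)
    print("audit:", m.audit)
```

The point of the grant intersection is that neither side can widen access on its own: an app that quietly asks for more than it needs is cut back to what the user approved, and a user approving a source the app never declared does not silently expose it. The audit list is what a real mediator would persist, so the user can see which app touched which source and when.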

One might ask: why would we put our data together? What's in it for the user? Where's the business model? The way to think about it is by analogy with the Android or iOS ecosystem, where the inherent value lies within the apps and the data. In the Databox model, users might actually be tempted to pay for an app that does, say, income and expenditure analysis to get the best mortgage, or mental and physical health analysis, without giving up all their personal data and smartphone battery life. The app ecosystem is limited only by the developers' imagination and the users' needs.

Research in this space is only the first step in the privacy battle. The complex regulatory aspects of the acquisition and trade of personal data, and the various geographical jurisdictions surrounding personal data (or the lack thereof), all make for a challenging and bumpy road ahead. What is certain is that the current wild-west nature of personal data cannot continue for much longer.

[1] How Private Are Health-Tracking Apps on Your Phone?

[2] The Murky World of Third Party Web Tracking

[3] Hamed Haddadi, Heidi Howard, Amir Chaudhry, Jon Crowcroft, Anil Madhavapeddy, Derek McAuley, Richard Mortier, "Personal Data: Thinking Inside the Box", The 5th decennial Aarhus conference (Aarhus 2015), August 2015.

[4] Wang, Frank, James Mickens, Nickolai Zeldovich, and Vinod Vaikuntanathan. "Sieve: cryptographically enforced access control for user data in untrusted clouds." In 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16), 2016.

[5] Hamed Haddadi, Richard Mortier, Steven Hand, Ian Brown, Eiko Yoneki, Derek McAuley and Jon Crowcroft, "Privacy Analytics", ACM SIGCOMM Computer Communication Review, April 2012.