"Today's web services" says Professor Malte Schwarzkopf of Brown CS, "often store and process sensitive personal data without sufficient attention to data privacy. Privacy laws like the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the proposed United States Consumer Data Privacy Act (CDPA) and Consumer Online Privacy Rights Act (COPRA) give users new rights to control their data (for example, rights to access and erasure on request or to object to specific kinds of processing). With today's systems, compliance with these laws requires onerous manual labor, particularly from small and medium-sized organizations who don't have dedicated privacy teams."
Malte has just received a National Science Foundation (NSF) CAREER Award to investigate new systems that by construction comply with these privacy laws. CAREER Awards are given in support of outstanding junior faculty teacher-scholars who excel at research, education, and integration of the two within the context of an organizational mission.
The key idea of Schwarzkopf's research is to give each user a "micro-database" that stores all of that user's data and that the user can withdraw from the service or resubscribe to it at will. This design enables new, fundamentally privacy-centric models, such as automatically removing idle users' data while making it easy for those users to return.
"How many websites do you have accounts with that you've since forgotten about?" Malte asks. "That hotel that you stayed at once five years ago still has your home address, travel dates, and passport number. Or the online store that you bought something from once; they probably still have your credit card details and purchase history. We would all be better off if this information went away after some time, and new privacy laws like the GDPR indeed require deletion after the information is no longer needed. But deleting data without making it harder for users to return if they actually want to continue using the service, perhaps after a long break, requires new systems built around data privacy controls from the ground up."
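The following is an added illustration of the per-user micro-database idea described above, written for this page; it is not code from Schwarzkopf's project, and the class names, the sealed-bundle format and the HMAC seal key are assumptions made for the example. Each user's rows live only inside that user's micro-database, cross-user queries scan the micro-databases that are still attached, withdrawing a user detaches the whole micro-database and hands it back as a sealed bundle, an idle-expiry pass withdraws users automatically, and resubscribing re-attaches a bundle after checking its seal.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed demo secret for sealing withdrawn bundles (assumption); a real
# deployment would keep this in a KMS/HSM and would also encrypt the bundle
# so that only the user (or the service on return) can read it.
_SEAL_KEY = b"demo-only-server-seal-key"


class MicroDatabase:
    """Everything the service holds about one user, keyed by table name."""

    def __init__(self, user_id: str, now: float):
        self.user_id = user_id
        self.tables: Dict[str, List[dict]] = {}
        self.last_active = now

    def insert(self, table: str, row: dict, now: float) -> None:
        self.tables.setdefault(table, []).append(dict(row))
        self.last_active = now


class MicroDatabaseStore:
    """A service's data set as a collection of per-user micro-databases.

    There is no shared, user-spanning table: every row lives inside exactly
    one user's micro-database, so detaching that micro-database removes the
    user's data completely, and cross-user queries are scans over the users
    that are still attached.
    """

    def __init__(self) -> None:
        self.users: Dict[str, MicroDatabase] = {}

    def insert(self, user_id: str, table: str, row: dict, now: float) -> None:
        mdb = self.users.get(user_id)
        if mdb is None:
            mdb = self.users[user_id] = MicroDatabase(user_id, now)
        mdb.insert(table, row, now)

    def query(self, table: str) -> List[dict]:
        """Cross-user query: the named table unioned across all micro-databases."""
        rows = []
        for mdb in self.users.values():
            for row in mdb.tables.get(table, []):
                rows.append({"user_id": mdb.user_id, **row})
        return rows

    def withdraw(self, user_id: str) -> str:
        """Detach the user's micro-database and return it as a sealed bundle.

        The MAC lets the service later verify that a returned bundle is one
        it issued and was not modified while in the user's hands.
        """
        mdb = self.users.pop(user_id)
        payload = json.dumps({"user_id": user_id, "tables": mdb.tables}, sort_keys=True)
        tag = hmac.new(_SEAL_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return json.dumps({"payload": payload, "tag": tag})

    def resubscribe(self, bundle: str, now: float) -> str:
        """Re-attach a previously withdrawn micro-database; returns the user id."""
        outer = json.loads(bundle)
        payload = outer["payload"]
        expected = hmac.new(_SEAL_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, outer.get("tag", "")):
            raise ValueError("bundle was not issued by this service or was modified")
        data = json.loads(payload)
        user_id = data["user_id"]
        if user_id in self.users:
            raise ValueError(f"user {user_id!r} is already subscribed")
        mdb = MicroDatabase(user_id, now)
        mdb.tables = data["tables"]
        self.users[user_id] = mdb
        return user_id

    def expire_idle(self, now: float, max_idle: float) -> Dict[str, str]:
        """Withdraw every user idle for longer than max_idle seconds.

        Returns the sealed bundles keyed by user id; the service would hand
        them back to the users (for example by e-mail) for later resubscription.
        """
        idle = [uid for uid, mdb in self.users.items() if now - mdb.last_active > max_idle]
        return {uid: self.withdraw(uid) for uid in idle}


if __name__ == "__main__":
    # Constructed sample data: two users, one of whom has gone idle.
    store = MicroDatabaseStore()
    store.insert("alice", "orders", {"item": "lamp", "total": 30}, now=100)
    store.insert("bob", "orders", {"item": "desk", "total": 200}, now=1000)
    expired = store.expire_idle(now=1500, max_idle=1000)  # alice has been idle 1400 s
    print(sorted(expired), [r["user_id"] for r in store.query("orders")])
    store.resubscribe(expired["alice"], now=1600)
    print(sorted(store.users))
```

The security property worth noticing is structural rather than procedural: because `query` only ever reads rows through a user's micro-database, a withdrawn user cannot linger in some shared table, index or cache that a deletion routine forgot to clean. The seal on the bundle is what keeps resubscription from becoming an injection path, since a returned bundle that fails the MAC check is rejected before any of its rows are attached.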
"Realizing compliance-by-construction requires innovation in storage systems and data processing techniques," Malte explains. "To succeed, compliant-by-construction systems must match the convenience and performance of today's systems, and the project will contribute systems that efficiently handle millions of per-user micro-databases by advancing the state-of-the-art in scalable computing techniques (for example, inspired by the dataflow systems used to process big data)."
Schwarzkopf's proposed research will lead to new, compliant-by-construction equivalents of today's popular web service software. These privacy-first systems will provide off-the-shelf tools that automate and "democratize" good privacy practices for small and medium-size organizations. This has the potential to save considerable expense, prevent costly mistakes, and improve data privacy on the internet.
"This work," Malte tells us, "will produce open-source software that provides an off-the-shelf way to comply with major provisions of new privacy laws, which we hope will be useful to organizations that struggle today, and raise awareness that we can do better. All software developed in this project will be available as open-source code on the project website. The research has involved undergraduate students from the idea's inception: the very first prototype of our system was written by a Brown CS senior over the summer of 2020. In the future, we hope to continue to have undergraduates involved, and will add new modules on good privacy practices to courses in the CS curriculum."
For more information, contact Brown CS Communication Outreach Specialist Jesse C. Polhemus.