An Infrastructure for Verifiable Sensitive Data Processing

Description

There are many instances where an individual’s right to privacy clashes with others’ rights, public or economic concerns. These conflicting interests are reconciled by trusted institutions like courts, banks or certifying organizations, which control access to personally identifiable information on behalf of data owners. The process of data access is often manual, analog, lacks transparency and is therefore prone to error and abuse. We propose an infrastructure for digital trustees which makes this process more secure, transparent and privacy-preserving using the tools of modern IT security. We consider a generalized scenario with three different actors: a data provider, who submits sensitive data, a data consumer, who wants to process this data and trustee organizations which perform access control. A central assumption of the system is that individual trustees may act erratically or maliciously. We therefore propose a decentralized access control scheme which allows trustee organizations to hold each other accountable and to overrule minority decisions. In particular, a data consumer’s access request is only considered granted if at least m of a total of n trustees allow it, where m is a configurable threshold. Trustee organizations operate a distributed ledger which serves as a single source of truth for access requests and verdicts while creating a transparent, auditable record of data access. Access control is enforced using a cryptographic secret sharing scheme: sensitive data is encrypted with a secret shared between trustee organizations, such that only subsets of at least m trustees can recover the secret by combining their shares. To minimize exposure of sensitive information, data consumers specify a computation to be performed over the sensitive inputs and only receive the result. The computation is performed on designated processing hosts which are attested by trustees prior to data access.