| Funder | National Science Foundation (US) |
|---|---|
| Recipient Organization | Brown University |
| Country | United States |
| Start Date | Feb 15, 2021 |
| End Date | Jul 31, 2026 |
| Duration | 1,992 days |
| Number of Grantees | 1 |
| Roles | Principal Investigator |
| Data Source | National Science Foundation (US) |
| Grant ID | 2045170 |
Today's web services store and process sensitive personal data without sufficient attention to data privacy. Privacy laws like the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the proposed United States Consumer Data Privacy Act (CDPA) and Consumer Online Privacy Rights Act (COPRA) give users new rights to control their data (e.g., access and erasure on request, rights to object to processing).
With today's systems, compliance with these laws requires onerous manual labor, particularly from small and medium-sized organizations. This project investigates new systems that – by construction – comply with these privacy laws. The key idea is to provide a "micro-database" for each user, which stores all their data and which they can choose to withdraw or resubscribe.
This design enables new, fundamentally privacy-centric models, such as automatically removing idle users' data while making it easy for the users to return. Realizing compliance-by-construction requires innovation in storage systems and data processing techniques. To succeed, compliant-by-construction systems must match the convenience and performance of today's systems, and the project will contribute systems that efficiently handle millions of per-user micro-databases by advancing the state-of-the-art in scalable computing techniques (e.g., dataflow systems).
The proposed research will lead to new, compliant-by-construction equivalents of today's popular web service software. These privacy-first systems will provide off-the-shelf tools that automate and "democratize" good privacy practices for small and medium-size organizations. This has the potential to save considerable expense, prevent costly mistakes, and improve data privacy on the internet.
The work will affect academic state-of-the-art through papers, industry practice through technology transfer and open-source software, and the general public through new tools and raised awareness of privacy issues. All software developed in this project will be available as open-source code on the project website (https://cs.brown.edu/people/malte/research/privacy-by-construction.html).
Undergraduate and graduate students will be trained in privacy-conscious system design and implementation, and in the implications of new privacy laws for system design, through curriculum integration of the research.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.