The Internet Security Research Group (ISRG) has a plan to allow companies to collect information about how people are using their products while protecting the privacy of those generating the data.
Today, the California-based non-profit, which operates Let’s Encrypt, introduced Prio Services, a way to gather online product metrics without compromising the personal information of product users.
“Applications such as web browsers, mobile applications, and websites generate metrics,” said Josh Aas, founder and executive director of ISRG, and Tim Geoghegan, site reliability engineer, in an announcement. “Normally they would just send all of the metrics back to the application developer, but with Prio, applications split the metrics into two anonymized and encrypted shares and upload each share to different processors that do not share data with each other.”
Normally they would just send all of the metrics back to the application developer, but with Prio, applications split the metrics into two anonymized and encrypted shares
Prio is described in a 2017 research paper [PDF] as “a privacy-preserving system for the collection of aggregate statistics.” The system was developed by Henry Corrigan-Gibbs, then a Stanford doctoral student and currently an MIT assistant professor, and Dan Boneh, a professor of computer science and electrical engineering at Stanford.
Prio implements a cryptographic approach called secret-shared non-interactive proofs (SNIPs). According to its creators, it handles data only 5.7x slower than systems with no privacy protection. That’s considerably better than the competition: client-generated non-interactive zero-knowledge proofs of correctness (NIZKs) are 267x slower than unprotected data processing and privacy methods based on succinct non-interactive arguments of knowledge (SNARKs) clock in at three orders of magnitude slower.
“With Prio, you can get both: the aggregate statistics needed to improve an application or service and maintain the privacy of the people who are providing that data,” said Boneh in a statement. “This system offers a robust solution to two growing demands in our tech-driven economy.”
In 2018 Mozilla began testing Prio to gather Firefox telemetry data and found the cryptographic scheme compelling enough to make it the basis of its Firefox Origin Telemetry service.
In a blog post last year, Chris Hutten-Czapski, Firefox platform engineer, wrote, “Prio is neat. It allows us to learn counts of things that happen across the Firefox population without ever being able to learn which Firefox sent us which pieces of information.”
Prio Services will let any company subscribe to have its product-generated data sliced, diced, and anonymized so it can be viewed in aggregate, without the risk that the data could be used to identify people.
Let’s Encrypt warns about a third of Android devices will from next year stumble over sites that use its certs
ISRG will operate a data processing server, and subscribers will have to implement a second server and arrange to have its apps transmit their metrics so they can be divided between the two servers for subsequent anonymized aggregation and analysis.
“By offering low-cost and easy-to-use cryptographic privacy protection for user metrics, ISRG will be taking a significant step to protect the general public from privacy violations,” said Aas and Geoghegan. “It is our hope that privacy respecting metrics collection will become an expectation for application developers.”
Prio Services isn’t yet open to the public. ISRG is working to implement the service with its first set of subscribers, and will provide more information at a later date. But the org says it expects to be the first organization running Prio as a production service.
In an email to The Register, Aas said it’s too early to provide pricing details.
“While some subscribers down the line may be paying for the service, many will have access to the service through philanthropic contributions,” he said. “We are not able to provide pricing for potential paying subscribers at this time.”
Aas said companies that don’t care about user privacy may not have much incentive to use Prio, though he suggested the service may appeal to those interested in returning from the dark side.
“Prio prevents both intentional and unintentional privacy violations, so the system benefits companies with the best of intentions,” he said. “Being able to convince people that an application is trustworthy is important to many companies, and using Prio is a way for them to do that.” ®