Flexible Privacy via Disguising and Revealing
Main Author: | Tsai, Lillian |
---|---|
Other Authors: | Kaashoek, M. Frans; Schwarzkopf, Malte |
Format: | Thesis |
Published: | Massachusetts Institute of Technology, 2024 |
Online Access: | https://hdl.handle.net/1721.1/156632 |
_version_ | 1826208944744300544 |
---|---|
author | Tsai, Lillian |
author2 | Kaashoek, M. Frans |
author_facet | Kaashoek, M. Frans Tsai, Lillian |
author_sort | Tsai, Lillian |
collection | MIT |
description | Users have tens to hundreds of accounts with web services that store sensitive data, from social media to tax preparation and e-commerce sites. While users have the right to delete their data (via e.g., the GDPR or CCPA), more nuanced data controls often don’t exist. For example, a user might wish to hide and protect their profiles on an e-commerce or dating app when inactive, and to recover their accounts should they return to the application. However, services often provide only coarse-grained tools that result in all-or-nothing exposure of users’ private data. This thesis introduces the notion of *disguised data*, a reversible state in which sensitive data is hidden. To demonstrate the feasibility of disguised data, this thesis also presents Edna—the first system for disguised data—which helps database-backed web applications provide new privacy features for users, such as removing their data without permanently losing their accounts, anonymizing their old data, and selectively dissociating personal data from public profiles. Edna helps developers support these features while maintaining application functionality and referential integrity in the database via *disguising* and *revealing* transformations. Disguising selectively renders user data inaccessible via encryption, and revealing restores their data to the application. Edna’s techniques allow transformations to compose in any order, e.g., deleting a previously anonymized account, or restoring an account back to an anonymized state. With Edna, web applications can enable flexible privacy features with reasonable developer effort and moderate performance impact on application operation throughput. In the Lobsters social media application—a 160k LoC web application with >16k users—adding Edna and its features takes <1k LoC, and decreases throughput 1–7% in the common case. Edna decreases throughput up to 28% when a heavy user who owns 1% of all application data continuously disguises and reveals their account. |
first_indexed | 2024-09-23T14:14:56Z |
format | Thesis |
id | mit-1721.1/156632 |
institution | Massachusetts Institute of Technology |
last_indexed | 2024-09-23T14:14:56Z |
publishDate | 2024 |
publisher | Massachusetts Institute of Technology |
record_format | dspace |
spelling | mit-1721.1/156632 2024-09-04T03:21:18Z Flexible Privacy via Disguising and Revealing Tsai, Lillian Kaashoek, M. Frans Schwarzkopf, Malte Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science Ph.D. 2024-09-03T21:13:24Z 2024-09-03T21:13:24Z 2024-05 2024-07-10T13:02:17.254Z Thesis https://hdl.handle.net/1721.1/156632 0000-0001-6157-1980 In Copyright - Educational Use Permitted Copyright retained by author(s) https://rightsstatements.org/page/InC-EDU/1.0/ application/pdf Massachusetts Institute of Technology |
spellingShingle | Tsai, Lillian Flexible Privacy via Disguising and Revealing |
title | Flexible Privacy via Disguising and Revealing |
title_full | Flexible Privacy via Disguising and Revealing |
title_fullStr | Flexible Privacy via Disguising and Revealing |
title_full_unstemmed | Flexible Privacy via Disguising and Revealing |
title_short | Flexible Privacy via Disguising and Revealing |
title_sort | flexible privacy via disguising and revealing |
url | https://hdl.handle.net/1721.1/156632 |
work_keys_str_mv | AT tsailillian flexibleprivacyviadisguisingandrevealing |