Developing a Paid Web Service that Guarantees no Data Collection

What happens to your data when you log in to an online service, e.g. via a smartphone app? Is your complete usage profile forwarded to the company?

Many online services, e.g. online newspapers, have a subscription model in which the user pays for usage. It is legitimate to restrict access to paying customers, but is it necessary for a newspaper to know exactly which articles were read by which customers? The goal of this thesis is to evaluate an approach that obfuscates the actual usage of a service while preserving the ability to restrict access to paying customers.

The idea is to run the login process inside a Trusted Execution Environment (TEE). What happens inside the TEE cannot be observed by the company running the service, not even by an admin. The TEE itself calls the regular functions provided by the service, but without passing on any information about the user. To make the login process transparent, its code is published as open source. The TEE manufacturer attests to the user that exactly this code was executed on their hardware. So, instead of trusting the admins of the newspaper company, the trust is shifted one level down, to the TEE manufacturer.

SCS has worked with TEEs in other projects. The software being developed in this thesis will build upon this work (see https://github.com/scs/substraTEE).
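The following is an added toy model of the architecture sketched above, not code from this thesis or from the substraTEE project. It separates the three parties the proposal names: the manufacturer, who attests to the enclave code; the login enclave, which sees credentials and hands out access tokens carrying no user identity; and the service operator, who only ever sees those tokens. All keys, names, the subscriber list and the articles are constructed, and HMAC stands in for the manufacturer's attestation signature (which in practice is a public-key signature the user verifies against the vendor's certificate).

```python
"""Toy model: paid service whose login runs inside a TEE (constructed example)."""
import hashlib
import hmac
import secrets

# --- Attestation (constructed): the manufacturer vouches for the enclave code ---
MANUFACTURER_KEY = b"constructed-manufacturer-signing-key"   # stands in for a vendor signing key
ENCLAVE_CODE = b"open-source login enclave v1"               # stands in for the published code


def measure(code: bytes) -> str:
    """Measurement of the enclave: hash of the code that will run."""
    return hashlib.sha256(code).hexdigest()


def manufacturer_attest(code: bytes) -> dict:
    """Quote over the measurement, 'signed' by the manufacturer (HMAC as a stand-in)."""
    m = measure(code)
    return {"measurement": m,
            "signature": hmac.new(MANUFACTURER_KEY, m.encode(), "sha256").hexdigest()}


def user_verifies_quote(quote: dict, published_code: bytes) -> bool:
    """The user checks both: the signature is genuine AND the measurement matches
    the open-source code they can audit. Either check failing means no trust."""
    expected = hmac.new(MANUFACTURER_KEY, quote["measurement"].encode(), "sha256").hexdigest()
    return (hmac.compare_digest(expected, quote["signature"])
            and quote["measurement"] == measure(published_code))


class LoginEnclave:
    """Runs inside the TEE: sees credentials, emits tokens that carry no identity."""

    def __init__(self, subscribers: dict, token_key: bytes):
        self._subscribers = subscribers   # username -> sha256(password), constructed
        self._token_key = token_key       # key shared only with the service's token check

    def login(self, username: str, password: str):
        stored = self._subscribers.get(username)
        given = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, given):
            return None
        # Fresh random nonce per login: nothing in the token is derived from the user.
        nonce = secrets.token_hex(16)
        mac = hmac.new(self._token_key, nonce.encode(), "sha256").hexdigest()
        return f"{nonce}.{mac}"


class NewspaperService:
    """Outside the TEE. Everything the operator (and its admins) can observe is
    exactly what lands in access_log: a token nonce and an article id."""

    def __init__(self, token_key: bytes, articles: dict):
        self._token_key = token_key
        self._articles = articles
        self.access_log = []

    def read_article(self, token: str, article_id: str):
        nonce, _, mac = token.partition(".")
        expected = hmac.new(self._token_key, nonce.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None                   # not a paying customer's token
        self.access_log.append((nonce, article_id))
        return self._articles.get(article_id)


def demo() -> dict:
    """Run the full flow once and report what each party learned."""
    subscribers = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
    token_key = secrets.token_bytes(32)
    enclave = LoginEnclave(subscribers, token_key)
    service = NewspaperService(token_key, {"a1": "Article one", "a2": "Article two"})

    quote = manufacturer_attest(ENCLAVE_CODE)
    token = enclave.login("alice", "correct horse")
    return {
        "attestation_ok": user_verifies_quote(quote, ENCLAVE_CODE),
        "tampered_code_rejected": not user_verifies_quote(quote, ENCLAVE_CODE + b" backdoor"),
        "wrong_password_rejected": enclave.login("alice", "wrong") is None,
        "article": service.read_article(token, "a1"),
        "forged_token_rejected": service.read_article("deadbeef.0000", "a1") is None,
        # The operator's log must not contain the username anywhere.
        "identity_leaked": any("alice" in str(entry) for entry in service.access_log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

One caveat the toy makes visible: the token is random per login, so the operator cannot tie reads to a person, but it can still link all reads made with the same token within one session. If that linkage is also undesirable, the enclave would have to issue one-time tokens per request, which is the kind of trade-off the thesis would need to evaluate.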

Kind of Work
30% Theory, 70% Implementation

Requirements

  • Interest in privacy
  • Openness to work with new (and sometimes unstable) technologies

Time & Effort
Master’s Thesis, 1 Student

Contact
fabian.schenkel@scs.ch
