Web privacy: a Formal Adversarial Model for Query Obfuscation
The queries we perform, the searches we make, and the websites we visit - this sensitive data is collected at scale by companies as part of the services they provide. Query obfuscation, intertwining the genuine queries of the user with artificial queries, has been proposed as a solution to protect t...
Published in: | IEEE transactions on information forensics and security 2023-01, Vol.18, p.1-1 |
---|---|
Main authors: | , , , |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Order full text |
container_end_page | 1 |
---|---|
container_issue | |
container_start_page | 1 |
container_title | IEEE transactions on information forensics and security |
container_volume | 18 |
creator | Houssiau, Florimond Lienart, Thibaut Hendrickx, Julien De Montjoye, Yves-Alexandre |
description | The queries we perform, the searches we make, and the websites we visit - this sensitive data is collected at scale by companies as part of the services they provide. Query obfuscation, intertwining the genuine queries of the user with artificial queries, has been proposed as a solution to protect the privacy of individuals on the web. We here present a formal model and formulate through attack models three privacy requirements for obfuscators: (1) indistinguishability, that the user query should be hard to identify; (2) coverage, that its topic should be hard to identify; and (3) imprecision, that the query should still be hard to identify for an attacker with additional auxiliary information. The latter is needed to make the former two guarantees "future-proof". Using our framework, we derive two important results for obfuscators. First, we show that indistinguishability imposes strong bounds on the coverage and imprecision achievable by an obfuscator. Second, we prove an important tradeoff between coverage and imprecision, which inherently limits the strength and robustness of the privacy guarantees that an obfuscator can provide. We then introduce a family of obfuscators with provable indistinguishability guarantees, which we call k-ball obfuscators, and show, for a range of parameter values, the achievable coverage and imprecision. We show empirically that our theoretical tradeoff holds, and that its bound is not tight in practice: even in a simple idealized setting, there is a significant gap between practical coverage and imprecision guarantees, and the optimal bounds. While obfuscators have proven popular with the general public, all obfuscators currently available provide ad hoc guarantees, and have been shown to be vulnerable to attacks, putting the data of users at risk. We hope this work to be a first step towards a robust evaluation of the properties of query obfuscators and the development of principled obfuscators. |
doi_str_mv | 10.1109/TIFS.2023.3262123 |
format | Article |
fulltext | fulltext_linktorsrc |
identifier | ISSN: 1556-6013 |
ispartof | IEEE transactions on information forensics and security, 2023-01, Vol.18, p.1-1 |
issn | 1556-6013 1556-6021 |
language | eng |
recordid | cdi_crossref_primary_10_1109_TIFS_2023_3262123 |
source | IEEE Electronic Library (IEL) |
subjects | Behavioral sciences Data privacy Games Privacy Queries Robustness Semantics Surveillance Tradeoffs Websites |
title | Web privacy: a Formal Adversarial Model for Query Obfuscation |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-08T22%3A35%3A23IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Web%20privacy:%20a%20Formal%20Adversarial%20Model%20for%20Query%20Obfuscation&rft.jtitle=IEEE%20transactions%20on%20information%20forensics%20and%20security&rft.au=Houssiau,%20Florimond&rft.date=2023-01-01&rft.volume=18&rft.spage=1&rft.epage=1&rft.pages=1-1&rft.issn=1556-6013&rft.eissn=1556-6021&rft.coden=ITIFA6&rft_id=info:doi/10.1109/TIFS.2023.3262123&rft_dat=%3Cproquest_RIE%3E2797298259%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2797298259&rft_id=info:pmid/&rft_ieee_id=10081382&rfr_iscdi=true |