Design and Implementation of a Privacy-Preserving Database on PDC
Abstract
Regulating access to electronically stored personal information is an increasingly challenging task, and significant concerns about the privacy of personal data have emerged. These concerns are fueled, in part, by the ever-growing number of highly-publicized security incidents involving data theft and privacy violations. As the most recent example, UC Berkeley has discovered that foreign attackers breached the databases maintained by the University Health Services and gained unauthorized access to large volumes of personal data including names, birth dates, and social security numbers [5]. As a consequence of this security breach, approximately 160,000 current and former University students have been exposed to the risk of identity theft. One of the defining principles of information privacy is the notion of limited disclosure, which stipulates that individuals and organizations should have control over who is allowed to see their private information and for what purpose. Such information may not be revealed for purposes other than those for which there is consent from the owner of the information. The issues of privacy and information disclosure in database management systems have received a significant amount of research attention. In the context of relational databases, the principle of limited disclosure implies that the personal information stored in a database may be revealed to database users through queries only in accordance with the privacy preferences specified by the owner of this information. These preferences are essentially a set of rules that describe to whom data may be disclosed (recipients) and how it may be used (purposes). [2] proposes re-architecting our database management systems to include responsibility for the privacy of data as a fundamental tenet. This paper outlines the ten principles for privacy-preserving (Hippocratic) databases, which include, among others, purpose specification, consent, and limited disclosure.
In [4], the authors demonstrate how the limited disclosure principle can be realized within the confines of a traditional RDBMS architecture. In the table semantics model of limited disclosure, each 〈Purpose,Recipient〉 pair is conceptually assigned a unique view over the entire database, in which prohibited attributes are masked with the NULL value. To implement these semantics, the authors propose storing the privacy preferences (and other policy metadata) in relational form and modifying incoming queries with CASE statements to enforce the rules and conditions expressed in the privacy metadata. While this approach is undoubtedly attractive due to its simplicity and ease of implementation, a purely database-level solution would only partially address the major security challenges. An unscrupulous user with administrative privileges can easily disable or circumvent the query rewriting mechanisms, for example by reading the raw (unfiltered) table contents directly from the database files in the underlying filesystem. Furthermore, the output of a query submitted on behalf
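The table-semantics model described above, as an added worked example (not code from the paper or from [4]): privacy preferences are stored in a relational metadata table keyed by purpose and recipient, and an incoming projection is rewritten so that attributes the pair may not see become NULL, while attributes allowed only under a per-row condition (for example, the owner's consent flag) are wrapped in a CASE statement. The schema, rows, rule format and the `privacy_rules` table name are constructed for this example; the page does not show the paper's own schema. As the abstract itself points out, this rewriting layer is only one part of a solution, since anyone who can read the database files directly sees the unfiltered rows.

```python
import re
import sqlite3

# Constructed sample schema: a patient table plus the privacy metadata table that
# stores the owner's disclosure preferences in relational form (assumption of this
# example; the paper's actual schema is not shown on the page).
SCHEMA = """
CREATE TABLE patients (
    id INTEGER PRIMARY KEY,
    name TEXT,
    birth_date TEXT,
    ssn TEXT,
    consent_research INTEGER   -- 1 if the owner opted in to research use of their data
);
CREATE TABLE privacy_rules (
    purpose TEXT,
    recipient TEXT,
    tbl TEXT,
    attribute TEXT,
    condition TEXT             -- SQL predicate over the row; NULL means unconditionally allowed
);
"""

# Constructed rows. Rules are positive: any attribute not listed for a
# <purpose, recipient> pair is prohibited for that pair and will be masked.
SAMPLE_PATIENTS = [
    (1, "Alice Ahn", "1980-02-11", "123-45-6789", 1),
    (2, "Bob Brandt", "1975-09-30", "987-65-4321", 0),
]
SAMPLE_RULES = [
    ("treatment", "physician", "patients", "name", None),
    ("treatment", "physician", "patients", "birth_date", None),
    ("treatment", "physician", "patients", "ssn", None),
    ("billing", "clerk", "patients", "name", None),
    ("billing", "clerk", "patients", "ssn", None),
    ("research", "analyst", "patients", "birth_date", "consent_research = 1"),
]

# Identifiers supplied by the caller are interpolated into SQL, so they must be
# plain names that also exist in the table; everything else is rejected.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_db():
    """Create an in-memory SQLite database holding the sample data and rules."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?, ?)", SAMPLE_PATIENTS)
    conn.executemany("INSERT INTO privacy_rules VALUES (?, ?, ?, ?, ?)", SAMPLE_RULES)
    conn.commit()
    return conn


def table_columns(conn, table):
    """Real column names of `table` (empty set if the table does not exist)."""
    return {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}


def allowed_attributes(conn, purpose, recipient, table):
    """Attributes the <purpose, recipient> pair may see, mapped to their condition (None = always)."""
    rows = conn.execute(
        "SELECT attribute, condition FROM privacy_rules "
        "WHERE purpose = ? AND recipient = ? AND tbl = ?",
        (purpose, recipient, table),
    ).fetchall()
    return dict(rows)


def rewrite_select(conn, purpose, recipient, table, columns):
    """Rewrite a projection over `table` into the pair's view: prohibited attributes
    are replaced by NULL, conditionally allowed ones are guarded by a CASE statement."""
    if not IDENT.match(table):
        raise ValueError(f"bad table identifier: {table!r}")
    real = table_columns(conn, table)
    if not real:
        raise ValueError(f"unknown table: {table}")
    rules = allowed_attributes(conn, purpose, recipient, table)
    projections = []
    for col in columns:
        if not IDENT.match(col) or col not in real:
            raise ValueError(f"unknown column: {col!r}")
        if col not in rules:
            projections.append(f"NULL AS {col}")          # prohibited for this pair
        elif rules[col] is None:
            projections.append(col)                       # unconditionally allowed
        else:                                             # allowed only where the row's condition holds
            projections.append(f"CASE WHEN {rules[col]} THEN {col} ELSE NULL END AS {col}")
    return f"SELECT {', '.join(projections)} FROM {table} ORDER BY rowid"


def query_as(conn, purpose, recipient, table, columns):
    """Execute the rewritten query and return the masked rows as tuples."""
    return conn.execute(rewrite_select(conn, purpose, recipient, table, columns)).fetchall()


if __name__ == "__main__":
    db = build_db()
    cols = ["name", "birth_date", "ssn"]
    for purpose, recipient in [("treatment", "physician"), ("billing", "clerk"),
                               ("research", "analyst"), ("marketing", "vendor")]:
        print(f"<{purpose},{recipient}>: {rewrite_select(db, purpose, recipient, 'patients', cols)}")
        for row in query_as(db, purpose, recipient, "patients", cols):
            print("   ", row)
```

Running the block prints the rewritten SQL for each pair followed by the rows it returns; the `<research,analyst>` view shows the per-row consent condition at work (Alice's birth date is visible, Bob's is NULL), and a pair with no rules at all, such as `<marketing,vendor>`, sees only NULLs. The column and table checks are there because the rewriter builds SQL text, exactly the place where a user-controlled identifier would otherwise let a caller smuggle in arbitrary SQL.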
Similar sources
An Effective Method for Utility Preserving Social Network Graph Anonymization Based on Mathematical Modeling
In recent years, privacy concerns about social network graph data publishing has increased due to the widespread use of such data for research purposes. This paper addresses the problem of identity disclosure risk of a node assuming that the adversary identifies one of its immediate neighbors in the published data. The related anonymity level of a graph is formulated and a mathematical model is...
Differentially Private Local Electricity Markets
Privacy-preserving electricity markets have a key role in steering customers towards participation in local electricity markets by guarantying to protect their sensitive information. Moreover, these markets make it possible to statically release and share the market outputs for social good. This paper aims to design a market for local energy communities by implementing Differential Privacy (DP)...
A Lightweight Privacy-preserving Authenticated Key Exchange Scheme for Smart Grid Communications
Smart grid concept is introduced to modify the power grid by utilizing new information and communication technology. Smart grid needs live power consumption monitoring to provide required services and for this issue, bi-directional communication is essential. Security and privacy are the most important requirements that should be provided in the communication. Because of the complex design of s...
A centralized privacy-preserving framework for online social networks
There are some critical privacy concerns in the current online social networks (OSNs). Users' information is disclosed to different entities that they were not supposed to access. Furthermore, the notion of friendship is inadequate in OSNs since the degree of social relationships between users dynamically changes over the time. Additionally, users may define similar privacy settings for their f...
Separating indexes from data: a distributed scheme for secure database outsourcing
Database outsourcing is an idea to eliminate the burden of database management from organizations. Since data is a critical asset of organizations, preserving its privacy from outside adversary and untrusted server should be warranted. In this paper, we present a distributed scheme based on storing shares of data on different servers and separating indexes from data on a distinct server. Shamir...
Secure and Privacy-Preserving DRM for Mobile Devices with Web Service Security∗ – An Experience Report –
Preserving the customer’s privacy has to be a major concern when implementing a commercial DRM system. In [12] a privacy-preserving digital rights management (DRM) architecture based on the widely used Open Mobile Alliance (OMA) DRM [17] specification for mobile devices has been suggested. In this paper the design of a possible implementation of the proposed architecture is explained which uses...
Publication date: 2009