PriServ: A P2P Based Privacy Service

PriServ is a privacy service for peer-to-peer (P2P) data sharing that combines purpose-based access control, trust and encryption for applications with sensitive data, e.g. medical data. The key feature is that owner peers (data publishers) keep full control over their private data and private keys. Data publishing in PriServ takes into account owner privacy preferences and does not reveal any private information about data (only encrypted data or data references are published). PriServ uses a DHT to efficiently locate data. It is implemented in Java using the Service Component Architecture and Java RMI for peer communication. The implementation uses the Chord DHT, but any other DHT could be used.

Description

Online P2P communities such as professional communities (e.g., medical or research communities) are becoming popular due to increasing needs for data sharing. P2P environments offer valuable characteristics but limited guarantees when sharing sensitive or confidential data. They can be considered hostile because data can be accessed by everyone (by potentially untrusted peers) and used for anything (e.g., for marketing or for activities against the owner's preferences or ethics). In our work, we propose PriServ, a privacy service located on top of DHT-based P2P systems which prevents data privacy violations. Based on data owner privacy preferences and following Hippocratic database principles, PriServ takes into account for which purposes data are being shared/collected and which operations will be performed on data (e.g., read, write, disclosure). Additionally, PriServ uses encryption and reputation techniques to increase trust in peers requesting data.

The key idea behind PriServ is that everyone in the system is aware of the data privacy preferences. We argue that today's systems should provide facilities for data owners to specify their data privacy preferences. Data servers should enforce those preferences when providing data, and data requesters should respect them when requesting and using data.

Data privacy preferences of data owners are registered in Privacy Policies (PP). Inspired by P3P, the next figure shows a PP meta model.

Privacy Policy

Architecture

The global architecture of this work (see next figure) considers that the P2P system sits on top of the Internet. The overlay network layer is in charge of routing, implementing the lookup() function, and also manages peer dynamicity (peers joining and leaving). On top of this layer, the distributed storage layer ensures key-based data searching and data distribution by implementing the put() and get() functions. Those two layers abstract the DHT-based P2P system. PriServ is implemented as an APPA (Atlas P2P Architecture) service on top of the DHT layer.

Global Architecture

The next figure shows the PriServ architecture in detail. Applications publish and request data through PriServ. The principal components of the PriServ service (storage manager, policy manager, key manager, cipher manager, data signature manager, trust manager) are organized by an orchestrator. The orchestrator is the central component of PriServ. According to the peer type (i.e., requester, owner, server), the orchestrator executes a different workflow using the components introduced above.

Owner orchestrator. Its role is to orchestrate the owner functionalities. It is responsible for publishing owner references or data depending on the called function (publishData() or publishReference()). It is also responsible for retrieving data or symmetric keys during the requesting process. It interacts with the application layer during publishing and with the requester orchestrator during retrieving.

Requester orchestrator. Its role is to orchestrate data requesting. It interacts with the application layer during requesting and with the owner orchestrator during retrieving.

Server orchestrator. Its role is to orchestrate the server functionalities. For that, it interacts with the DHT layer to store and retrieve data of the P2P system.

Basic functions

  • publishData(data, PPId): Owner peers use this function to publish data content in the system. The second parameter is the privacy policy that dictates the usage conditions and access restrictions of the published data. This function returns true if the data content is successfully distributed, false otherwise. To protect data privacy against potentially untrusted servers, the data content is encrypted (symmetric cryptography) before distribution.
  • publishReference(data, PPId): Owner peers use this function to publish data references in the system. The second parameter is the privacy policy that dictates the usage conditions and access restrictions of the published data references. This function returns true if the data references are successfully distributed, false otherwise. Servers store data references and help requesters find data owners in order to obtain the data content. Publishing only data references allows owners to publish private data while being sure that the data content will be provided only to the right requesters. This cannot be guaranteed by the previous function because servers may misbehave by returning encrypted data to unauthorized peers.
  • request(dataRef, purpose, operation): Requester peers use this function to request data (dataRef) for a specific purpose (e.g., researching, diagnosis, analyzing) in order to perform a specific operation (i.e., read, write, disclosure). This function returns the requested data if the requester has the corresponding rights, otherwise it returns null. This function compels requesters to specify the access purpose and the operation that they will apply to the requested data. This explicit request commits users to use data only for the specified purposes and operations. Legally, this commitment may be used against malicious users if data are used for other purposes/operations.

PriServ Architecture
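The following Java sketch is an added illustration and is not PriServ's own code (which is on SourceForge). It models the two layers described under Architecture (a lookup()/put()/get() stand-in for the Chord DHT) and the three basic functions above: publishData() encrypts on the owner and hands only ciphertext to the server, publishReference() hands the server nothing but a pointer to the owner, and request() is refused with null unless the owner's privacy policy permits the stated purpose and operation. An in-memory map of peers stands in for Java RMI calls to the owner; the policy shape (purpose mapped to allowed operations), the class and peer names, the SHA-1-based key derivation and the sample record are all assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class PriServSketch {
    // Stand-in for the overlay and distributed storage layers: lookup() maps a data reference
    // to its DHT key; put()/get() store and fetch whatever the responsible server holds.
    static class Dht {
        private final Map<String, String> store = new HashMap<>();
        static String lookup(String dataRef) throws Exception {
            return Base64.getEncoder().encodeToString(
                MessageDigest.getInstance("SHA-1").digest(dataRef.getBytes(StandardCharsets.UTF_8)));
        }
        void put(String key, String value) { store.put(key, value); }
        String get(String key) { return store.get(key); }
    }
    // Privacy policy (assumed shape; the page shows the PP meta model only as a figure):
    // for each allowed purpose, the operations a requester may perform.
    static class PrivacyPolicy {
        final String id;
        private final Map<String, Set<String>> allowed = new HashMap<>();
        PrivacyPolicy(String id) { this.id = id; }
        PrivacyPolicy allow(String purpose, String... ops) {
            allowed.computeIfAbsent(purpose, p -> new HashSet<>()).addAll(Arrays.asList(ops)); return this;
        }
        boolean permits(String purpose, String op) {
            return allowed.getOrDefault(purpose, Collections.emptySet()).contains(op);
        }
    }
    // Owner peer: policy manager, key manager and cipher manager folded into one class.
    static class OwnerPeer {
        final String id; private final Dht dht;
        private final Map<String, PrivacyPolicy> policies = new HashMap<>();
        private final Map<String, SecretKey> keys = new HashMap<>();   // symmetric keys never leave the owner
        private final Map<String, byte[]> localData = new HashMap<>(); // content kept when only a reference is published
        private final Map<String, String> policyOf = new HashMap<>();  // dataRef -> PPId
        OwnerPeer(String id, Dht dht) { this.id = id; this.dht = dht; }
        void registerPolicy(PrivacyPolicy pp) { policies.put(pp.id, pp); }
        // publishData(): encrypt locally so the server only ever stores ciphertext.
        boolean publishData(String dataRef, byte[] data, String ppId) throws Exception {
            if (!policies.containsKey(ppId)) return false;
            KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(128);
            SecretKey key = kg.generateKey();
            byte[] iv = new byte[12]; new SecureRandom().nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(data);
            keys.put(dataRef, key); policyOf.put(dataRef, ppId);
            Base64.Encoder b64 = Base64.getEncoder();
            dht.put(Dht.lookup(dataRef), "ENC:" + id + ":" + b64.encodeToString(iv) + ":" + b64.encodeToString(ct));
            return true;
        }
        // publishReference(): the server only learns which peer holds the data.
        boolean publishReference(String dataRef, byte[] data, String ppId) throws Exception {
            if (!policies.containsKey(ppId)) return false;
            localData.put(dataRef, data); policyOf.put(dataRef, ppId);
            dht.put(Dht.lookup(dataRef), "REF:" + id);
            return true;
        }
        // The purpose-based check runs on the owner, before a key or the data itself is handed out.
        private boolean authorized(String dataRef, String purpose, String op) {
            String ppId = policyOf.get(dataRef);
            return ppId != null && policies.get(ppId).permits(purpose, op);
        }
        SecretKey provideKey(String ref, String purpose, String op) { return authorized(ref, purpose, op) ? keys.get(ref) : null; }
        byte[] provideData(String ref, String purpose, String op) { return authorized(ref, purpose, op) ? localData.get(ref) : null; }
    }
    // Requester peer: request() returns the data, or null when the owner's policy denies it.
    static class RequesterPeer {
        private final Dht dht; private final Map<String, OwnerPeer> peers; // map stands in for RMI lookup of the owner
        RequesterPeer(Dht dht, Map<String, OwnerPeer> peers) { this.dht = dht; this.peers = peers; }
        byte[] request(String dataRef, String purpose, String operation) throws Exception {
            String entry = dht.get(Dht.lookup(dataRef));
            if (entry == null) return null;
            String[] f = entry.split(":");                      // base64 text and peer ids contain no ':'
            OwnerPeer owner = peers.get(f[1]);
            if (f[0].equals("REF")) return owner.provideData(dataRef, purpose, operation);
            SecretKey key = owner.provideKey(dataRef, purpose, operation);
            if (key == null) return null;                       // ciphertext without the key is useless
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, Base64.getDecoder().decode(f[2])));
            return c.doFinal(Base64.getDecoder().decode(f[3]));
        }
    }
    public static void main(String[] args) throws Exception {
        Dht dht = new Dht(); Map<String, OwnerPeer> peers = new HashMap<>();
        OwnerPeer alice = new OwnerPeer("alice", dht); peers.put(alice.id, alice);
        alice.registerPolicy(new PrivacyPolicy("PP1").allow("diagnosis", "read").allow("researching", "read"));
        byte[] record = "patient record 42 (constructed sample)".getBytes(StandardCharsets.UTF_8);
        alice.publishData("record-42", record, "PP1");        // ciphertext goes to the DHT
        alice.publishReference("record-43", record, "PP1");   // only a reference goes to the DHT
        RequesterPeer bob = new RequesterPeer(dht, peers);
        System.out.println(new String(bob.request("record-42", "diagnosis", "read"), StandardCharsets.UTF_8));
        System.out.println(bob.request("record-42", "marketing", "read"));   // purpose "marketing" is not in PP1
        System.out.println(bob.request("record-43", "diagnosis", "write"));  // operation "write" is not in PP1
    }
}
```

In main(), only the first request passes the owner's policy check; the other two are refused and request() returns null, exactly as the basic-function description states. The sketch also makes the difference between the two publishing functions concrete: after publishData() a misbehaving server can at most hand out ciphertext to an unauthorized peer, which is useless without the key the owner refuses to provide, while after publishReference() the server holds no content at all and the owner decides per request who receives it.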

Prototype

In our prototype, peers are implemented as Java objects using the Service Component Architecture (SCA). They can be deployed on a single machine or on several machines connected via a network. Each object contains the code needed to call the PriServ protocols.

To communicate between peers, we use Java RMI, which allows an object to invoke a method on a remote object. The prototype provides a GUI that enables the user to manage her local data and the data published in the P2P system, and to monitor the data stored at each peer, the privacy policies created by owners, and the references for data that may be accessed for particular purposes and operations.

Demonstration

A video demonstration of a privacy preserving application (PPA) can be downloaded here << .wmv >> <<.mov>>.

In this demonstration we show a PPA which uses the PriServ service.

The key features of the prototype are demonstrated through the following scenarios:

    • Privacy policies management: This scenario is used to show how a user can specify her privacy preferences by defining her own privacy policies (PP). She is also able to attach different PPs to a datum in order to control the access to her data.
    • Data publishing: This scenario shows how a user can publish data in the P2P system. Users have the choice between publishing encrypted data or only data references.
    • Data searching: This scenario shows how a user can search for data. A user has the choice between: (a) a local search on her own local data, (b) a P2P data request, and (c) a purpose-based reference search. We show how data access is only granted to allowed requesters.

Download

http://sourceforge.net/projects/priserv/

Publications

Book chapter

  • Mohamed Jawad, Patricia Serrano-Alvarado, Patrick Valduriez. "Supporting Data Privacy in P2P Systems". Chapter in the book "Security and Privacy Preserving in Social Networks", to be published by Springer (ISBN 978-3-7091-0893-2) by August 2013. hal-00807625.

Conferences

  • Mohamed Jawad, Patricia Serrano Alvarado, Patrick Valduriez, and Stéphane Drapeau, Data Privacy in Structured P2P systems with PriServ, 25èmes Journées des Bases de Données Avancées (BDA), October 20-23, 2009, Namur, Belgium.
  • Mohamed Jawad, Patricia Serrano Alvarado, Patrick Valduriez, and Stéphane Drapeau, A Data Privacy Service for Structured P2P Systems, Proceedings of the Mexican International Conference in Computer Science (ENC), September 21-25, 2009, Mexico City, Mexico.
  • Mohamed Jawad, Patricia Serrano Alvarado, and Patrick Valduriez, Protecting Data Privacy in Structured P2P Networks, Proceedings of the Second International Conference on Data Management in Grid and P2P Systems (Globe), August 31-September 4, 2009, Linz, Austria.
  • Mohamed Jawad, Patricia Serrano Alvarado, and Patrick Valduriez, Design of PriServ, a Privacy Service for DHTs, Proceedings of the 2008 International Workshop on Privacy and Anonymity in Information Society (PAIS), collocated with EDBT, March 29-29, 2008, Nantes, France.

Poster and demo

  • Mohamed Jawad, Patricia Serrano Alvarado, Patrick Valduriez, and Stéphane Drapeau, Privacy Support for Sensitive Data Sharing in P2P Systems, 27èmes Journées de Bases de Données Avancées (BDA), Demonstration paper and poster, October 24-27, 2011, Rabat, Morocco.
  • Mohamed Jawad, Patricia Serrano Alvarado, and Patrick Valduriez, PriServ: Service de Gestion de Confidentialité de Données dans les Systèmes Pair-à-Pair, third award in the Journées des Doctorants de l'ESTIM (JDOC), 2009, Nantes, France.

PhD Thesis

Master report

Contributors

Contact: Mohamed[dot]Jawad[at]univ-nantes[dot]fr