Private Use of Untrusted Web Servers via Opportunistic Encryption

Users clamor for online services hosted on remote web servers. As a result, there is a growing concern about the security and privacy of the data uploaded by users to such remote services, which are under the control of potentially untrusted parties. A fair amount of work has focused on preventing, detecting, and correcting security breaches of web services, with limited efforts spent on the privacy concerns. Here we argue that the assurance of online data privacy must go beyond legal or social contracts, which provide only post-facto redress, to employ technical solutions. We sketch an architecture that enhances the privacy of data sent to remote web servers, in spite of any actions by the parties controlling the web servers. Towards this end, we propose the use of client-side opportunistic encryption and decryption to allow the user to control the future use of any data they upload to a web server. We examine the challenges involved and proposed new research directions.