Researchers from Google, Mozilla, University College London (UCL) and Stanford and Chalmers Universities in the US are presenting a paper today at the 11th USENIX Symposium on Operating Systems Design and Implementation in Colorado which they believe will set a new standard for online privacy in the future.
The presentation is about a new system called Confinement with Origin Web Labels (COWL), which will be freely available to download and use from 15th October.
COWL is designed to solve a problem which exists at the heart of today’s web architecture. As more and more of our critical applications are moved online, they have to be able to share data among themselves in order to be effective. The problem is that every time they do, your data is at risk of leaking out through a third party site over which developers have no control.
Professor Brad Karp of UCL explains the issue thus:
“One useful web application would let users check they’re not being overcharged for items they’ve ordered from Amazon,” Karp says in a press statement issued today. “The app would have to pull in information from the user’s bank statement and Amazon, reconcile the two, and present the result in the browser. To do this, a web developer would need to write code that integrated data from the bank’s web site with data from Amazon’s web site… This clearly compromises the user’s privacy as the provider of the app gains full access to the user’s online banking system and Amazon account.”
The most obvious manifestation of this is when we link our Google Drives with Evernote with Dropbox with Feedly with Trello and so on, but the problem is exacerbated by the re-use of off-the-shelf Java and open source snippets to create web pages and apps which may never be checked or updated, yet which third parties implicitly trust. Generally speaking, you have no idea whether a third-party script is accidentally leaking personal data that was gathered by one app and is used by another, anywhere on the web.
The solution, according to the authors of the paper, is for the developers of app A to define exactly what information is shared with app B, and for that information to be rendered useless once it’s been processed. This is done by enclosing the data in a secure container rather than simply pumping one iframe into another, as is currently often the case. Technically, COWL is described as:
According to the creators, there’s almost no processing overhead either.
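To make the confinement idea above concrete, here is a toy model of origin-labelled data flow in the price-check scenario. It is an added illustration, not the COWL browser API; the names `Label`, `Labeled`, `ConfinedContext` and the origins used are assumed for the example.

```javascript
// Toy model of confinement with origin labels (illustration only, not COWL's API).
// A label is the set of origins that own a piece of data. Reading labeled data
// raises the reader's label (set union); a message may only leave a context for
// an origin whose label is at least as restrictive as the context's own.
class Label {
  constructor(origins = []) { this.origins = new Set(origins); }
  join(other) { return new Label([...this.origins, ...other.origins]); }
  // Data labeled `this` may flow to `dest` only if `dest` includes every owner.
  canFlowTo(dest) { return [...this.origins].every(o => dest.origins.has(o)); }
  toString() { return this.origins.size ? [...this.origins].join(",") : "public"; }
}

// A value plus the label its owning site attached before sharing it.
class Labeled {
  constructor(value, label) { this.value = value; this.label = label; }
}

// A context (think: the iframe running the third-party app code) starts unlabeled.
class ConfinedContext {
  constructor() { this.label = new Label(); this.disposed = false; }
  read(labeled) {                       // reading taints the whole context
    if (this.disposed) throw new Error("context disposed");
    this.label = this.label.join(labeled.label);
    return labeled.value;
  }
  send(toOrigin) {                      // true = permitted, false = would leak
    if (this.disposed) throw new Error("context disposed");
    return this.label.canFlowTo(new Label([toOrigin]));
  }
  dispose() { this.label = null; this.disposed = true; }  // result shown, taint gone
}

// Karp's price-check scenario, with constructed sample data (amounts in cents).
function priceCheckScenario() {
  const bank = new Labeled([{ merchant: "amazon", charged: 4200 }],
                           new Label(["https://bank.example"]));
  const orders = new Labeled([{ merchant: "amazon", price: 3999 }],
                             new Label(["https://amazon.example"]));
  const ctx = new ConfinedContext();
  const beforeRead = ctx.send("https://pricecheck.example");  // nothing read yet: allowed
  const statement = ctx.read(bank);
  const afterBank = ctx.send("https://pricecheck.example");   // bank data read: denied
  const purchases = ctx.read(orders);
  const overcharge = statement[0].charged - purchases[0].price;
  const leakToApp = ctx.send("https://pricecheck.example");   // app provider never sees the data
  const leakToBank = ctx.send("https://bank.example");        // denied: now also Amazon-labeled
  const label = ctx.label.toString();
  ctx.dispose();                                               // container discarded after use
  return { beforeRead, afterBank, leakToApp, leakToBank, overcharge, label };
}
```

The computed overcharge can still be rendered to the user inside the confined context; what the model forbids is exporting it (or the raw statements) to any origin the accumulated label does not permit.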
If COWL is successful, it could be the holy grail of data protection: something that offers privacy to the user while still allowing the modern net to function. We’re off to read the report again and speak to a few devs about how successful they think it might be.
One use of COWL, if I understand the paper correctly, might be to get rid of the problematic password reset “memorable questions” process. Rather than storing all your details with Facebook, for example, your memorable data might be kept at memorablequestions.com. When Facebook needs to know that data it retrieves it as required, uses it in a secured environment and then destroys it. (In the real world, Facebook would probably become the store of that data for others to access, of course.)

Source: Eurekanet