“Privacy policies are really hard to read and understand, and now with COVID-19 so many people are doing so much more online that privacy policies are more important than ever,” said Miti Mazmudar, a PhD candidate in the Cryptography, Security, and Privacy (CrySP) research group.
Although research has been conducted into alternative representations of privacy policies, the systems that have been developed do not determine whether website providers adhere to the data handling practices outlined in their privacy policies.
Mitigator can work on any computer, but the companies that own the website servers must have machines with a trusted execution environment — a secure area of modern server-class processors that guarantees the confidentiality and integrity of the code and data loaded into it. The Mitigator prototype is implemented on the Intel Software Guard Extensions (SGX) trusted hardware platform.
“The big difference between Mitigator and prior systems that had similar goals is that Mitigator’s primary focus is on the signal it gives to the user,” said Ian Goldberg, a Professor at the Cheriton School of Computer Science and the Canada Research Chair in Privacy Enhancing Technologies.
“The important thing is not just that the company knows their software is running correctly; we want the user to get this assurance that the company’s software is running correctly and is processing their data properly and not just leaving it lying around on disk to be stolen. Users of Mitigator will know whether their data is being properly protected, managed, and processed while the companies will benefit in that their customers are happier and more confident that nothing untoward is being done with their data.”