The Centre for Cyber Security and Privacy was one of the first organisations to become a PAD trustee. In this blog post, they introduce PAD and PAD trustees, and write about their experience of being a PAD trustee.
What is PAD?
PAD is an approach to ensuring privacy that is centred on the notion of transparency. The idea is to ensure that you are necessarily informed when data relevant to you is processed. For example, there may be good reasons why your bank needs to access your location; what PAD does is to guarantee that you can see that they have accessed it (and also, perhaps, their reason for doing so). PAD stands for “privacy-preserving accountable decryption”. When the bank wants to see your location, they need to decrypt it; it’s the decryption operation that is made transparent. The bank cannot prevent their access to your location from being recorded in the log that you see.
By making decryptions transparent, the decrypting agent (for example, your bank) can be held accountable. You can monitor how much private information about you they are processing, and ask them to explain why they are doing that. If you are not satisfied, you can take action, such as closing your account.
PAD trustees
A PAD trustee is a component of PAD that is run and controlled by an organisation external to and independent of the creators of PAD. There are currently four PAD trustees, and PAD is aiming to have about 10. PAD trustees are organisations that have their own business activity and are interested in helping make PAD work. The job of a trustee is to monitor a queue of decryption requests, and check that a decryption request found there matches information recorded on a public ledger (like a blockchain). If the check holds, then the trustee performs the decryption using a key it securely stores, and posts the decrypted information back to the blockchain.
PAD trustees don’t have any information about the nature of the request, the persons involved, or the data being processed. They are not required to make any judgement about the merits or otherwise of the decryption request - indeed, their ignorance of the nature of the request completely prevents them from making any such judgement. Their only job is to check that the request matches information held on the ledger, and if so, to perform the decryption. This is completely automated; the trustee typically runs a lightweight computer (such as a Raspberry Pi) which polls for requests, performs the checks, and performs the decryptions.
So far, all the PAD trustees are either universities or charities. This kind of organisation is suited to being a trustee, because it is generally respected by people for being the kind of organisation that upholds public values and serves the public good.
Trustees should be online most of the time, but PAD is designed to work even if there are temporary outages. PAD uses threshold cryptography. This means that decryptions can take place provided a certain fraction (for example, 3 out of 5) of the trustees are available.
Experience being a PAD trustee
The Centre for Cyber Security and Privacy is a research centre at the University of Birmingham that runs projects and writes academic papers about all aspects of computer security and privacy. We became a PAD trustee in June 2022 because we like the idea of PAD. It seems to provide a good approach to a very difficult question, namely, how to balance the requirement of privacy for individuals with the need of companies to access certain kinds of data.
The trustee software runs on a Raspberry Pi computer, and our job as trustee is to make sure the computer stays online so that it can monitor decryption requests, perform the necessary checks, and then return the decrypted information. There are several ways to set up a trustee platform, depending on the technical competence of the trustee. Ideally, a trustee has technical competence and is willing to be involved in the set-up. In this case, the trustee can source a Raspberry Pi by itself and configure a GNU/Linux flavour of its choice (e.g., Raspbian or Ubuntu). It can then download the JavaScript trustee software, inspect it, and configure it according to its wishes. This method allows the trustee to fully understand what the software does. There are no binaries in the distribution - everything is readable, inspectable and modifiable. The trustee can also update the software manually whenever the need arises.
Some trustees won’t have the technical competence and/or willingness to be so involved. For them, PAD will configure and ship a Raspberry Pi that’s ready to be plugged in. It can even be pre-configured with the trustee’s WiFi credentials, so it runs straight away. For these trustees, the trustee software can be configured to auto-update, minimising the requirement for the trustee to get involved.
We have chosen the “involved” option, so we control when and how updates take place (we get notifications from PAD when this is required). So far there have been a couple of updates, both related to new features or new configuration of the PAD system. The updates are very straightforward to apply. Our Raspberry Pi has chugged along without requiring much attention from us.
So what are trustees being trusted for?
As mentioned, the Raspberry Pi computer just runs by itself, and our job is limited to keeping it up and online, and occasionally installing software patches as they come up. We are not required (and not permitted) to get involved in the checking and decryption operations that the Raspberry Pi does. So what, exactly, is our role? Why are we needed as part of PAD? Couldn’t PAD servers do the job that we are doing?
Our role is to host the trustee system; it stores a decryption key, and its software is designed to use that key for decryption only if certain checks have worked successfully. The checking is to ensure the transparency of the decryption operation: the software checks that information about the decryption request has properly been inserted into an append-only blockchain, and hence will be available to the subject.
The core property that a trustee is trusted to provide is that a decryption will be done if, and only if, the request has been properly recorded in the ledger. Our job is to make sure that this usage policy of the decryption key on our Raspberry Pi is enforced. To fulfil this responsibility, we have to protect the Raspberry Pi from interference by attackers who may try to extract its private key. These could be online attackers (so we should keep the software patched and up-to-date); or they could be physically-present attackers that can take the memory card out of the Raspberry Pi (we should keep it in an access-controlled location).
To be part of PAD, we need our private decryption key to be a threshold share of the global decryption key that corresponds to the PAD encryption key. Our decryption key was generated by us at set-up time, and the global PAD encryption key is derived from the public keys of all the trustees. Like all the other trustees, we publish our public key and other public parameters, so that anyone can verify that the encryption key does indeed correspond to the set of trustees.
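The “decrypt if, and only if, the request is on the ledger” policy and the 3-out-of-5 threshold can be seen working together in the sketch below. It is an added example, not the PAD trustee software: it assumes textbook ElGamal over a toy group, a single constructed polynomial standing in for PAD's key set-up (the post says the real encryption key is derived from keys the trustees generate themselves), and a plain array of strings standing in for the ledger; all names are hypothetical.

```javascript
// Toy 3-of-5 threshold ElGamal with ledger-gated trustees. Parameters are far too small for real use.
const P = 2039n, Q = 1019n, G = 4n; // safe prime P = 2Q + 1; G generates the order-Q subgroup

const mod = (a, m) => ((a % m) + m) % m;
function modPow(b, e, m) {
  let r = 1n; b = mod(b, m);
  for (; e > 0n; e >>= 1n) { if (e & 1n) r = (r * b) % m; b = (b * b) % m; }
  return r;
}
const modInv = (a, m) => modPow(a, m - 2n, m); // Fermat inverse, valid because m is prime

// Constructed polynomial f(x) = 123 + 45x + 67x^2 over Z_Q: f(0) is the global secret and
// trustee i holds the share f(i). Degree 2 means any 3 shares determine f(0), 2 do not.
const COEFFS = [123n, 45n, 67n];
const share = (i) => COEFFS.reduce((acc, c, k) => mod(acc + c * BigInt(i) ** BigInt(k), Q), 0n);
const PUBLIC_KEY = modPow(G, COEFFS[0], P);

// r is the per-message randomness (chosen by the caller in this demo; random in practice).
const encrypt = (m, r) => ({ c1: modPow(G, r, P), c2: (m * modPow(PUBLIC_KEY, r, P)) % P });

// What the ledger records for a request: its id bound to the exact ciphertext.
const ledgerEntry = (req) => `${req.id}|${req.c1}|${req.c2}`;

// A trustee releases its partial decryption only if the request matches a ledger entry.
function partialDecrypt(i, req, ledger) {
  if (!ledger.includes(ledgerEntry(req))) return null; // not recorded: refuse
  return { i, d: modPow(req.c1, share(i), P) };
}

// Combine partial decryptions using Lagrange coefficients evaluated at x = 0.
function combine(partials, c2) {
  let s = 1n;
  for (const { i, d } of partials) {
    let lam = 1n;
    for (const { i: j } of partials) {
      if (j !== i) lam = mod(lam * BigInt(j) * modInv(mod(BigInt(j - i), Q), Q), Q);
    }
    s = (s * modPow(d, lam, P)) % P;
  }
  return (c2 * modInv(s, P)) % P; // s equals PUBLIC_KEY^r when at least 3 shares took part
}

// online: indices (1..5) of the trustees that are currently reachable.
function requestDecryption(req, ledger, online) {
  const partials = online.map((i) => partialDecrypt(i, req, ledger)).filter(Boolean);
  return partials.length >= 3 ? combine(partials, req.c2) : null;
}
```

No trustee ever reconstructs the global secret: each one only raises `c1` to its own share, which is why extracting a single Raspberry Pi's key is not enough to decrypt.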
Conclusion and going forward
In the future, trustees may be able to specialise in different applications of PAD, either to limit their bandwidth or to reflect the role they want to have in protecting privacy. Being a PAD trustee means we are contributing to the running of a system which improves the transparency of private data usage, and hence improves privacy for ordinary people. It consumes a little bit of electricity and bandwidth, and potentially can make a big contribution to our online lives. We hope that PAD continues to find more and more use cases, and that the trustee ecosystem grows.