Collection and storage of massive datasets is normal practice for many organizations. This trend is driven by inexpensive data storage costs and the increasing benefits of data-driven insights and decision-making. Another trend is the desire to share and link data. In particular, the low cost and high reward for sharing network traffic datasets is particularly striking. Unfortunately, network data is sensitive: it may contain personally identifiable information or details of sensitive network structures. Technical solutions to data sharing when information disclosure is a concern must address three challenges: secure access, privacy protection, and utility preservation. Secure access allows the analyst to perform their computation without ever seeing the raw data. Even if the analyst never sees the raw data, they may still be able to infer sensitive information based on the output. Privacy protection ensures this inference cannot happen. Utility preservation ensures that results are useful as if the analyst had direct access to raw data. Data anonymization is a commonly proposed solution to the data sharing problem, including for network trace analyses. Unfortunately, any instantiation of the data anonymization paradigm will fundamentally pose a substantial risk to either privacy or utility. Our Solution TRIFECTA: a utility-and-privacy-preserving platform for secure data release. TRIFECTA achieves a stronger combination of utility preservation and privacy protection than data anonymization techniques. Specifically, data contributors are given strong, quantifiable guarantees regarding how much information can be learned about them based on their decision to contribute, and data analysts are able to link datasets from multiple sources and extract useful analysis results, nearly as if they had access to each original raw dataset. These capabilities are made possible through our combined use of secure hardware enclaves, differential privacy and formal methods. Our use of secure hardware provides a solution to secure access, whereas our combined use of differential privacy and formal methods provides a solution for utility preservation and privacy protection, as well as âtuning knobsâ for navigating the tension between utility and privacy concerns. TRIFECTA builds on two existing prototypes which already exhibit many of our proposed capabilities. TRIFECTA will enable secure, privacy-preserving data sharing at low cost, resulting in numerous public benefits. Specifically, TRIFECTA will automatically: minimize the cost and effort of sharing sensitive data, minimize the likelihood of unintended data leakage, and enable discovery and safe use of shared sensitive datasets. In Phase 1, we will build TRIFECTA by integrating two existing prototypes and investigate challenges in utility/privacy trade-offs. In Phase 2 we will streamline deployment, develop solutions to privacy/utility challenges, and demonstrate data sharing workflows âat sc
