Secure information sharing in distributed information management applications: problems and directions

Piotr Mardziel, Adam Bender, Michael Hicks, Dave Levin, Mudhakar Srivatsa, Jonathan Katz

Abstract

Interaction between entities who may not trust each other is now commonplace on the Internet. This paper focuses on the specific problem of sharing information between distrusting parties. Previous work in this area shows that privacy and utility can co-exist, but often does not provide strong assurances of one or the other. In this paper, we sketch a research agenda with several directions for attacking these problems, considering several alternative systems that examine the privacy vs. utility problem from different angles. We consider new mechanisms such as economic incentives to share data or discourage data leakage and a hybrid of code-splitting and secure multi-party computation to provide various assurances of secrecy. We discuss how to incorporate these mechanisms into practical applications, including online social networks, a recommendation system based on users’ qualifications rather than identities, and a “personal information broker” that monitors data leakage over time. We hope that this paper will spark ideas and conversation at ACITA about directions most worth pursuing.

I. INTRODUCTION

The rise of distributed information management (DIM) applications has followed the rise of the Internet. In these applications, users store information on a site for the purpose of sharing it with recipients. Users have incentive to share data; for example, users build social capital when sharing data on a social network like LinkedIn,¹ creating future opportunities for work or collaboration.
On the other hand, sharing too much information is dangerous because the recipients of the information, or the system itself (assuming it is not controlled by the information owner), may have incentive to share sensitive data with eavesdroppers that a user has not authorized to view his data, but would gain from knowing it. For example, Alice could report to Bob’s former employer that he has joined a company in violation of his former employer’s IP agreement, having discovered this information on LinkedIn.

Government entities such as the military are in an analogous situation: they have incentive to share sensitive information—about potential military targets, suspicious activities, difficult technical problems, or vulnerabilities—with partners at differing levels of trust. Misuse of this information may result in harm. But harm is also possible if information is not shared, as the information could be necessary to prevent loss of life, assets, or advantage.

Mudhakar Srivatsa is located at the IBM T.J. Watson Research Center; all other authors are with the University of Maryland, College Park.

¹ http://www.linkedin.com

Our research aims to design mechanisms and protocols toward building applications that aim to balance these competing principles of need to know with responsibility to share. We would like both sites and users to be disincentivized or prevented from sharing information with eavesdroppers, while at the same time to be incentivized to share information, to add value to their work.

In this paper, we outline the beginnings of a research agenda toward building more secure information management applications. We begin (Section II) by describing two styles of application that motivate our work—online social networks and information hubs—and describe the goals and incentives for users and administrators of these applications.
Next we discuss ideas for employing economic models and mechanisms for describing the incentives of participants in these applications with the goal of developing policies that balance the risk and reward of information sharing (Section III). In the following two sections we consider mechanisms useful for permitting no more sharing than necessary between mutually-distrusting parties (Section IV), including means to quantitatively estimate the information released during an interaction (Section V). Finally, we sketch future plans and conclude.

II. APPLICATIONS

In this section we present two applications that serve as motivation for the mechanisms we propose. The first, online social networks, have shown exponential growth in the number of users over the past few years. The second, a collaborative reviewing application, is a general class which encompasses many current and future uses.

A. Online social networks

An online social network (OSN) is an application through which users can easily share certain types of information, such as personal expertise and interests, noteworthy professional or personal events, photos, or messages. One popular OSN is Facebook, which specializes in social/personal interactions. Facebook has upwards of 400 million active users, 50% of whom log in at least once per day [1]. LinkedIn is another popular social network specializing in professional interactions, e.g., for finding employment and making business connections. The Pentagon has recognized that OSNs are valuable for military personnel, recently reversing a ban on the services [2], and at the prompting of Admiral Mike Mullen, Chairman of