Users can share information, but the network only sees encrypted data.
By Tom Simonite
Researchers at Microsoft have developed mobile social networking software that lets users share personal information with friends but not the network itself.
|Picture sharing: This photo will be tagged and sent to the users’ friends—but it will be encrypted so that the company that handles the network won’t be able to see it.
“When you share a photo or other information with a friend on [a site like] Flickr, their servers are also able to read that information,” explains Iqbal Mohomed, a researcher at Microsoft Research Silicon Valley, who developed the new network, called Contrail, with several colleagues. “With Contrail, the central location doesn’t ever know my information, or what particular users care about–it just sees encrypted stuff to pass on.”
When a Contrail user updates his information on the network, by adding a new photo, for example, the image file is sent to a server operating within the networks’ cloud, just as with a conventional social network. But it is encrypted and appended with a list that specifies which other users are allowed to see the file. When those users’ devices check in with the social network, they download the data and decrypt it to reveal the photo.
Contrail requires users to opt-in if they want to receive information from friends. When a person wants to receive a particular kind of update from a contact, a “filter” is sent to that friend’s device. If, for example, a mother wants to see all the photos tagged with the word “family” by her son, she creates the filter on her phone. The filter is encrypted and sent via the cloud to her son’s device.
Once decrypted, the filter ensures that every time he shares a photo tagged “family,” an encrypted version is sent to the cloud with a header directing it to the cell phone belonging to his mother (as well as anyone else who has installed a similar filter on his device). Encryption hides the mother’s preferences from the cloud, as well as the photos themselves. Each user has a cryptographic key on his or her device for every friend that is used to encrypt and decrypt shared information.
Contrail runs on Microsoft’s cloud computing service, Windows Azure, and the team has developed three compatible applications running on HTC Windows Mobile cell phones. “This is an [application programming interface] on top of which you can build all kinds of social applications,” explains Mohomed. “We just developed these applications to demonstrate what it can do.”
As well as the picture-sharing app, the researchers created a tool for sharing location information with friends. Friends can receive a notification when a user enters an area drawn on a map (see video of the app being demonstrated). But users restrict the amount of information shared by their phone. “It’s my location, so I get control,” says Mohomed. “If my boss wanted to track my location, I could allow them to do it only during the week, for example.”
Mohomed thinks some people will be attracted by the idea of a more secure social network, although he admits that a provider might need to find a different business model–many networks, including Facebook, rely on being able to access user data in order to deliver tailored advertising.
“I may not care that Flickr can see my photos and messages, but people may feel differently about location sharing,” says Mohomed. “Imagine you are using an application that allows you to track your kid’s cell phone–what if their server is compromised?”
David Koll, a researcher at the University of Göttingen, Germany, agrees that such scenarios are worth worrying about. He points out that there have been recent examples of servers being hacked. Social service provider RockYou, for example, had the login details of 32 million users stolen last year. “It’s good to think about different ways to run social networks,” he says. “People are becoming more aware of their privacy, and having a central store that knows everything has risks.”
Koll and his Göttingen colleagues are working on an alternative social networking architecture for mobile devices of their own. It would do away with a central server altogether, and have user data in secure caches distributed across the devices in the network. Having a central server has benefits, though. A cloud-based platform is straightforward to scale, says Mohomed. “If you have more users or traffic all of a sudden, perhaps due to a natural disaster, you just add more cloud instances to handle it.”