Talk: From Principles to Practice of Data Minimization by Andrei Sabelfeld
Abstract:
The principle of data minimization is foundational to privacy and security, yet putting it into practice remains a significant challenge. This talk develops language-based data minimization and demonstrates how to enforce it in practice across modern data-driven systems. We explore how the semantics of user-defined automation logic can be analyzed to derive minimal data-access requirements. We leverage program dependency analysis and deferred computation to enforce data-access minimization, in some cases even in adversarial environments, without requiring trust in the execution platform. Our approach spans both static and dynamic enforcement techniques and accommodates features such as queries and nondeterminism. We showcase its effectiveness for Trigger-Action Platforms (TAPs) through the development and empirical evaluation of tools such as minTAP and LazyTAP.
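As an added illustration of the idea sketched in the abstract (not code from minTAP, LazyTAP or the speaker), the Python sketch below runs a dependency analysis over a constructed TAP filter to derive the trigger fields it may read, projects the trigger payload to that set before execution (static enforcement), and contrasts it with a deferred-fetch proxy that requests only the fields the executed path actually touches (dynamic enforcement). The applet, its field names and all helper names are assumptions made for the example.

```python
import ast
import types
from typing import Callable, Dict, Set

# Constructed example applet: a TAP filter that decides whether to notify,
# based on a weather trigger whose payload carries more fields than needed.
APPLET_SOURCE = """
def filter(trigger):
    if trigger.temperature > 30:
        return {"action": "notify", "text": "Heat warning for " + trigger.city}
    return None
"""

def static_required_fields(source: str, param: str = "trigger") -> Set[str]:
    """Static over-approximation: every syntactic `param.<field>` access in the
    filter counts as required, whether or not that branch ever executes."""
    tree = ast.parse(source)
    return {
        node.attr
        for node in ast.walk(tree)
        if isinstance(node, ast.Attribute)
        and isinstance(node.value, ast.Name)
        and node.value.id == param
    }

def minimize(payload: Dict[str, object], required: Set[str]) -> Dict[str, object]:
    """Platform-side enforcement: release only the derived minimal fields."""
    return {k: v for k, v in payload.items() if k in required}

def run_minimized(source: str, payload: Dict[str, object]):
    """Static enforcement end to end: analyze, project the payload, execute."""
    namespace: Dict[str, object] = {}
    exec(source, namespace)  # trusted, constructed applet source
    trigger = types.SimpleNamespace(**minimize(payload, static_required_fields(source)))
    return namespace["filter"](trigger)

class LazyTrigger:
    """Dynamic variant: a field is fetched on first access and the access is
    recorded, so only fields the executed path touches are ever requested."""
    def __init__(self, fetch: Callable[[str], object]):
        self._fetch, self.accessed = fetch, set()
    def __getattr__(self, name: str):
        self.accessed.add(name)
        return self._fetch(name)

def run_lazy(source: str, payload: Dict[str, object]):
    """Dynamic enforcement: execute against a deferred-fetch trigger proxy and
    return the filter result together with the fields actually accessed."""
    namespace: Dict[str, object] = {}
    exec(source, namespace)
    trigger = LazyTrigger(lambda field: payload[field])
    return namespace["filter"](trigger), trigger.accessed
```

On a cold trigger the dynamic run touches only `temperature`, while the static analysis must also release `city` because the notifying branch could have run.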
Bio: Andrei Sabelfeld is Professor at Chalmers University of Technology, Visiting Professor at KTH, and, previously, Researcher at Cornell University in Ithaca, NY, USA. Andrei’s research spans from foundations to applications in a range of topics including software security, web security, IoT security, security foundations, and applied cryptography. He is a recipient of a number of prestigious prizes and awards from ERC, KAW, SSF, VR, WASP, Chalmers, Google, Amazon, Meta (Facebook), and OpenAI.