Wednesday, February 01, 2012

Research Update: A Language for Automatically Enforcing Privacy Policies

For the last three years, I have been working on the ideas that led to the creation of Jeeves (project website here), a new programming language for automatically enforcing privacy policies. Last week I presented our first paper on Jeeves at the Principles of Programming Languages (POPL) conference. You may read our paper here and look over the slides here.

To describe Jeeves I will quote Jacob Aron, who does a good job in this recent New Scientist article:

Even with your friends under control, a software bug could still expose your private data - as Facebook CEO Mark Zuckerberg himself found out recently when a glitch revealed his photos to the world. To solve this, researchers at the Massachusetts Institute of Technology have come up with a new programming language called Jeeves that automatically enforces privacy policies.

Programmers have to explicitly ensure data flowing through their software obeys necessary privacy policies, but it is easy to slip up and let information leak out. Jeeves solves that by substituting the value of variables within the software depending on who the user is. For example, say Alice posts a message but doesn't want anyone but herself to see who wrote it. The programmer can use the variable "author" without worrying what the user sees - when the software runs, Jeeves ensures Alice will see her own name, but everyone else logging in will see "Anonymous".

Jean Yang, who helped develop Jeeves, says the new language lets a programmer delegate privacy responsibilities and concentrate on the actual function of their code, much like a party host might entrust their butler with ensuring the needs of each guest are met so they can spend more time socialising.

Jeeves allows the programmer to provide high-level declarative policies for privacy and rely on the runtime system to automatically produce outputs adhering to these policies. The Jeeves runtime uses symbolic evaluation and constraint-solving in order to do this. We have an implementation of Jeeves as an embedded domain-specific language in Scala. (Code here.)
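To make the substitution described above concrete, here is an added illustration that is not code from the Jeeves project: a simplified Python model of faceted values in which the program computes with the sensitive `author` without branching on the viewer, and a runtime resolves the facets at output time. The `Facet`, `Deferred`, `lift` and `Runtime` names are this sketch's own, it replaces Jeeves's symbolic evaluation and constraint solver with direct facet selection, and the default-deny choice for a label with no policy is an assumption.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict

@dataclass(frozen=True)
class Facet:
    """Shows `high` to viewers the label's policy admits, `low` to everyone else."""
    label: str
    high: Any
    low: Any

@dataclass(frozen=True)
class Deferred:
    """A computation over faceted inputs; its result is only known per viewer."""
    fn: Callable[..., Any]
    args: tuple

def lift(fn: Callable[..., Any]) -> Callable[..., Any]:
    """Make `fn` defer its evaluation whenever any argument is faceted."""
    def wrapped(*args):
        if any(isinstance(a, (Facet, Deferred)) for a in args):
            return Deferred(fn, args)
        return fn(*args)
    return wrapped

class Runtime:
    def __init__(self) -> None:
        self.policies: Dict[str, Callable[[str], bool]] = {}

    def restrict(self, label: str, may_see: Callable[[str], bool]) -> None:
        """Declarative policy: which viewers may see the high facet of `label`."""
        self.policies[label] = may_see

    def concretize(self, value: Any, viewer: str) -> Any:
        """Resolve every facet for `viewer`; an unrestricted label is default-deny (assumption)."""
        if isinstance(value, Facet):
            allowed = self.policies.get(value.label, lambda _v: False)(viewer)
            return self.concretize(value.high if allowed else value.low, viewer)
        if isinstance(value, Deferred):
            return value.fn(*(self.concretize(a, viewer) for a in value.args))
        return value

def render_post(viewer: str) -> str:
    """Alice's post from the article: only she sees the author; the code never tests `viewer`."""
    rt = Runtime()
    author = Facet("author", high="Alice", low="Anonymous")
    rt.restrict("author", lambda v: v == "Alice")
    fmt = lift(lambda a, body: f"{a}: {body}")
    line = fmt(author, "hello")  # Deferred: the program logic stays policy-agnostic
    return rt.concretize(line, viewer)
```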

Next steps for Jeeves include looking at how Jeeves can handle policies for integrity and declassification (in addition to confidentiality) and looking at how well Jeeves scales for real-world applications.

It says a lot about our research community that languages and solvers are at a point where we can even consider this sort of separation of global concerns from core program functionality. I am excited about a future in which we can continue to make programmers’ lives easier by teasing out and automating concerns such as privacy.
