The huge growth of e-shopping has brought convenience to customers and increased revenue to merchants and financial entities. Moreover, e-shopping has evolved to possess many functions, features, and requirements (e.g., regulatory ones). However, customer privacy has been mostly ignored, and while it is easy to add simple privacy to an existing system, this typically causes loss of functions. What is needed is enhanced privacy on one hand, and retaining the critical functions and features on the other hand. This is a dilemma which typifies the “privacy versus utility” paradigm, especially when it is applied to an established primitive with operational systems, where applying conventional privacy-by-design principles is not possible and completely altering information flows and system topologies is not an option. This dilemma is becoming more problematic with the advent of regulations such as the European GDPR, which requires companies to provide better privacy guarantees whenever and wherever personal information is involved. In this chapter, we put forward a methodology for privacy augmentation design that is specially suitable for real-world engineering processes that need to adhere to the aforementioned constraints.We call this the “utility, privacy, and then utility again” paradigm. In particular,we start from the state-of-the-art industry systems that we need to adapt; then we add privacy enhancing mechanisms, reducing functionality in order to tighten privacy to the fullest (privacy); and finally, we incorporate tools which add back lost features, carefully relaxing privacy this time (utility again). Specifically, we apply this process to current e-shopping infrastructures, making them privacy respectful without losing functionality. This gives an e-shopping system with enhanced privacy features, presents a set of “utility-privacy trade-offs,” and showcases a practical approach implementing the notion of “privacy by design” while maintaining asmuch compatibility as possible with current infrastructures. Finally, we note that we implemented and tested performance of our design, verifying its reasonable added costs.
Acknowledgements
The work of Jesus Diaz was done in part in the Universidad Autónoma de Madrid and while visiting the Network Security Lab at Columbia University. The work of Seung Geol Choi was supported in part by ONR award N0001418WX01542 and NSF award #1618269. The work of David Arroyo was supported by projects S2013/ICE-3095-CM (CIBERDINE) and MINECO DPI2015-65833-P of the Spanish Government. The work of Francisco B. Rodriguez was supported by projects MINECO TIN2014-54580-R and TIN2017-84452-R of the Spanish Government. The work of Moti Yung was done in part while visiting the Simons Institute for Theory of Computing, UC Berkeley.