SoK: Data Sovereignty
Publication information
Authors
- Jens Ernstberger
- Jan Lauinger
- Fatima Elsheimy
- Liyi Zhou
- Sebastian Steinhorst
- Ran Canetti
- Andrew Miller
- Arthur Gervais
- Dawn Song
Notes
Society appears to be on the verge of recognizing the need for control over sensitive data in modern web applications. Recently, many systems claim to give control to individuals, promising the preeminent goal of data sovereignty. However, despite recent attention, research and industry efforts are fragmented and lack a holistic system overview. In this paper, we provide the first transecting systematization of data sovereignty by drawing from a dispersed body of knowledge. We clarify the field by identifying its three main areas: (i) decentralized identity, (ii) decentralized access control and (iii) policy-compliant decentralized computation. We find that literature lacks a cohesive set of formal definitions. Each area is considered in isolation, and priorities in industry and academia are not aligned due to a lack of clarity regarding user control. To solve this issue, we propose formal definitions for each sub-area. By highlighting that data sovereignty transcends the domain of decentralized identity, we aim to guide future works to embrace a broader perspective on user control. In each section, we augment our definition with security and privacy properties, discuss the state of the art and proceed to identify open challenges. We conclude by highlighting synergies between areas, emphasizing the real-world benefit obtained by further developing data sovereign systems.