Policy-Carrying Data: A Privacy Abstraction for Attaching Terms of Service to Mobile Data

HotMobile '15 Proceedings of the 16th International Workshop on Mobile Computing Systems and Applications

Published by ACM Press

Despite decades of work on privacy-protecting systems, mobile user privacy remains at the mercy of cloud service providers. This paper proposes a different approach — let users attach Terms of Service (ToS) to their data before uploading it to the cloud. We propose an abstraction, called policy-carrying data (PCD), that lets users specify and attach ToS to their data. PCD guarantees that cloud providers claim they are compliant with the ToS policy before they are able to access the data. To offer this guarantee, PCD relies on attribute-based encryption. We present PCD’s semantics and properties, and describe how PCD can be added to JSON or REST. Our hope is that PCD opens a different research path — designing privacy abstractions that provide legal ammunition for mobile users against misuse of their data.