Data Privacy in Trigger-Action Systems

TL;DR

This paper introduces eTAP, a privacy-preserving platform for trigger-action systems that executes rules without exposing private data, using garbled circuits to ensure security and practicality.

Contribution

eTAP is the first system to enable secure, private execution of trigger-action rules using garbled circuits, supporting common operations and integrating with popular TAPs.

Findings

Supports 100% of top IFTTT rules and 93.4% of Zapier rules

Achieves modest performance overhead with 70 ms latency increase

Proves security guarantees through formal protocols

Abstract

Trigger-action platforms (TAPs) allow users to connect independent web-based or IoT services to achieve useful automation. They provide a simple interface that helps end-users create trigger-compute-action rules that pass data between disparate Internet services. Unfortunately, TAPs introduce a large-scale security risk: if they are compromised, attackers will gain access to sensitive data for millions of users. To avoid this risk, we propose eTAP, a privacy-enhancing trigger-action platform that executes trigger-compute-action rules without accessing users' private data in plaintext or learning anything about the results of the computation. We use garbled circuits as a primitive, and leverage the unique structure of trigger-compute-action rules to make them practical. We formally state and prove the security guarantees of our protocols. We prototyped eTAP, which supports the most commonly used operations on popular commercial TAPs like IFTTT and Zapier. Specifically, it supports Boolean, arithmetic, and string operations on private trigger data and can run 100% of the top-500 rules of IFTTT users and 93.4% of all publicly-available rules on Zapier. Based on ten existing rules that exercise a wide variety of operations, we show that eTAP has a modest performance impact: on average rule execution latency increases by 70 ms (55%) and throughput reduces by 59%.