Towards efficient and accurate privacy preserving web search

Abstract

Querying Web search engines is by far the most frequent activity performed by online users and consequently the one in which they are likely to reveal a significant amount of personal information. Protecting the privacy of Web requesters is thus becoming increasingly important. This is often done by using systems that guarantee unlinkability between the requester and her query. The most effective solution to reach this objective is the use of anonymous communication protocols (e.g., onion routing [10]). However, according to [14], anonymity might not resist to machine learning attacks. Thus, an adversary could link a query to her requester's public profile. Other approaches (e.g., [8,17]) guarantee unidentifiability of the user interests by generating noise (e.g., creating covert queries or adding extra keywords). However, these solutions overload the network and decrease the accuracy of the results. We present in this paper the first contribution that combines both approaches. It allows a user to perform a private Web search resistant to machine learning attacks while slightly decreasing the relevance of the results. Our three stage architecture contains: (1) a Privacy Proxy that relies on two non-colluding servers to hide the requester identity from the search engine; (2) a Linkability Assessment that analyses the risk that a request is reassociated with the identity of the requester; (3) an Obfuscator that protects the queries which have been flagged linkable by the linkability assessment.