Lunch Hour Lecture: Protecting users’ privacy in modern web applications
By Kilian Thayaparan, on 18 February 2015
“This thing will never take off,” Professor Brad Karp (UCL Computer Science) jokingly recalls himself saying about the World Wide Web when the concept was first introduced to him in the 1990s. Yet since its introduction, when websites were simply static documents, it has gone on to be of incredible value to people across the globe.
The evolution of the World Wide Web has led to an increasing focus on web applications, or ‘apps’, and with this has come a problematic conflict between privacy and functionality. It is this conflict that formed the basis of Professor Karp’s Lunch Hour Lecture, as he put forward a solution to end this “unpalatable trade-off”.
According to Professor Karp, the issue has arisen as a result of the Web’s original architecture; designers were thinking about privacy when building the Web, but this same approach has restricted the creation of web applications. To get around such restrictions, developers need to work outside of this architecture and subsequently compromise on privacy.
An example of this is the same-origin policy (SOP). Under SOP, a script from one origin is unable to read data from another origin, which creates a ‘brick wall’ between origins and ensures privacy. However, because cross-origin interaction is blocked, modern apps are unable to function as intended, so they often ask you to give them access to your sensitive information instead.
Although in such instances the app is not malicious but simply trying to deliver functionality, the repeated sharing of such information in itself creates privacy risks. For this reason, Professor Karp and a team of PhD students from UCL and Stanford University have been working towards a solution that allows cross-origin sharing of information without having a detrimental effect on privacy.
This solution is centred on confinement, and more specifically, Confinement with Origin Web Labels (COWL). Making use of COWL means that sensitive information is labelled in a way that ensures it is confined to the relevant parties and cannot be shared outside of this relationship.
This, in a way, ‘relaxes’ SOP to allow safe cross-origin interaction, in turn enabling both functionality and privacy. The idea has been deployed across Firefox and Chromium, and it has also generated significant interest in the media for its ability to offer a “simple, fast and backward compatible” solution.
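The confinement idea described above can be sketched in a few lines. This is an added illustration, not code from the lecture or from the COWL project, and it does not use the real COWL API: the class names, the origins and the password-checker scenario are constructed for the example. A script may read labelled data from another origin, but after reading it the script can only send to an origin that the label permits.

```javascript
// Simplified model of label-based confinement. Not the real COWL API:
// class names, origins and the sample password are constructed.
class Labeled {
  constructor(value, origins) {
    this.value = value;
    this.label = new Set(origins); // origins this data is sensitive to
  }
}

class Context {
  constructor(origin) {
    this.origin = origin;
    this.label = new Set(); // origins whose data this context has read
    this.sent = [];         // outgoing messages that were permitted
  }
  // Reading is always allowed, but it taints the context with the data's label.
  read(labeled) {
    for (const o of labeled.label) this.label.add(o);
    return labeled.value;
  }
  // A context may send only to an origin entitled to everything it has read.
  canSendTo(dest) {
    return [...this.label].every((o) => o === dest);
  }
  send(dest, message) {
    if (!this.canSendTo(dest)) throw new Error(`confined: ${dest} blocked`);
    this.sent.push({ dest, message });
  }
}

function demo() {
  const bank = "https://bank.example";
  const checker = "https://checker.example";
  const lib = new Context(checker); // third-party password-strength script
  const before = lib.canSendTo(checker);              // untainted: allowed
  const pw = lib.read(new Labeled("hunter2", [bank]));
  lib.send(bank, pw.length >= 8 ? "strong" : "weak"); // result may go to the bank
  let leaked = true;
  try { lib.send(checker, pw); } catch (e) { leaked = false; }
  // Reading a second origin's data leaves no origin entitled to the mix.
  lib.read(new Labeled("contacts", ["https://mail.example"]));
  return { before, leaked, sent: lib.sent, afterMix: lib.canSendTo(bank) };
}
```

Calling `demo()` shows the three cases: the untainted script can talk to its own server, the tainted script can reply only to the bank, and a script that has mixed data from two origins can send to neither.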
Professor Karp’s Lunch Hour Lecture highlighted that, despite the power of the Web in the modern world, it’s often easy to underestimate its limitations and the challenges that they present.
However, it also highlighted the impressive work that is being done to overcome such challenges, ensuring that the World Wide Web continues to be at the forefront of our everyday lives.
You can catch up on previous Lunch Hour Lectures via the dedicated Lunch Hour Lectures YouTube channel.
Details of other Lunch Hour Lectures taking place this term are available on the UCL Events calendar.