Web services today store and process ever-increasing amounts of our personal data on remote servers. This is true for large social networks like Facebook and Twitter, but also for smaller, special-purpose web services run by small and medium-sized organizations. The organizations that operate these services are forced to spend significant resources to ensure that they comply with data protection laws, such as the European Union’s recent General Data Protection Regulation (GDPR). Compliance with this comprehensive legislation is costly and difficult, at least in part because the standard systems software that web-based applications rely on was never designed with user privacy in mind.

Our research seeks to understand this problem space: which widely used abstractions are convenient for developers and efficiently implemented, but hinder compliance? We are designing new, fundamentally privacy-centric computer systems abstractions that seek to achieve compliance with GDPR-like legislation by default.