Practical Data Access Minimization in Trigger-Action Platforms


Trigger-Action Platforms (TAPs) connect disparate online services and enable users to create automation rules in diverse domains such as smart homes and business productivity. Unfortunately, the current TAP design is flawed from a privacy perspective, since it has unfettered access to sensitive user data. We point out that TAPs suffer from two types of overprivilege: (1) attribute-level, where it has access to more data attributes than it needs for running user-created rules; and (2) token-level, where it has access to more APIs than it needs. To mitigate overprivilege and subsequent privacy concerns we design and implement minTAP, a practical approach to data access minimization in TAPs. Our key insight is that the semantics of a user-created automation rule implicitly specifies the minimal amount of data it needs. This allows minTAP to leverage language-based data minimization to apply the principle of least-privilege by releasing only the necessary attributes of user data to the TAP. Using real user-created rules on the popular IFTTT TAP, we demonstrate that minTAP on average sanitizes 3.7 sensitive data attributes per rule, with tolerable performance overhead and without modifying IFTTT.
Joint work with Yunang Chen, Mohannad Alhanahnah, Rahul Chatterjee, and Earlence Fernandes, to appear in USENIX Security 2022.

Oct 8, 2021 12:00 AM