YOU SHALL NOT COMPUTE on my Data: Access Policies for Privacy-Preserving Data Marketplaces and an Implementation for a Distributed Market using MPC

Stefan More, Lukas Alber

Research output: Chapter in Book/Report/Conference proceedingConference paperpeer-review


Personal data is an attractive source of insights for a diverse field of research and business. While our data is highly valuable, it is often privacy-sensitive. Thus, regulations like the GDPR restrict what data can be legally published, and what a buyer may do with this sensitive data. While personal data must be protected, we can still sell some insights gathered from our data that do not hurt our privacy. A data marketplace is a platform that helps users to sell their data while assisting buyers in discovering relevant datasets. The major challenge such a marketplace faces is balancing between offering valuable insights into data while preserving privacy requirements. Private data marketplaces try to solve this challenge by offering privacy-preserving computations on personal data. Such computations allow for calculating statistics or training machine learning models on personal data without accessing the data in plain. However, the user selling the data cannot restrict who can buy or what type of computation the data is allowed. We close the latter gap by proposing a flexible access control architecture for private data marketplaces, which can be applied to existing data markets. Our architecture enables data sellers to define detailed policies restricting who can buy their data. Furthermore, a seller can control what computation a specific buyer can purchase on the data, and make constraints on its parameters to mitigate privacy breaches. The data market's computation system then enforces the policies before initiating a computation. To demonstrate the feasibility of our approach, we provide an implementation for the KRAKEN marketplace, a distributed data market using MPC. We show that our approach is practical since it introduces a negligible performance overhead and is secure against several adversaries.

Original languageEnglish
Title of host publicationProceedings of the 17th International Conference on Availability, Reliability and Security, ARES 2022
Subtitle of host publicationARES 2022
Place of PublicationNew York, NY, USA
PublisherAssociation of Computing Machinery
ISBN (Electronic)9781450396707
Publication statusPublished - 23 Aug 2022
Event17th International Conference on Availability, Reliability and Security: ARES Workshop on Security, Privacy, and Identity Management in the Cloud - Vienna, Austria
Duration: 23 Aug 202226 Aug 2022
Conference number: 4

Publication series

NameACM International Conference Proceeding Series


Workshop17th International Conference on Availability, Reliability and Security
Abbreviated titleSECPID 2022
Internet address


  • Access Control
  • Data Market
  • Privacy-preserving Computation
  • Secure Multi-party Computation
  • Trust Policies

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications


Dive into the research topics of 'YOU SHALL NOT COMPUTE on my Data: Access Policies for Privacy-Preserving Data Marketplaces and an Implementation for a Distributed Market using MPC'. Together they form a unique fingerprint.

Cite this