Allowing others to know my exact location makes me uneasy. I can’t specifically articulate what I’m concerned about, but I trust my gut on these kinds of questions, and I know I’m not alone in feeling this way.
This “location uneasiness” eventually presented a challenge to one of our practices: we are a fully remote team, and in all-hands meetings we usually “go around the room” in east-to-west order for each person’s update. This ordering methodology did not reveal anybody’s exact location, so nobody was concerned about it. Figuring out the correct order, however, became harder and harder.
As our team grew, we found ourselves struggling to remember the exact geographic order of each colleague. Additionally, our company culture encourages us to work from wherever we want, and it turns out that my colleagues like to travel. Determining the geographic order in each meeting became a distraction. We thought about abandoning our practice of geographic ordering, but everybody liked the idea of traversing the globe to get updates from our far-flung team members. Clearly it was time to formalize and automate the ordered list.
A small team of us decided to build a simple web application atop our confidential computing platform to solve our ordering problem and illustrate the value of privacy-preserving computing. While this small example may not be the most compelling use case for our product, it does illustrate a pattern that could apply to other applications with a similar need for location privacy.
Our simple application incrementally collects and stores sensitive location data (i.e., a colleague’s exact location, whenever it changes), and later performs computation on that sensitive data to produce useful output (i.e., an ordered list of team members). What makes this application an effective steward of privacy is that the coordinates are stored encrypted and are only decrypted during computation inside Cape’s trusted execution environment, called an enclave. The app can dynamically generate geographically ordered lists based on everybody’s exact locations, but the privacy of each individual’s location is preserved.
The location update UI is a simple web form: provide your name and location, specified as latitude and longitude:
The web application then lets any of us retrieve an ordered list of our colleagues, on demand. To produce the list, the web application passes the complete collection of encrypted coordinates to a function that runs in Cape’s confidential computing platform. Inside the enclave, the function decrypts everybody’s coordinates, and creates the requested ordered list. The high-precision coordinates can only be decrypted inside the enclave because that’s the only place the private key is available to Cape Privacy’s decrypt functionality. When our function returns the ordered list, the plaintext coordinates evaporate when the enclave exits. The only way in and out of the enclave is through the secure connection provided by Cape—the enclave has no other access to the network. What happens in Cape, stays in Cape!
Our implementation is a simple web application that uses Cape’s built-in encrypt functionality when collecting coordinates; and a custom Cape function to subsequently compute the geographic ordering of our colleagues.
Whenever a colleague provides an updated location, the web client calls
The second Cape function produces an ordered list of colleagues, which is displayed to the user in the web browser. The function takes two input parameters: a list of colleagues and their encrypted coordinates (presented as a JSON document); and a flag indicating whether to produce an east-west ordering or a north-south ordering. Here is a snippet of the input JSON document, in which you can see Cape-encrypted coordinates:
In the custom Cape function, each coordinate is decrypted using Cape’s
decrypt function, which is available only to code running inside the enclave. Once the coordinates are restored to plaintext, the function sorts the team from east-to-west or north-to-south, and then returns the ordered list, containing only first names.
In the entire application, the coordinates are only ever decrypted inside the Cape enclave, computed upon, and then discarded. Everybody’s exact location is always accurate, and also stays completely private.
Our nomadic colleagues can continue to travel and work from wherever they want, and now they can update their locations without any unease around sharing that sensitive data. The automatically generated, up-to-date ordered lists provide a fun structure to our meetings without risking anyone’s privacy.
This simple application illustrates an important pattern found in many websites and mobile applications: The application provider wants to collect some sensitive information from you, which they will use to provide some information of value to you (e.g., credit worthiness, medical diagnosis, cohort analysis). As a user, you are probably concerned about the privacy of the information you are providing, but you make the tradeoff analysis regarding whether the promised information has enough value to you.
Wouldn’t it be better if you didn’t need to make the tradeoff? That is, you could receive, for example, an important credit evaluation; without being concerned that the financial numbers you shared would be seen by prying eyes. That’s what encrypting and then securely processing is all about, and we are working hard to make it easy for all applications to adopt it.