Privacy concerns relating to sharing network traces have traditionally been handled via sanitization, which includes removal of sensitive data and IP address anonymization. We argue that sanitization is a poor solution for data sharing that offers insufficient research utility to users and poor privacy guarantees to data providers.

We claim that a better balance in the utility/privacy trade-off, inherent to network data sharing, can be achieved via a new paradigm we propose: secure queries. In this paradigm, a data owner publishes a query language and an online portal, allowing researchers to submit sets of queries to be run on data. Only certain operations are allowed on certain data fields, and in specific contexts. Query restriction is achieved via the provider's privacy policy, and enforced by the language's interpreter. Query results, returned to researchers, consist of aggregate information such as counts, histograms, distributions, etc. and not of individual packets. We discuss why secure queries provide higher privacy guarantees and higher research utility than sanitization, and present a design of the secure query language and a privacy policy.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Cynthia Dwork. Differential Privacy. In Proceedings of the 33rd International Colloquium on Automata, Languages and Programming, 2006.
	2	S. Coull, C. Wright, F. Monrose, M. Collins, and M. Reiter. Playing Devil's Advocate: Inferring Sensitive Information from Anonymized Network Traces. In Proceedings of the Network and Distributed System Security Symposium, February 2007.
	3	Qixiang Sun , Daniel R. Simon , Yi-Min Wang , Wilf Russell , Venkata N. Padmanabhan , Lili Qiu, Statistical Identification of Encrypted Web Browsing Traffic, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.19, May 12-15, 2002
	4	S. E. Coull , M. P. Collins , C. V. Wright , F. Monrose , M. K. Reiter, On web browsing privacy in anonymized NetFlows, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-14, August 06-10, 2007, Boston, MA
	5	Tadayoshi Kohno , Andre Broido , K. C. Claffy, Remote Physical Device Fingerprinting, Proceedings of the 2005 IEEE Symposium on Security and Privacy, p.211-225, May 08-11, 2005  [doi>10.1109/SP.2005.18]
	6	Ruoming Pang , Mark Allman , Vern Paxson , Jason Lee, The devil and packet trace anonymization, ACM SIGCOMM Computer Communication Review, v.36 n.1, January 2006  [doi>10.1145/1111322.1111330]
	7	Jeffrey C. Mogul , Martin Arlitt, SC2D: an alternative to trace anonymization, Proceedings of the 2006 SIGCOMM workshop on Mining network data, p.323-328, September 11-15, 2006, Pisa, Italy  [doi>10.1145/1162678.1162686]
	8	Vern Paxson. Trace sanitization scripts. http://ita.ee.lbl.gov/html/contrib/sanitize.html.
	9	Jun Xu , Jinliang Fan , Mostafa H. Ammar , Sue B. Moon, Prefix-Preserving IP Address Anonymization: Measurement-Based Security Evaluation and a New Cryptography-Based Scheme, Proceedings of the 10th IEEE International Conference on Network Protocols, p.280-289, November 12-15, 2002
	10	Nabil R. Adam , John C. Worthmann, Security-control methods for statistical databases: a comparative study, ACM Computing Surveys (CSUR), v.21 n.4, p.515-556, Dec. 1989  [doi>10.1145/76894.76895]
	11	Latanya Sweeney, k-anonymity: a model for protecting privacy, International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, v.10 n.5, p.557-570, October 2002  [doi>10.1142/S0218488502001648]
	12	Xiaokui Xiao , Yufei Tao, M-invariance: towards privacy preserving re-publication of dynamic datasets, Proceedings of the 2007 ACM SIGMOD international conference on Management of data, June 11-14, 2007, Beijing, China  [doi>10.1145/1247480.1247556]
	13	Ashwin Machanavajjhala , Johannes Gehrke , Daniel Kifer , Muthuramakrishnan Venkitasubramaniam, \ell -Diversity: Privacy Beyond \kappa -Anonymity, Proceedings of the 22nd International Conference on Data Engineering, p.24, April 03-07, 2006  [doi>10.1109/ICDE.2006.1]
	14	MAWI Working Group Traffic Archive. http://tracer.csl.sony.co.jp/mawi/.
	15	Greg Minshall. tcpdpriv tool. http://ita.ee.lbl.gov/html/contrib/tcpdpriv.html.
	16	Eddie Kohler. Ipsumdump tool. http://www.cs.ucla.edu/~kohler/ipsumdump/.
	17	Eddie Kohler. Ipaggregate tool. http://www.cs.ucla.edu/~kohler/ipsumdump/aggcreateman.html.
	18	Ruoming Pang , Vern Paxson, A high-level programming environment for packet trace anonymization and transformation, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany  [doi>10.1145/863955.863994]
	19	Gianluca Iannacone. CoMo: An Open Infrastructure for Network Monitoring -- Research Agenda. http://como.intel-research.net/pubs/como.agenda.pdf.
	20	Lobster web page. http://www.ist-lobster.org/publications/deliverables/D1.1a.pdf.