Next Steps in Data Protection & Compliance

Spartacus as a Service (SaaS): Privacy Through Obfuscation and the Right to Be Forgotten

Combined Session
Wednesday, May 15, 2019 15:30—16:30
Location: AMMERSEE I

The Third Servile War is over. The slave army has been defeated, and the survivors are offered a pardon by their Roman captors. The only requirement is that they identify Spartacus, their leader (Kirk Douglas). Rather than give away his identity, however, they all begin to yell out “I’m Spartacus!”—thus preserving his anonymity by overwhelming the Romans with possibilities. (Spoiler alert: they all die as a result.) What lesson can we learn from them about preserving privacy through obscurity?

The right to be forgotten has been held as a fundamental human right by various governments. The recent Facebook scandal and a series of large-scale breaches have centered the discussion on the privacy implications of this right. Most people agree that the right to be forgotten should allow users to remove accounts and material that they have created in the past—but how easy is it to disappear from online social media and networks in an effort to preserve one’s privacy?

A sample identity (and its associated accounts across 26 different sites) demonstrates how difficult deletion is for end users. Governments have not mandated these privacy protections for users—and even if they had, enforcement would be problematic; there is little incentive for businesses to prune existing user data.

Since users cannot rely on governments to ensure privacy, a different method of privacy assurance is proposed: privacy through obfuscation. Existing accounts and personal data may be protected through obfuscation techniques, common in other research such as location cloaking. An open-source proof-of-concept (“Spartacus as a Service”) is presented that allows for these techniques to be employed on several well-known online applications. This prototype seeks to ensure that privacy is maintained without relying on organizations removing all data from their systems—effectively yelling “I’m Spartacus!” on behalf of the user.

Key takeaways:

  • See how current regulation around the Right to Be Forgotten continues to lag behind real-world use cases and end users’ base expectations.
  • Understand how privacy must be a consideration for services going forward—as systems are built, they must consider how to dispose of information and data responsibly; new legislation and regulations are coming that will seek to enforce the Right to be Forgotten.
  • Internalize that ensuring privacy may not always mean deletion or removal of data—obfuscation of identities, data, etc. may be enough to preserve relative anonymity. 
  • Explore various methods of obfuscation that might apply in different environments and organizations.

Mike Kiser
SailPoint
Mike Kiser has held a panoply of industry positions over the past 20 years—from the Office of the CTO to Security Strategist to Security Analyst to Security Architect—that might imply...