Scalable and Private Media Consumption with Popcorn
Popcorn is a media delivery system that protects consumers by preventing the content delivery platform from determining what material a consumer watches. Several motivations drive the design. At its most fundamental, the goal is to shield a person’s consumption history from scrutiny, since that history can reveal a user’s political, cultural, or socioeconomic background, all of which would be worrisome if publicized or viewable by an unauthorized third party (particularly the content delivery system itself). On the other hand, the ability of a commercial system to control content or enforce certain legal policies is one example of a larger body of digital rights that providers like Netflix would like to retain for business purposes. Existing cryptographic protocols in the family of Private Information Retrieval (PIR) allow clients to make requests without the servers being able to infer which item was requested. However, the approaches that existed before this paper placed limits on the compute cost or scale of the application that would severely undermine a system like Netflix. The goal of Popcorn is to strike a balance between cryptographically secure primitives and a client-platform relationship in which both sides’ needs for security and information are met.
Popcorn is built with three goals in mind: it aims to provably hide one’s media diet, to do so at a relatively low cost, and to remain compatible with the standards set by commercial media streaming. One of the main contributions is that Popcorn composes ITPIR and CPIR to obtain the desirable properties of both. The object library is served by multiple servers using ITPIR, while the client retrieves keys from the key library through CPIR. ITPIR and CPIR both require processing the entire library per request, so, to address the need for ITPIR to inspect the entire dataset, Popcorn batches requests and amortizes the overhead of running ITPIR across the batch; in combination, the expensive operations only need to process the library once per batch rather than once per request. Popcorn also uses compression to satisfy the fixed-size object requirement.
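To make the ITPIR half of this composition concrete, the following added example (not code from the Popcorn paper or its authors) implements the classic two-server XOR-based ITPIR and serves a whole batch of client queries in a single pass over the library, which is the amortization the paragraph above describes. The library contents, block size and indices are constructed sample data; the function names are my own.

```python
import secrets

# Constructed toy "media library": n fixed-size objects (Popcorn also requires
# fixed-size objects). Each object is BLOCK bytes; real objects are far larger.
BLOCK = 16
LIBRARY = [bytes([i]) * BLOCK for i in range(8)]  # constructed sample data


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_queries(index: int, n: int) -> tuple[list[int], list[int]]:
    """Client side of two-server XOR-based ITPIR.

    q0 is a uniformly random 0/1 selection vector; q1 is q0 with the bit for
    the wanted object flipped.  Each server sees only one of the two vectors,
    and each vector on its own is uniformly random, so neither server learns
    `index` unless the two servers collude (the usual ITPIR assumption)."""
    q0 = [secrets.randbelow(2) for _ in range(n)]
    q1 = q0.copy()
    q1[index] ^= 1
    return q0, q1


def serve_batch(library: list[bytes], queries: list[list[int]]) -> list[bytes]:
    """Server side.  Answers a whole batch of selection vectors while scanning
    the library exactly once: for each object, XOR it into every answer whose
    vector selects it.  The per-object work grows with the batch size, but the
    library itself (the expensive part to read) is touched once per batch
    rather than once per query, which is the amortization Popcorn relies on."""
    answers = [bytes(len(library[0])) for _ in queries]
    for j, obj in enumerate(library):            # single pass over the library
        for b, q in enumerate(queries):
            if q[j]:
                answers[b] = xor_bytes(answers[b], obj)
    return answers


def reconstruct(a0: bytes, a1: bytes) -> bytes:
    """Client XORs both servers' answers: every object selected by both q0 and
    q1 cancels out, leaving exactly the object at the flipped index."""
    return xor_bytes(a0, a1)


def private_fetch_batch(library: list[bytes], indices: list[int]) -> list[bytes]:
    """Simulate a batch of clients each privately fetching one object from two
    non-colluding servers.  Returns the recovered objects in request order."""
    n = len(library)
    pairs = [make_queries(i, n) for i in indices]
    batch0 = [q0 for q0, _ in pairs]   # what server 0 receives
    batch1 = [q1 for _, q1 in pairs]   # what server 1 receives
    answers0 = serve_batch(library, batch0)
    answers1 = serve_batch(library, batch1)
    return [reconstruct(a0, a1) for a0, a1 in zip(answers0, answers1)]


if __name__ == "__main__":
    wanted = [0, 3, 7]
    got = private_fetch_batch(LIBRARY, wanted)
    print([g == LIBRARY[i] for g, i in zip(got, wanted)])
```

Note what the example does and does not model: the per-query communication is one bit per object plus one object-sized reply per server, and each server's work is a linear scan of the library, exactly the "process the entire library" cost the text refers to. The privacy argument rests on the two servers not comparing their query vectors; the key-library CPIR step and Popcorn's latency-driven batch sizing are not part of this toy.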
The 3.87x cost scale relative to non-private servers, while admirable, felt like a happy compromise between the batch processing size and the resulting latency. I understand the 15 second latency benchmark is used as a justification for the amount of tolerable latency, which therefore helps determine the largest batch size before the acceptable delay is exceeded. With that being said, the 3.87x value feels somewhat arbitrary, and is a measurement that holds in the worst-case scenario of tolerable latency. In addition, it seems that while Popcorn is private and affordable, the ITPIR servers are assumed to be trustworthy and not to collude maliciously. Moreover, as the library increases in size, the associated costs increase linearly. Popcorn also does not support recommendations or aggregate view statistics, although, as the authors mention, this is something that has been previously addressed.
The network cost seems to account for 2x of the 3.7x cost. It could be interesting to see if this cost can be further reduced. For instance, a technique oriented around allowing two servers to communicate with pseudorandom number generators to preserve privacy while avoiding the network altogether could cut this multiplier down further. While Netflix-like platforms are an interesting system, it’d be interesting to see if the low overhead that Popcorn offers could be adapted to different commercial systems, such as private web search or private APIs built on PIR techniques.