In today's data-driven economy, individuals share their data with platforms in exchange for services such as search, social networks, and health recommendations; platforms use the data to provide those services and to create other revenue-generating opportunities, e.g., selling the data to data brokers, all of which generate tremendous value. With the ever-expanding data economy comes a growing concern about potential data misuse. While most platforms give individuals specific control over their data (i.e., what data is being shared), individuals cannot limit the purposes for which their data is shared, since they cannot control how their data is used once it is shared. In this paper, we introduce a data management solution to this socio-technical problem. We present a data escrow design that permits individuals to observe all dataflows -- not just what data is shared but also for what purpose it will be used. Rather than having individuals' data flow to the platform, the platform delegates its computation to the escrow, where individuals can observe and manage their data. We propose a minimally invasive programming interface to enable the escrow's delegated computation model: developers specify dataflows via the interface, and the escrow runs the computation based on the developers' specifications. In addition to proposing the escrow design, which is general and applies to different ecosystems such as web browsers, wearables, and mobile platforms, we also contribute a concrete escrow implementation in the Apple ecosystem. In our evaluation, we analyze the dataflows in real-world applications and show that the escrow's programming interface supports implementing a wide range of dataflows, and thus applications. We show that our escrow-based solution is a feasible and practical alternative to today's data governance and has minimal overhead.
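As an added illustration (not code from the paper or its Apple implementation), a toy Python model of the delegated-computation escrow described above: the developer registers a dataflow that declares its inputs and purpose, the escrow runs it only for purposes the individual has approved, and every attempted flow is logged so the individual can observe it. All class, function and field names are assumptions, and the wearable-style sample data is constructed.

```python
from dataclasses import dataclass, field
from typing import Any, Callable

# Hypothetical model only: DataflowSpec/Escrow are not the paper's interface.

@dataclass(frozen=True)
class DataflowSpec:
    name: str                        # developer's name for this dataflow
    inputs: tuple                    # which of the individual's fields it reads
    purpose: str                     # declared purpose, visible to the individual
    compute: Callable[[dict], Any]   # computation the platform delegates to the escrow

@dataclass
class Escrow:
    data: dict                                   # individual's data, held by the escrow
    allowed_purposes: set = field(default_factory=set)
    flows: dict = field(default_factory=dict)    # registered dataflow specs
    log: list = field(default_factory=list)      # every observed dataflow attempt

    def register_dataflow(self, spec: DataflowSpec) -> None:
        self.flows[spec.name] = spec

    def consent(self, purpose: str, allow: bool) -> None:
        # the individual limits purposes, not just fields
        (self.allowed_purposes.add if allow else self.allowed_purposes.discard)(purpose)

    def run(self, name: str):
        spec = self.flows[name]
        allowed = spec.purpose in self.allowed_purposes
        # logged whether or not it was permitted, so denied flows stay visible too
        self.log.append({"flow": name, "inputs": spec.inputs,
                         "purpose": spec.purpose, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{name}: purpose '{spec.purpose}' not approved")
        view = {k: self.data[k] for k in spec.inputs}   # only the declared inputs
        return spec.compute(view)   # platform gets the result, never the raw data

def build_demo() -> Escrow:
    # constructed sample readings standing in for a wearable's data
    escrow = Escrow(data={"steps": [8000, 12000], "heart_rate": [62, 70],
                          "email": "user@example.org"})
    escrow.register_dataflow(DataflowSpec(
        "daily_summary", ("steps", "heart_rate"), "health recommendation",
        lambda d: {"avg_steps": sum(d["steps"]) / len(d["steps"])}))
    escrow.register_dataflow(DataflowSpec(
        "audience_export", ("email", "steps"), "advertising", lambda d: d))
    escrow.consent("health recommendation", True)   # advertising stays unapproved
    return escrow
```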