Abstract—An increasing number of surveys and articles highlight the failure of database servers to keep confidential data really private. Even without considering their vulnerability against external or internal attacks, mere negligences often lead to privacy disasters. The advent of powerful smart portable tokens, combining the security of smart card microcontrollers with the storage capacity of NAND Flash chips, introduces today credible alternatives to the systematic centralization of personal data. Individuals can now store their personal data (e.g., their medical folder) in their own smart tokens, kept under their control, and never disclose in clear their private data to the outside untrusted world. However, this new opportunity of managing and protecting personal data conflicts with the objective of implementing knowledge-based decision making tools on top of centralized data. This paper precisely addresses this issue and proposes to adapt the traditional model of Privacy-Preserving Data Publishing (PPDP) to an environment composed of a large set of tamper-resistant smart portable tokens seldom connected to a highly available but untrusted infrastructure. This combination of hypothesis makes the problem fundamentally different from any previously studied PPDP problem we are aware of. I.

While disks have offered a stable behavior for decades-thus guaranteeing the timelessness of many database design decisions, flash devices keep on mutating. Their behavior varies across models and across firmware updates for the same model. Many researchers have proposed to adapt database algorithms for existing flash devices; others have tried to capture the performance characteristics of flash devices. However, today, we neither have a reference DBMS design nor a performance model for flash devices: database researchers are running after flash memory technology. In this paper, we take the reverse approach and we define how flash devices should support database management. We advocate that flash devices should provide DBMS with more control over IO behavior without sacrificing correctness or robustness. We introduce the notion of bimodal flash devices that expose the full potential of the underlying flash chips as long as the submitted IOs respect a few well-defined constraints. We suggest two approaches for implementing bimodal flash devices: (a) based on the narrow block device interface, or (b) based on a rich interface that allows a DBMS to explicitly control IO behavior. We believe that these approaches are natural evolutions of the current generation of flash devices, whose complexity and opacity is illsuited for database management. We discuss how bimodal flash devices would benefit many existing techniques proposed by the database research community, and identify a set of new research issues. 1.