Proteus: A Practical Framework for Privacy-Preserving Device Logs

Date: 2026-03-06
Citations: 0
Influential: 0

AI Summary
This work addresses the challenge of protecting personally identifiable information (PII) in device logs when shared with third-party analyzers, where existing approaches struggle to balance analytical utility with end-to-end privacy guarantees. The authors propose Proteus, a novel framework that uniquely integrates keyed-hash pseudonymization, time-based ratcheted encryption, and DICE-based device attestation to preserve log fidelity while ensuring forward secrecy and resistance against multi-snapshot correlation attacks. Proteus enables controlled data sharing with time-bound decryption capabilities and integrates transparently into Android’s logcat infrastructure. Experimental evaluation across three hardware generations demonstrates a median per-log latency overhead of only 0.2 milliseconds and an average storage overhead of 97.1 bytes per PII field.

πŸ“ Abstract
Device logs are essential for forensic investigations, enterprise monitoring, and fraud detection; however, they often leak personally identifiable information (PII) when exported for third-party analysis. Existing approaches either fail to minimize PII exposure across all stages of log collection and analysis or sacrifice data fidelity, resulting in less effective analysis. We present Proteus, a privacy-preserving device logging framework that enables forensic analysis without disclosing plaintext PII or compromising fidelity, even when facing adversaries with access to multiple snapshots of the log files. To achieve this, Proteus proposes a two-layer scheme that employs keyed-hash pseudonymization of PII fields and time-rotating encryption with ratcheted ephemeral keys to prevent multi-snapshot correlation. For controlled sharing, clients export ratchet states that grant time-bounded access, permitting decryption of pseudonymized tokens that enable linkage and timeline reconstruction without exposing the underlying PII. Subsequent ratchet rotations ensure forward secrecy, while DICE-based attestation authenticates device provenance. We implement Proteus as a transparent extension to Android's logcat and evaluate it across three generations of hardware. Our results demonstrate a median latency of 0.2 ms per message and an average per-PII-field size overhead of only 97.1 bytes.
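As an added example (not code from the paper), the two layers the abstract describes, sketched in Python with an assumed plain HMAC hash ratchet and an HMAC-based encrypt-then-MAC in place of whatever primitives Proteus actually uses: layer 1 turns a PII field into a deterministic keyed-hash token, layer 2 seals that token under an epoch key that only rotates forward, and an exported ratchet state opens records from its own epoch onward but nothing sealed earlier. The key names, record layout and the exact way Proteus bounds an export in time are assumptions here, not details stated on this page.

```python
import hashlib, hmac, secrets

# Assumed for illustration: one-way HMAC hash ratchet + HMAC encrypt-then-MAC; Proteus's real primitives may differ.

def pseudonymize(pii: str, k_pseudo: bytes) -> bytes:
    """Layer 1: keyed-hash pseudonym. Same PII -> same token (linkable), PII itself not recoverable."""
    return hmac.new(k_pseudo, pii.encode(), hashlib.sha256).digest()[:16]

def ratchet_step(key: bytes) -> bytes:
    """Advance the epoch key one-way: k_{i+1} = HMAC(k_i, "ratchet"); the device then erases k_i."""
    return hmac.new(key, b"ratchet", hashlib.sha256).digest()

def epoch_key(state: tuple, target: int) -> bytes:
    """Derive the key for `target` from an exported (epoch, key) state. Only forward derivation works,
    so a state exported at epoch e cannot open records sealed in epochs < e (forward secrecy)."""
    epoch, key = state
    if target < epoch:
        raise PermissionError(f"state for epoch {epoch} cannot open epoch {target}")
    for _ in range(target - epoch):
        key = ratchet_step(key)
    return key

def _subkeys(key: bytes) -> tuple:
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(token: bytes, state: tuple) -> dict:
    """Layer 2: encrypt the token under the current epoch key with a fresh nonce, so the same token
    yields unrelated ciphertexts in different snapshots (no multi-snapshot correlation)."""
    epoch, key = state
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(token, _keystream(enc, nonce, len(token))))
    tag = hmac.new(mac, epoch.to_bytes(4, "big") + nonce + ct, hashlib.sha256).digest()
    return {"epoch": epoch, "nonce": nonce, "ct": ct, "tag": tag}

def open_record(rec: dict, exported: tuple) -> bytes:
    """Analyzer side: recover the pseudonym token (never the PII) from an exported ratchet state."""
    enc, mac = _subkeys(epoch_key(exported, rec["epoch"]))
    tag = hmac.new(mac, rec["epoch"].to_bytes(4, "big") + rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, rec["tag"]):
        raise ValueError("record tampered or wrong key")
    return bytes(a ^ b for a, b in zip(rec["ct"], _keystream(enc, rec["nonce"], len(rec["ct"]))))
```

Opening a record with a state exported at a later epoch fails at `epoch_key`, which is the forward-secrecy guarantee the abstract attributes to ratchet rotation; linkage across epochs still works because the recovered token is deterministic.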
Problem

Research questions and friction points this paper is trying to address.

privacy-preserving
device logs
personally identifiable information
forensic analysis
data fidelity
Innovation

Methods, ideas, or system contributions that make the work stand out.

privacy-preserving logging
keyed-hash pseudonymization
ratcheted ephemeral keys
forward secrecy
DICE attestation
Authors

Sanket Goutam, Stony Brook University
Hunter Kippen, Samsung Research America
Mike Grace, Unaffiliated
Amir Rahmati, Assistant Professor, Stony Brook University (Computer Security, Privacy, Internet of Things, Cyber-Physical Systems, Adversarial ML)