We propose an approach to protect confidentiality of
data and accesses to them when data are stored and
managed by external providers, and hence not under
direct control of their owner. Our approach is based on
the use of distributed data allocation among three
independent servers and on a dynamic re-allocation of
data at every access. Dynamic re-allocation is enforced
by swapping data involved in an access across the
servers in such a way that accessing a given node
implies re-allocating it to a different server, then
destroying the ability of servers to build knowledge by
observing accesses. The use of three servers provides
uncertainty, to the eyes of the servers, of the result of
the swapping operation, even in presence of collusion
among them.