Privacy-enhancing technologies – myths and misconceptions
As the UK and US prepare to open a joint privacy-enhancing technology (PET) prize challenge, expert Ellison Anne Williams busts some myths and misconceptions around this emerging area
The business-enabling category of privacy-enhancing technologies (PETs) is making its mark as one of the foundational technologies of the digital transformation era. With data as the backbone of the digital economy, market factors such as the drive to view data as an organisational asset, the need for global data sharing and collaboration, and an ever-increasing demand for privacy have catapulted this family of technologies into the spotlight.
The direct impact that they deliver to business and mission capabilities is the reason they are here to stay. Grouped together for their ability to enable, enhance and preserve the privacy of data throughout its lifecycle, these technologies are powerful and transformational in engineering trust and unlocking data value. As the value of PETs becomes more widely recognised and an increasing number of organisations and providers begin using the term, there remain a variety of questions and misconceptions to address.
Front and centre among items to clarify is the name itself. While there have been a number of proposed labels – privacy-preserving technologies, privacy-enhanced computation, privacy enablers – PETs has surfaced as the category name of choice. This is the designation that US and UK leaders used late last year when they announced an initiative to advance these technologies to “harness the power of data in a manner that protects privacy and intellectual property, enabling cross-border and cross-sector collaboration to solve shared challenges”.
It is also the category name being used by the United Nations, the ICO, and a growing number of large, global organisations.
There are also misconceptions about which technologies belong in the category. Clarity here centres on how the technologies are used, the role they play in enhancing privacy, and where that impact takes place. As a mathematician by training, I find the simplest dividing line comes down to computation.
PETs protect data in use, which describes data while it is being used or processed via searches or analytics. By this definition, the core pillars of PETs include homomorphic encryption, secure multi-party computation, and trusted execution environments (sometimes called confidential compute). Other approaches, such as synthetic data and data at rest protection mechanisms such as tokenisation, are tangential, but do not fit within the category because they do not protect data in use.
To continue building a shared understanding of this increasingly visible, transformational family of technologies, let’s address some common myths and misconceptions about PETs.
Myth 1: PETs aren’t ready for prime time
The PETs category includes technologies that protect, preserve and enhance data throughout its processing lifecycle – technologies that have been studied deeply for decades. Homomorphic encryption (HE), for example, became broadly recognised thanks to research published by Craig Gentry in 2009. The timing of the story is similar for secure multi-party computation (SMPC) and trusted execution environments (TEEs). What has changed more recently is the practicality of their broad use at scale.
Breakthroughs, largely driven by market need and motivation, have firmly taken these technologies from the realm of research to commercial readiness. Although the progress made in recent years is impressive, industry experts agree that we have only begun to scratch the surface. Gartner predicts that, by 2025, half of all large organisations will be using these capabilities for processing data in untrusted environments and multi-party data analytics use cases. These advances are being driven by a growing ecosystem of venture capital-backed startups, well-funded research components of global organisations, and academia.
There are a number of great examples of PETs being implemented at scale today for use cases in financial services, healthcare and government. PETs are enabling cross-jurisdictional data sharing for know-your-customer screenings and fraud investigations. They are enabling organisations to privately leverage third-party data assets without pooling or replicating data. They are facilitating more accurate risk assessment modelling by expanding the number of accessible data sources. They are protecting sensitive indicators and speeding time to value for applications at the processing edge.
In short, PETs are making entirely new things possible across a growing number of industries by overcoming regulatory, organisational, security and national boundaries to accommodate secure data usage and collaboration in ways that are not otherwise possible.
Myth 2: PETs protect data in use, at rest and in transit
The power of PETs lies in their ability to protect data while it is being used or processed – when searches, analytics and machine learning models are being run over data to extract value. This is different from, and complementary to, other traditional measures that protect data at rest, such as in the file system or database, or data in transit as it moves through the network.
While there are many effective, established solutions for protecting data at rest and data in transit, if organisations want to be able to safely and privately extract value from data assets, these traditional protection strategies are not sufficient. Also, PETs do not replace existing solutions protecting data at rest and in transit; they work alongside them to protect the final segment of the data triad, data in use.
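To make the "data in use" distinction concrete, here is an added example (not code from the article or from Enveil) using the Paillier cryptosystem, an additively homomorphic scheme: each party encrypts its value, an aggregator sums the ciphertexts without being able to read them, and only the key holder decrypts the total. The primes below are constructed toy values for illustration only; a real deployment uses primes of around 1024 bits each.

```python
"""Toy Paillier demo: an aggregator sums values it can only see encrypted."""
import random
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p, q):
    # p and q are constructed toy primes for illustration; real keys use ~1024-bit primes.
    n = p * q
    lam = lcm(p - 1, q - 1)
    g = n + 1                    # standard simple generator choice: g = n + 1
    mu = pow(lam, -1, n)         # with g = n + 1, L(g^lam mod n^2) = lam, so mu = lam^-1 mod n
    return (n, g), (lam, mu)


def encrypt(pub, m):
    n, g = pub
    n2 = n * n
    while True:                  # fresh random r makes every ciphertext look different
        r = random.randrange(1, n)
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, pub, c):
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    L = (pow(c, lam, n2) - 1) // n   # the L function: L(x) = (x - 1) / n
    return (L * mu) % n


def add_encrypted(pub, c1, c2):
    # Multiplying ciphertexts modulo n^2 adds the underlying plaintexts.
    n, _ = pub
    return (c1 * c2) % (n * n)


def encrypted_sum(pub, ciphertexts):
    # The aggregator runs this over data in use without ever holding the private key.
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total
```

Plaintext sums must stay below n, and the toy key offers no real security; the point is that the computation happens on ciphertexts, which is what at-rest and in-transit encryption cannot do.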
Myth 3: The individual technologies within the PETs category are competitive
In an emerging category like PETs, there is a tendency to pit technologies against each other to evaluate which technology reigns supreme. The reality is that these technologies each offer unique attributes and choosing the right ones depends entirely on the use case requirements, infrastructure, and the desired level and type of protection. PETs can, and often do, work together.
For example, organisations can use an SMPC capability that leverages HE, and vice versa. Or SMPC and HE techniques can be leveraged in conjunction with a TEE. Organisations looking to utilise PETs should explore all the options available and educate themselves to determine the best fit.
Commercial PETs companies, regulatory bodies, industry consortiums, market analysts, researchers and other third-party groups all have a role to play in building awareness and enhancing understanding. Likewise, those of us working in the PETs space need to recognise and embrace our role in educating the market, helping to differentiate the technologies and explaining their often complementary nature, while acknowledging that the adoption of any and all PETs will best serve to address global privacy challenges.
Myth 4: PETs research = PETs commercialisation
PETs have a long and rich research history and, as such, many PETs are part of an active ecosystem that includes open source research libraries and algorithms. While it is fantastic to have a research foundation upon which to build, it is also important to remember that these elements are not ready-to-use commercial offerings. For example, HE libraries provide basic cryptographic components, but organisations leveraging them must dedicate engineering, algorithmic and integration resources in order to mature the basic building blocks into viable, enterprise-grade solutions.
Likewise, SMPC libraries offer basic algorithms and TEEs are built into many chips and cloud environments today, but there is much work and deep expertise required to take these fundamental elements and build practical, commercial offerings to protect data in use at scale. That is the value that commercial PETs software providers bring to the table – deep PETs knowledge and off-the-shelf capabilities that are ready to deploy and use today to solve real problems.
The open source research landscape is an awesome tool for advancing innovative technologies and the PETs category has certainly benefited from the efforts of numerous contributors. But these PETs research efforts are just the beginning of the story. Commercial solutions advance and give these research efforts the “wings” required to add real, measurable value.
Conclusion
The time for privacy-enhancing technologies is here. The technologies are ready, the market is ready, and the list of data usage problems demanding secure and private solutions continues to grow. Stephen Almond, director of technology and innovation at the ICO, recently summarised the value this innovative category delivers to the broader market: “Privacy-enhancing technologies help organisations build trust and unlock the potential of data by putting data protection by design into practice.”
We are undeniably in an era of digital transformation, and to ensure we continue forward on a foundation prioritising data privacy and security, we should embrace PETs now. That effort starts with shared understanding.
Ellison Anne Williams is CEO and founder of Enveil