Privacy Protection: A New Frontier in Information Technology
Computing on data without seeing data may be new privacy necessity
06-22-2021
Jim Tyson
CYBER
In early May, Apple released a significant update to its mobile devices by introducing what it dubbed “App Tracking Transparency.”
This ensures that if you own an iPhone, any app must ask your permission before tracking your activity outside of its own app. Many cybersecurity experts call this one of the most consequential privacy updates Apple has released, and it has already sparked more than a few fights between tech giants on both sides of the privacy protection aisle.
Breaches breed protection
Privacy of your personal information is more important than ever. Major data breaches like the 2017 Yahoo breach of 3 billion accounts, the First American Financial Corp. breach in 2019, and the Cambridge Analytica scandal, which set nearly every Facebook user’s information up for sale for political advertising, have all exposed cracks in online privacy that need to be plugged up.
Based on how most Americans have dozens of online accounts storing their personal information, I would guess most Americans have had their personal information lost in a data breach, maybe even one of the aforementioned three.
The problem intensifies when information is identifying. Every time you provide your name, date of birth, email, or other personal data, you better hope this information is going to a network protected with privacy-preserving technology, or your information could be going on sale, and a small set of attributes can quickly identify an individual.
Protecting data in motion
Privacy-preserving technology is borne out of the growing recognition that internet communications present a significant risk to privacy among individuals and organizations. As parties share information, cybercriminals can swoop in and steal data without either the senders or recipients knowing it.
Homomorphic encryption is one emerging privacy-preserving technology that protects data, not only while in transit or in storage, but during computation as well. Homomorphic encryption enables users to perform computations on encrypted data without first decrypting it.
A typical application might be its use to protect individual health information while allowing data analytics on collections of health records. A significant portion of data in healthcare must, by law, be protected from unauthorized use. Homomorphic encryption has the potential to enable the secure sharing and combining of confidential data for use in clinical trials and studies.
Another privacy-preserving technology is known as zero-knowledge proofs. Zero-knowledge proofs provide a method by which one party can prove to another that it knows a value without saying how it knows the value or what the value is. As a simplistic illustration, imagine I tell you I can prove that I know where Waldo is in a “Where’s Waldo?” without revealing where he is in the picture or how I found him.
There is a way to do this, by using a piece of paper or cardboard much larger than the "Where’s Waldo?" picture. If I cut a hole in a piece of cardboard, and place it over the picture without you watching me do that, the hole in the cardboard will prove I know where Waldo is, without revealing the location or revealing how I found him.
Zero-knowledge proofs have growing use in blockchain because they allow for the recording of private transactions between parties on the blockchain without allowing non-parties to see the of content those transactions. (Normally in a blockchain, every participant can see the content of every transaction.)
Defending the nation’s data
It should not be surprising that the federal government has privacy protection on its list of top priorities, especially when it comes to both personal health data, as well as national security information. There’s even a government office that does nothing but track data breaches. As the government researches future use of privacy-preserving technologies, homomorphic encryption and zero-knowledge proofs are of growing interest.
The biggest barriers to the adoption of these technologies are that they are complex, and in some cases (e.g., homomorphic encryption) are currently too slow in implementation to be practical. But recent advances by leading technology vendors such as Microsoft, IBM, Intel, and others suggest that the pace of innovation is rapid and this technology may become cost-effective in the relatively near future.
Other approaches to privacy
Once privacy-preserving technologies become mainstream, they will be transformative for the government. If data stays encrypted and is never decrypted, even during processing, that’s plainly more secure.
Other privacy-preserving technologies are being explored as well, such as secure multiparty computation. This method is similar to homomorphic encryption. It allows for multiple parties to compute a function with their own inputs while keeping those inputs private.
Another approach involves using a secure or trusted execution environment. Leading CPU manufacturers (e.g., Intel, AMD) are producing chips with hardware protections around code execution, such that it becomes, in theory, physically impossible for an outside process to gain access to the data that is in computation.
The monster of our own making
Aggregating troves of data from multiple sources to execute big data analysis can help generate more data-driven decisions than ever before. But big data is also a monster of our own making that exponentially compounds the risk of data theft and misuse. The UN Handbook on Privacy-Preserving Computation Techniques says big data has created “easy target(s) for cybercriminals from outside organizations. … Equally concerning is the risk of insider threats.”
As cybercriminals become more sophisticated and can intercept big data in transit, more attention must be paid to curb this problem. The advancement and enforcement of privacy-preserving technologies will be key to ensure input and output privacy in future analysis systems.
Posted by: Jim Tyson
Senior Principal Systems Engineer
Jim Tyson is a solution architect and senior principal systems engineer in SAIC’s Defense and Civilian Sector.
Tyson joined SAIC in 2016 and leads civilian and Department of Defense business capture and technical proposal development efforts. In 2017 and 2018, Tyson completed two SAIC Research Fellow projects exploring the capabilities and benefits of blockchain technology. In 2017, he led the technical design of a proof-of-concept of blockchain technology on a task order for a high-profile federal civilian agency.
In 2019, he led the design and development of a blockchain solution for securing supply chain transactions on an SAIC research and development project in partnership with Goodyear Tire and Rubber Co. and Microsoft. Tyson was named an SAIC Fellow the same year for his leadership and contributions in exploring the potential of blockchain technology for customer needs.
Prior to joining SAIC, Tyson worked for more than 25 years in a variety of positions for an IT contracting company based in Washington, D.C., including as systems analyst, team leader, project manager, business development lead, COO, and CEO. The company grew from just 20 employees to one with more than 240 staff and independent contractors.
Tyson is a certified Enterprise Architect with the Open Group Architecture Framework and holds DevOps Foundation and Project Management Professional certifications. Tyson received his bachelor’s degree in English and psychology from Duke University. He earned an MBA from Edinburgh Business School and a JD from Concord Law School.
