Whether for a business or an individual, there is no such thing as absolute privacy or absolute security. Security and privacy are continua that contribute to overall feelings of safety and trust, and are considered in the context of:
- What data or systems are being protected?
- What are the benefits of the protection?
- What is the cost or effort to achieve a given level of protection?
- What are the implications of not being protected?
- What is or is not permissible under laws and regulations?
The Big Limitation with Encryption Today
Encryption is a technique that makes data unintelligible to users or systems that do not possess the ‘key’ needed to unlock it. Traditional symmetric and asymmetric approaches to encryption, even in their advanced forms, protect data while it is not being used: data at rest in databases and file servers, and data in transit between systems or networks. But these schemes require the data to be decrypted before it can be queried or otherwise used, so whoever performs the processing sees the plaintext. This becomes an impediment to sharing data between organizations, even for noble causes such as medical research.
Homomorphic Encryption Could Be the Answer
While that sounds like a reasonable technical constraint, cryptographers have dreamed since the late 1970s of a world where data could be operated on while remaining encrypted. Encryption schemes with this property are known as homomorphic encryption. As a measure of the difficulty of the problem, early approaches were limited to certain classes of computation and were given names that reflect those limits: partially homomorphic (a single operation, such as addition or multiplication, on ciphertexts), somewhat homomorphic (both operations, but only for a bounded number of them) and leveled fully homomorphic (arbitrary circuits up to a depth fixed when the keys are generated).
The most desirable end state is what researchers describe as fully homomorphic encryption (FHE), where arbitrary computation can be performed on encrypted data and only the key holder can read the result. If FHE were ubiquitous today, we would be able to strike a balance between user privacy, data protection regulations and analytics like never before. Does it sound too good to be true? Unfortunately it is, at least today.
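To make the distinction concrete, here is a toy implementation of the Paillier cryptosystem, a partially homomorphic scheme: multiplying two ciphertexts yields an encryption of the sum of their plaintexts, and raising a ciphertext to a constant yields an encryption of the product by that constant, but no other operations are possible on encrypted data. That is exactly the gap between "partially" and "fully" homomorphic described above. This is an added example, not code from the original post; the key sizes are toy-sized for speed and are not secure, and the hospital counts are constructed sample inputs.

```python
# Toy Paillier: additively homomorphic encryption. Added example, not from
# the original post. 128-bit moduli are for demonstration only (real
# deployments use 2048 bits or more); do not use this for anything real.
import math
import random
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (adequate for a demo)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random prime with exactly `bits` bits (top bit and low bit forced on)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def keygen(bits: int = 128):
    """Return (public_key, private_key) = ((n, g), (lam, mu))."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        # gcd(n, phi(n)) == 1 guarantees lam is invertible mod n below.
        if p != q and math.gcd(p * q, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    g = n + 1                                            # standard generator choice
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                 # valid because g = n + 1
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts differ."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in [0, n); sums that exceed n wrap")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Homomorphic addition: the product of ciphertexts encrypts m1 + m2."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c: int, k: int) -> int:
    """Homomorphic multiplication by a *plaintext* constant: c^k encrypts k*m."""
    n, _ = pub
    return pow(c, k, n * n)


def aggregate_without_decrypting(pub, ciphertexts, weights):
    """Weighted sum computed entirely on ciphertexts by a party holding only
    the public key. It never learns any individual contribution."""
    acc = encrypt(pub, 0)  # fresh encryption of zero as the running total
    for c, w in zip(ciphertexts, weights):
        acc = add_encrypted(pub, acc, scale_encrypted(pub, c, w))
    return acc


def demo() -> tuple:
    """Three 'hospitals' encrypt patient counts (constructed values); an
    aggregator sums them blind. Returns (expected_total, recovered_total)."""
    pub, priv = keygen()
    counts = [1234, 5678, 91011]
    cts = [encrypt(pub, v) for v in counts]
    total_ct = aggregate_without_decrypting(pub, cts, [1, 1, 1])
    return sum(counts), decrypt(pub, priv, total_ct)


if __name__ == "__main__":
    print(demo())
```

The aggregator in `demo()` is the "data processor" from the medical-research scenario: it combines the encrypted inputs and hands back a ciphertext only the key holder can open. Note the two limits that make this partially rather than fully homomorphic: there is no way to multiply two ciphertexts together, and every value must stay below the modulus, so the scheme must be parameterised for the largest sum it will ever hold.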
Sounds Great, Where Can I Get it?
A significant breakthrough in the development of practical FHE came in 2009 from Craig Gentry, a researcher at IBM. Researchers at IBM (HElib) and Microsoft (SEAL) have since released open-source toolkits to make FHE more widely available, although they require specialized cryptographic expertise to use correctly and significant performance limitations remain.
Widescale adoption of FHE will require:
- Widely available database systems supporting FHE (think Amazon Web Services, Microsoft and other cloud providers)
- Libraries available in a variety of programming languages
- Performance comparable to operating on plaintext data.
What Do We Do in the Meantime?
Businesses should apply the 7 Principles of Privacy by Design to their data processing systems. This includes limiting the data you collect and process, and ensuring that you process data consistent with the social license granted by your customers. We’ve written previously about how we take a minimalist approach to analytics with our MySudo product, which is a model that we believe balances the privacy of our users and our need to operate a business.
As individuals, we should all acknowledge that government regulation and technology are not at a point today where we can abdicate responsibility for controlling access to our personal information. Read more on how you can get started.