Tech you need to know: Privacy Enhancing Technologies


This article is part of our Opinions section.


Our globally connected world certainly isn’t lacking data. Whether extracting insights that lead to better-informed decisions, looking for competitive advantage or expanding inputs used for AI applications, data makes a difference. Business leaders understand that the ability to leverage broader, richer data sources leads to enhanced outcomes.

However, the ability to securely and privately utilise data assets from a wide range of sources — internal, third party, partner, commercial and open source — to unlock value without increasing organisational risk is a challenge on the minds of leaders across industries.

Privacy Enhancing Technologies, or PETs, are a family of technologies poised to disrupt the traditional approach to data usage by overcoming barriers rooted in privacy and security concerns. Grouped together for their unique ability to protect data in use throughout the processing lifecycle, the technologies in the PETs category have long been the subject of academic and enterprise-driven research, but are now being utilised to address real-world business problems at scale.

In this article, I’ll discuss the unique value delivered by PETs and why IT and business professionals need to know and understand them today.

All about the usage

Data is only as valuable as the insights and advantages you can extract from it, and enabling data to be securely and privately used is where Privacy Enhancing Technologies shine.

If you’re wondering about this distinction, it’s worth revisiting the concept of the data triad. At the most basic level, data exists in one of three states: at rest, in transit, or in use. Enterprises and vendors alike clearly understand the need to protect data at rest, whether on the file system or in databases, as well as data in transit, where protection aims to ensure the security of data as it moves through the network.

These protection strategies are a critical, standard practice. In fact, there is broad acceptance that overlooking these foundational security schemes at the enterprise level would be an egregious oversight.

The approach to protecting data in use is not yet standardised; many large organisations fail to recognise the exposure that comes with using data in even the most basic ways, such as performing a search or analytics.

There are a number of vulnerabilities that arise when data is not protected during processing. In a cross-jurisdictional scenario, such as a bank performing searches on customer data that resides in another location, exposing the content of a search or analytics could violate data localisation or other regulatory compliance standards, especially if the search contains PII or other sensitive information.

For organisations that need to leverage third-party data sources, exposure of search or analytics content could reveal sensitive interests or intent. Take, for example, an investment firm conducting M&A research using market data aggregated by a commercial data provider. If the search content is visible to the data owner (as it is in most systems), the intention of the investor has the potential to be compromised, increasing the overall risk of the deal.

By protecting data during processing, PETs eliminate unintended exposure of sensitive or regulated search content, such as financial or health information, and broaden the types of sources that can be leveraged for business purposes. When implemented in conjunction with data at rest and data in transit protections, PETs ensure protection for data assets throughout their lifecycle.

This focus on protecting the data itself rather than the broader network is also a central pillar of a zero-trust protection strategy, an approach that many organisations are prioritising today.

A noteworthy family of technologies

Now that we have a sense of the value PETs provide, we can shift to a closer look at the technologies themselves, as well as the factors that have warranted the category’s increased attention of late.

A number of market influences, including the proliferation of global privacy regulations and the ongoing segmentation of data across organisational silos and security boundaries, have left business leaders looking for ways to protect data without hindering its usability.

Beyond the accelerating need, PETs have also been enjoying a “coming of age” moment. As with nearly all market-driven advancements, need drives interest; interest drives innovation; and innovation drives investment and adoption. Combine these forces together and we see the emergence of robust startup, research and open-source communities that have led to breakthroughs in performance and efficiency, transporting PETs from conceptual to practical for large-scale, enterprise use.   

At the heart of the PETs family are three key technology pillars: secure multiparty computation, homomorphic encryption and trusted execution environments. While there are many adjacent technologies, we will focus on these as they best represent the value at the heart of PETs: protecting the usage of data.

  • Secure Multiparty Computation (SMPC): Living up to its name, SMPC is a protocol that protects data by enabling it to be processed across multiple parties.
  • Homomorphic Encryption (HE): Standing apart for its ability to allow data to be processed in its encrypted state (ciphertext) as if it were in the unencrypted domain (plaintext), HE ensures sensitive data is never exposed at any point during processing. 
  • Trusted Execution Environments (TEEs): Also referred to in the market as Confidential Computing, TEEs are a perimeter-based security technology that exists on the chip itself.
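
The encrypted-search idea behind the HE bullet, shown as an added example (it is not from this article or from any vendor's product): a toy Paillier scheme, which is additively homomorphic only, lets a client fetch one record from a provider's table without revealing which record it asked for. The primes, function names and sample table are assumptions chosen for illustration, and the key size is far too small for real use.

```python
import math
import secrets

# Toy Paillier keypair from two small known Mersenne primes. Illustrative only:
# a ~150-bit modulus is far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)          # valid because the generator is g = n + 1
    return n, (n, lam, mu)        # (public key, private key)

def encrypt(n, m):
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    # (n + 1)^m mod n^2 equals 1 + m*n, so no exponentiation is needed for g^m
    return (1 + (m % n) * n) * pow(r, n, n2) % n2

def decrypt(priv, c):
    n, lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def build_query(n, index, size):
    """Client: encrypted one-hot selector; every element is a fresh ciphertext."""
    return [encrypt(n, 1 if i == index else 0) for i in range(size)]

def answer_query(n, query, records):
    """Server: computes Enc(sum(sel_i * record_i)) without any private key."""
    n2, acc = n * n, 1            # 1 is a valid encryption of 0 (r = 1)
    for c, value in zip(query, records):
        acc = acc * pow(c, value, n2) % n2   # c^value -> Enc(sel_i * value)
    return acc

def private_lookup(records, index):
    n, priv = keygen()
    query = build_query(n, index, len(records))
    reply = answer_query(n, query, records)
    return decrypt(priv, reply), query

if __name__ == "__main__":
    # Constructed sample data standing in for a third-party provider's table.
    table = [4120, 987, 15033, 64, 7771]
    value, query = private_lookup(table, 2)
    print("retrieved:", value)
```

The server only ever handles ciphertexts and its own plaintext table, so the selected index stays hidden from the data owner while the client still receives the correct record.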

Each of these technologies has strengths and weaknesses; there is no one-size-fits-all PETs solution. In fact, many of the technologies are complementary and can be used together depending on the security and privacy requirements of a given scenario.

Ultimately, the decision as to what the most effective PETs-powered capability will be comes down to the use case.

Business enablers: PETs in practice

For PETs to make an impact, all that is required is a need to unlock value from data. As such, the use cases for Privacy Enhancing Technologies are wide-ranging — they can be utilised by highly regulated commercial industries such as financial services and healthcare, public sector organisations with significant security constraints, businesses powering the Internet of Things and data usage at the edge, data owners who want to securely monetise existing assets, as well as entities looking to capitalise on the power of AI/ML with mindfulness relative to their organisational risk profile.

The implications of PETs for AI/ML applications are an emerging, critical area of focus that came to the forefront last fall when President Biden’s Executive Order for Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence pointed to PETs as a key enabler of Secure AI. As part of the order, US federal agencies were directed to advance the adoption of PETs “to protect privacy and to combat the broader legal and societal risks”.

Other global governments, policy bodies and think tanks (including ICO, CIPL and the United Nations) have recommended the use of PETs to ensure AI systems are deployed in a manner that supports privacy and long-term sustainability.

PETs can advance AI/ML model training by allowing models to be securely trained over diverse, disparate data sources without the need to pool, replicate or compromise the ownership of the underlying datasets. They can also be used to protect models during evaluation, helping prevent attacks such as model spoofing and model poisoning when models are used outside of an organisation’s trusted environment.

By protecting the usage of data, PETs are poised to transform how and where organisations can leverage data to drive business value. While these technologies are actively deployed today, the market continues to quickly advance and mature.

Organisations recognise the value of PETs — and regulators and lawmakers continue to solidify the need for these technologies by driving policy that requires a private and secure approach to data usage. In the future, protecting data while it’s being used or processed will be standard practice as organisations look to capitalise on the business value of expanded data sources while minimising their risk exposure.

In short, organisations that understand and begin to implement PETs now will be a step ahead in this data-driven era where every advantage matters. 

Ellison Anne Williams

Dr Ellison Anne Williams is the Founder and CEO of Enveil. Building on experience leading avant-garde efforts in large-scale analytics, data security, and machine learning, Ellison Anne founded the pioneering startup in 2016 to transform how and where data can be securely and privately leveraged to unlock value. She has contributed to TechFinitive under its Opinions section.
