Security doubts have long plagued the sharing of data between organisations but is there light at the end of the tunnel? Jem Brown explains why Homomorphic Encryption offers a viable solution.
The press often gets a fair bit of stick for only reporting on bad news. Front pages – or perhaps it’s more apt these days to highlight their home pages – tend to be harbours of the negative, rather than the positive.
There are many reasons. Sudden disasters, for example, are more dramatic than slow improvements and it’s also down to us – we are wired to pay more attention to unpleasant news, something psychologists describe as “negativity bias”.
When it comes to the ever-increasing media coverage of data issues, the situation is little different. While stories of data breaches abound, little or no attention is paid to the fact that data sharing between organisations, and between those in the public and private sectors, takes place without incident every single day. And in many of these cases – particularly those involving intelligence or criminal investigations – it is vital to the national interest.
However, this is no cause for complacency. New privacy requirements such as GDPR and the DPA have reshaped the way data is handled and this new normal, combined with the sheer scale of data that organisations now store and process, has rendered old systems obsolete. Certainly, the past practice of bulk sharing data sets is less and less acceptable as a solution.
One alternative is for the organisation requesting the data to surgically search and bring back only the information which relates to suspects or subjects of interest from a partner data provider. Unfortunately, this has proven to be a significant technical challenge to date.
Enter Homomorphic Encryption
We are all familiar with encryption of data at rest, which is inactive data stored physically in any digital form such as databases, data warehouses, archives and so on. We’re also accustomed to data encryption when it’s in transit – i.e. when it is moving from a sender to a recipient, like a WhatsApp message, for example.
But what Homomorphic Encryption (HE) offers for the first time is encrypted processing. The maths behind HE has been around for 20 years but a practical – i.e. sufficiently cheap and fast – implementation has always been difficult to achieve. Indeed, it is still many years away if the solution is to be able to secure any arbitrary type of processing.
Recently, researchers have looked at applying HE to a limited problem space. In the last couple of years Enveil, a US start-up, has launched a new product, ZeroReveal, which allows the requesting organisation to keep what they are interested in encrypted and secure from the partner organisation providing the data.
When the requester searches the partner data set, the matching algorithm uses HE so that even the database administrators who own the data can’t see what data has been selected and returned as a result set. HE will always come with a processing overhead but working with Enveil, BAE Systems have demonstrated that ZeroReveal can return results in time frames which can fit with how investigators operate.
This secure, surgical search capability is valuable in many ways. For example, in intelligence investigations many private organisations may hold pertinent data about a suspect but the fact that an individual is being investigated may be highly sensitive and not sharable with these data providers. Another example is in financial services, where financial crime (such as money laundering) will normally involve interactions between multiple financial institutions. An informed and insightful picture can really only be constructed if data is shared between these financial institutions, data which generally needs to be protected on both privacy and commercial grounds.
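The encrypted search described above can be illustrated with a small additively homomorphic scheme. The following is an added example, not Enveil's ZeroReveal code or anything from BAE Systems: it uses textbook Paillier encryption with a toy key, and the function names, the sample records and the simplification of selecting a record by position are assumptions made for illustration.

```python
import secrets
from math import gcd

# Toy Paillier key built from two small Mersenne primes: illustration only, not secure.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # private: lcm(p-1, q-1)
MU = pow(LAM, -1, N)                            # private: valid because g = n + 1

def encrypt(m):
    """Requester side: Enc(m) = (1 + m*n) * r^n mod n^2 with fresh random r."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            break
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def decrypt(c):
    """Requester side: requires the private values LAM and MU."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def build_query(index, size):
    """One ciphertext per record slot: Enc(1) at the wanted slot, Enc(0) elsewhere."""
    return [encrypt(1 if i == index else 0) for i in range(size)]

def server_answer(query, records):
    """Data provider side: works on ciphertexts and the public modulus only.
    prod(q_i ^ record_i) = Enc(sum(sel_i * record_i)) = Enc(selected record)."""
    acc = 1
    for c, rec in zip(query, records):
        acc = acc * pow(c, rec, N2) % N2
    return acc

def private_lookup(index, records):
    """Full round trip: encrypted query out, encrypted answer back, local decrypt."""
    return decrypt(server_answer(build_query(index, len(records)), records))

# Constructed sample data: each record encoded as an integer smaller than n.
RECORDS = [int.from_bytes(s.encode(), "big")
           for s in ("acct-0417", "acct-2290", "acct-8831")]

if __name__ == "__main__":
    got = private_lookup(1, RECORDS)
    print(got.to_bytes((got.bit_length() + 7) // 8, "big").decode())
```

The data provider touches every record on every query and sees only randomised ciphertexts, which is where both the privacy property and the processing overhead come from.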
But it’s not just a technology issue
Recently we have seen increasing interest in technologies which support private data sharing; for example, in June Google announced ‘Private Join and Compute’ which is also an HE-based solution. However, it’s important to note that as with most technology solutions, adoption is rarely down to the coolness of the technology. More often, it’s dependent upon human factors. Generating trust and persuading people to be comfortable about using this new approach is crucial.
One way to ensure the right governance structures are in place is through pilots, which are a good way to build new capability and confidence. And as my colleague Holly Armitage has pointed out, an increased focus on ethics will also help clear away doubts about the power and potential of greater data sharing.
There is clearly some way still to go before encrypted processing has taken deep root. But the potential is clear. Fast forward a few years and I’d wager that HE will have become a familiar – and much relied on – component of the data landscape.
Watch this space.