The term Privacy Enhancing Technologies (PETs) has been around for decades and is now experiencing a renaissance as global awareness of, demand for, and regulation of privacy increase. While the label itself is intuitively powerful (who isn’t in favor of technologies that enhance privacy?), it is also ill-defined and often misunderstood. There is a broad and varied range of business-enabling capabilities powered by Privacy Enhancing Technologies, but not all PETs are created equal. For businesses to fully benefit from the technologies in this increasingly visible category, they must start by understanding what the label encompasses and which market challenges PETs are best suited to address.
At their core, PETs are a family of technologies that enable, enhance, and preserve the privacy of data throughout its lifecycle. Beyond locking down the data, some of these technologies allow data assets to be securely and privately used, overcoming the very regulatory barriers that have in many ways spurred renewed interest in them. Organizations whose business functions have been inhibited by the surge in privacy regulation see PETs as a way to extract critical insights without moving or replicating data, which is often not feasible. PETs can also allow these organizations to pursue data sharing and collaboration while remaining in compliance. To implement strategies flexible and adaptable enough to work effectively across a wide range of regulatory environments, business leaders are increasingly embracing PETs as part of data-centric security and zero trust concepts.
To unpack what this means, it is helpful to consider the three states of data (at rest, in transit, and in use), which can be viewed as the three segments of the Data Security Triad. Data at Rest includes inactive data stored in any number of digital forms, such as databases, data lakes, or other storage technologies. It is frequently protected using database encryption, tokenization, and pseudonymization techniques, along with access control and governance/provenance solutions. While protecting Data at Rest is well understood from a technical perspective, organizations do not always implement those protections sufficiently.
The Data in Transit segment includes any data moving through the network, typically protected by TLS/SSL. It is the best understood and best served segment of the Data Security Triad and is likely to be one of the first points of focus when securing organizational data assets. The general acknowledgement and understanding around securing Data at Rest and Data in Transit make them ‘commodity’ protections; while they are important pillars of data-centric security and privacy preservation, they are not the focus of the current usage of the PET terminology.
Instead, the usage of Privacy Enhancing Technologies is focused on the third area of the Data Security Triad: Securing Data in Use. This is the segment in which data assets are meaningfully used or processed. Organizations often need to perform operations such as searches or analytics in order to extract value, which creates points of data exposure. PETs are designed to help eliminate this vulnerability by enabling data to be securely and privately processed. In this era of compliance, it is particularly important that organizations performing operations on personally identifiable information or other types of sensitive data understand the risks inherent to Data in Use in order to minimize regulatory risk.
Today, a handful of technologies are being used to preserve privacy by securing Data in Use; the most commonly referenced include homomorphic encryption, secure multiparty computation, and trusted execution environments. Once limited to academic and theoretical discussion, these technologies have moved into the domain of commercial practicality for the first time. The security level of each technology is positively correlated with its ability to preserve and/or enhance privacy: the more secure, the more privacy is preserved. Homomorphic encryption provides the strongest security (and hence the greatest privacy enhancement), while trusted execution environments are the weakest option mentioned here (and hence the least privacy preserving). The level of security required depends on the use case, the type of data being processed, and the trust levels of the parties involved.
PETs are used most effectively and efficiently when they protect the part of the data that specifically needs to be secured. For example, take a financial services onboarding/Know Your Customer challenge that was highlighted as part of a TechSprint hosted by the Financial Conduct Authority last year. A prospective customer provides a bank with the information needed to open an account, which may include name, address, occupation, and a number of other personal identifiers. The bank runs the information through its systems to check for existing account information and red flags that help build a risk profile for the potential customer. However, privacy regulations prevent the bank from efficiently sharing or cross-referencing that personal information with third parties, or even with branches of the same bank that lie beyond regional or jurisdictional boundaries. When PETs (homomorphic encryption in this case) are used to protect the query that contains the PII, the bank can securely collaborate with other intra- or inter-bank data sources to enhance the risk profile while ensuring the regulated information in the query is never decrypted in an untrusted environment. The encrypted results returned enable the onboarding bank to make better informed, intelligence-led decisions, all while ensuring the privacy of the prospective customer remains protected.
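As an added illustration of the encrypted-query pattern just described (not code from the original article or from the FCA TechSprint), the following Python sketch uses a toy Paillier scheme, which is additively homomorphic, so that an onboarding bank can ask a partner for the risk score attached to a customer identifier while the partner never sees which identifier was queried and never decrypts anything. The key size, the 64-slot table, the identifiers and the watchlist are constructed assumptions.

```python
import hashlib
import math
import secrets

# Toy Paillier key pair with small fixed primes (illustration only; real keys use ~1024-bit random primes).
P, Q = 1000003, 1000033
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)       # private key part
MU = pow((pow(N + 1, LAM, N2) - 1) // N, -1, N)          # private key part
TABLE_SIZE = 64                                          # slots in the shared lookup table

def encrypt(m: int) -> int:
    """Paillier encryption under public key (N, g = N + 1): c = g^m * r^N mod N^2."""
    r = secrets.randbelow(N - 1) + 1
    return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2

def decrypt(c: int) -> int:
    """Paillier decryption: m = L(c^LAM mod N^2) * MU mod N, with L(x) = (x - 1) / N."""
    return ((pow(c, LAM, N2) - 1) // N * MU) % N

def bucket(identifier: str) -> int:
    """Both parties map a normalized identifier to the same slot; no secret is needed."""
    return int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big") % TABLE_SIZE

def score_table(watchlist: dict) -> list:
    """Partner's plaintext table: risk score per slot (0 = no record, max on collision)."""
    table = [0] * TABLE_SIZE
    for ident, score in watchlist.items():
        table[bucket(ident)] = max(table[bucket(ident)], score)
    return table

def build_query(identifier: str) -> list:
    """Onboarding bank: encrypt a one-hot selector; each slot is a fresh ciphertext, so the partner cannot tell which slot is asked about."""
    b = bucket(identifier)
    return [encrypt(1 if i == b else 0) for i in range(TABLE_SIZE)]

def answer_query(query: list, watchlist: dict) -> int:
    """Partner: computes Enc(sum_i q_i * s_i) using ciphertext multiplication (= plaintext addition)
    and ciphertext exponentiation (= plaintext scaling). Nothing is decrypted on this side."""
    result = encrypt(0)
    for c, s in zip(query, score_table(watchlist)):
        result = (result * pow(c, s, N2)) % N2
    return result                                        # decrypts to the score in the queried slot

def lookup(identifier: str, watchlist: dict) -> int:
    """Full round trip: the bank decrypts only the returned score, never the partner's table."""
    return decrypt(answer_query(build_query(identifier), watchlist))

# Constructed sample watchlist held by the partner (identifiers are made up).
WATCHLIST = {"jane doe|1980-01-01": 7, "john roe|1975-05-05": 3}
```

A real deployment would use a production homomorphic encryption library and a much larger key; the fixed 64-slot hash table also means two identifiers can share a slot, so a hit should be confirmed against the full record before acting on it.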
This use case, and many others like it across verticals including healthcare, financial services, and government, demonstrates the power of PETs through the business-enabling capabilities they facilitate. The attention PETs have garnered in recent months is warranted and reflects the paradigm-shifting power they hold. The use of PETs is becoming increasingly critical in verticals where accelerating regulation limits business functions. In its 2019 “Protecting Privacy in Practice” report, the Royal Society said that PETs “could create new opportunities to use datasets without creating unacceptable risks,” with the potential to reshape the data economy. But before organizations can put Privacy Enhancing Technologies to use, they need to understand the range of technologies included under this umbrella category, as well as the specific challenges they are best positioned to address.