Privacy enhancing technologies: It's time to demonstrate the business benefits

By safely bridging silos, PETs could open up whole new areas of business and research, so why aren't we hearing more about them?

If data could be shared across functional silos in the knowledge that personal, sensitive or confidential information would not leak, it could turbocharge a huge number of collaborative activities.

An obvious one is health. Allowing researchers and AI modellers access to every patient's NHS records with no risk of deanonymisation (unfortunately relatively trivial with pseudonymised data) would enable more accurate diagnostics, larger drug efficacy trials and highly targeted medical interventions.

Banks could quickly spot fraud and money laundering as they could monitor across jurisdictions and other operational silos.

Energy companies could match supply and demand in real time and on a national scale.

Developers of LLMs and other AI models would be protected against model inversion attacks which can reveal the source training data.

And businesses could share results of analyses with partners without worrying that confidential or commercially sensitive information would get into the wrong hands. Indeed data categorisations - personal, sensitive, confidential, medical, criminal - would cease to be important.

Even better, in the spirit of open data, analyses could flow between domains allowing the analysis of energy use on health, or policy on finances.

The methods being developed to enable this vision are collectively called privacy enhancing technologies (PETs). They include techniques for anonymisation, for collaborative analysis without disclosing the source data, for encryption, and for securing or air-gapping environments. Some are mature, like trusted execution environments in cloud and confidential cloud services; others, such as homomorphic encryption, are just starting to become viable now.

Use cases for PETs

The Royal Society's Privacy to Partnership report, published in January, analyses the promise of PETs, the current state of the market and barriers to adoption. It also provides several recommendations for legislators to help them deliver on their potential value. One of its authors, Jon Crowcroft, professor of communications systems at Cambridge University, says that potential value is huge, and use cases go far beyond the targeted advertising which has so far been the main beneficiary of the big data revolution.

"Adverts associated with search and social media are as nothing compared with what one might do with healthcare data, optimising energy use across a country, food supply chains, but then suddenly you're in the realm of the personal," he said, during a webinar organised by PET vendor Enveil.

In the realm of personal data, of course, countless regulations and barriers concerning security and commercial confidentiality come into play.

Ellison Anne Williams, CEO of Enveil, spoke of uses in financial services and other highly regulated industries, where privacy and data security are paramount.

"Silos around data are increasing to grow, sometimes for good reasons. So how do you leverage data globally as an asset in a way that accepts those silos and boundaries and the reasons they exist?" she asked.

A global bank onboarding a new customer needs to know "in a business-relevant time frame" whether this customer is being banked anywhere else across other jurisdictions. Currently, that can take "weeks or months", as centralised searching is not legally possible. PETs could remove that restriction. They are currently being assessed by regulators including the FCA and the ICO, as well as by some financial institutions themselves.

Why aren't PETs more prominent?

But PETs in one form or another have been around for a while. Why, given their significant promise as enablers of better business and policymaking, aren't they more prominent?

Businesses are afraid to commit, said Vivienne Artz, co-chair of the International Regulatory Strategy Group data committee. The real barriers come from a lack of certainty about the place of PETs, whose capabilities overlap with existing business solutions, particularly from a legal standpoint.

"It's not clear in the legislation what status they have. If businesses are using PETs where does that processing fall on the spectrum of legal requirements, regulation and risk?"

There are organisational barriers too, said Crowcroft. The more silos you connect the more stakeholders you're going to affect, and if their interests aren't aligned progress can grind to a halt. A recent trial of sharing data across departments and regions in the NHS took two years to get off the ground - and that is within just one (albeit large and complex) organisation.

In addition, there are non-trivial technical difficulties to overcome, such as the management of cryptographic keys across boundaries.

So far, much of the work on PETs has been in academia and small sandboxed trials. To overcome these hurdles, build awareness and enhance understanding of PETs, large-scale demonstrations are required. It's time to scale up.

"Stop talking, start using, and demonstrate those positive outcomes so there's confidence in adoption going forward," said Artz. "Think of PETs not as a technical or legal solution but more of a business solution."

She also urged regulators to step up and be more supportive.

"Innovation is moving on. If you want to support a really powerful risk-based approach to privacy which can generate incredibly powerful and impactful returns for business, society and government, your support [in providing clarity] is hugely important."