The Role of Privacy Enhancing Technologies (PETs) and Their Uses for Business
Published: 6th January 2023
In an era where privacy plays a key part in adhering to customer needs and regulations, firms are struggling to get the most out of their data. Privacy enhancing technologies (PETs) are the cyber security industry’s answer to protecting customer data while extracting the information businesses need. Rob Pocock, our Technical Director, shares his thoughts on the role of PETs and their relevance for businesses.
What are privacy enhancing technologies?
The whole objective of PETs (e.g. homomorphic encryption, secure multiparty computation, and trusted execution environments) is to protect people’s personal data, usually with a combination of process and technology.
Quite often, the focus is on the protection of data when stored on a server somewhere. But when you consider that virtually all network traffic is now encrypted, security and performance monitoring tools can’t see the malware in network traffic unless it has been unlocked.
This poses two problems: how do you prevent cyber-attacks? And how do you monitor your clients’ quality of experience without putting their data at risk, or indeed, breaking industry compliance?
Sure, you can unlock the traffic with decryption tools before it reaches the security or monitoring layer, but if the network is carrying credit card numbers or personally identifiable information (PII), you need to ensure they are not seen by the security and monitoring tools, or indeed the people using them.
Challenges such as these need a combination of focus and advanced network visibility technology to ensure any potentially sensitive data is obfuscated. Only then can the ‘win-win’ of security filtering and quality of experience monitoring take place without putting people’s data at risk.
What are the benefits of privacy enhancing technologies for businesses?
The overarching benefit for businesses is having the ability to access a depth of data which can then be conditioned to their advantage – without breaking confidentiality.
For example, if a coffee chain wants to set up in a new area, the business will want to access location-based data to examine where its target audience congregates. Data from a Mobile Network Operator, conditioned correctly with PETs, will allow the organisation to safely access this kind of data without breaking confidentiality because it anonymises information that isn’t relevant, such as the name, address, and date of birth of its mobile phone subscribers. As a result, what remains is generic information so that data crunching and well-informed decisions can still take place.
Where are these technologies being used?
PETs should be used wherever data related to people is being accumulated. Where and how well they are being used can be another topic altogether. For example, booking a holiday means the holiday company will need information like your name, passport number, and address. Whilst most of us hand them this data without giving thought to who has access to it, where it is stored, and what sort of security stack is protecting it, in the wrong hands, someone will know when and for how long your home is likely to be empty.
With this type of technology and the amount of personal data out there, incorrect assumptions can also be made. An example of this is if a driver frequently charges their electric car at the same location at a hospital – there is data linked to the car they own. Consequently, if this driver applied for a life insurance policy and the insurers had access to that data, they might make assumptions about that person’s health status as they are often at a hospital car park. However, their parking at a hospital could be for a myriad of reasons, none of which are related to their health.
How should privacy enhancing technologies be implemented?
PETs should be implemented with careful consideration and in accordance with regulatory compliance. Essentially, it comes down to how and where you are doing it. For example, it’s important that businesses safely enable quality of experience monitoring to adapt to customer needs. If you want to properly see how people interact with your e-commerce website, you need to access copies of the network data that carry the end-to-end transaction. As said earlier, you don’t want to record their card number and personally identifiable information, and risk breaking industry compliance and putting your clients at risk.
Are there any risks/disadvantages involved in using privacy enhancing technologies?
Damages from data loss or disclosure can be devastating for companies, their clients, and supply chains. Remember the British Airways hack? The initial infiltration came via a baggage handling company logging in to BA’s remote access gateway using a device that, unbeknown to them, had been compromised. But when the hackers moved laterally into BA’s network, they found website logs containing credit card details in clear text. Ideally, organisations want as much information as possible so they can run highly targeted marketing or sell that data to another agency. However, the risk is that the value of their data diminishes because it has less information. Through masking certain information like name, date of birth, and credit card number when it passes through the network, businesses can avoid destroying the value of the data, they can protect the end user, and do so without impacting their own cyber security.
What does the future hold for privacy enhancing technologies and what will drive their adoption?
We need to have a better understanding of data. By default, businesses are used to asking for lots of information. For example, car rental companies need to know about recent insurance claims and if you are over the age of 23. To find this information, they ask to know your date of birth, but they don’t need to store this in order to know if you are aged 23 years or over. Subsequently, the organisation has received a lot more information than is needed.
As consumers, we need to challenge requests for our personal data to avoid overexposing ourselves. And as responsible employers and colleagues, we don’t just need to protect client data, we also have a duty to our staff and supply chains to ensure they do not come into contact with data outside of their remit – because no one wants to be viewed as either an accidental or intentional source of a data or compliance breach.
As industry regulation tightens in response to continued breaches of personal information, we see PETs becoming even more prevalent. They will allow organisations that hold or create data containing PII to keep it secure.