US Senator encourages the use of 'Privacy Enhancing Technologies'

In a letter to the Commission on Evidence-Based Policymaking, US Senator Ron Wyden, D-Ore. proposed the use of privacy enhancing technologies (PETs) by government agencies in order to protect sensitive data.  

“I write to remind the commission that new government databases, even if they are created for well-intended purposes, can both threaten the liberty of Americans and create an irresistible target for criminal hackers and foreign governments.  For that reason, I strongly urge the commission to recommend that privacy enhancing technologies (PETs), such as secure multi-party computation (MPC) and differential privacy, must be utilized by agencies and organizations that seek to draw public policy related insights from the private data of Americans.”

Differential privacy is a method for answering queries on a database so that the result reveals almost nothing about any single individual's record: calibrated random noise is added to each answer, with the amount governed by a privacy parameter (epsilon). Stronger privacy means more noise, so it forces a tradeoff between privacy and the accuracy of the results. Cryptographic methods like MPC work differently: several parties jointly compute a function over their combined data and obtain an exact result, while no party (and no server) sees another party's inputs. MPC protects the inputs but says nothing about what the output itself discloses, and differential privacy bounds what the output discloses but does not hide the data from whoever runs the computation, which is why the two are complementary rather than competing.
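Both techniques on a toy dataset, as an added example that is not part of the original post or of any agency's tooling: three-party additive secret sharing (one building block of real MPC systems) computes an exact total without any party seeing an input, and the Laplace mechanism releases an epsilon-DP count whose error grows as epsilon shrinks. The field size, party count, predicate and the income values are assumptions of this illustration.

```python
import math
import random
import secrets

# Added example, not from the original page: the two PETs named above on a
# constructed dataset. The MPC half is three-party additive secret sharing;
# the DP half is the Laplace mechanism for a counting query. Field size,
# party count and the INCOMES values are assumptions of this illustration.

P = 2**61 - 1  # prime modulus; every share is a uniform element of Z_P


def share(value: int, n_parties: int) -> list:
    """Split value into n_parties additive shares that sum to value mod P.
    Any n_parties - 1 of them are independent uniform values, so a party
    that sees only its own share learns nothing about value."""
    shares = [secrets.randbelow(P) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def mpc_sum(inputs: list, n_parties: int = 3) -> int:
    """Each data owner hands one share of its value to each party. Parties
    add the shares they hold locally (addition needs no interaction);
    opening the summed shares reveals the exact total and nothing else."""
    held = [0] * n_parties
    for x in inputs:
        for party, s in enumerate(share(x, n_parties)):
            held[party] = (held[party] + s) % P
    return sum(held) % P  # the "opening" step


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF from a uniform in (-0.5, 0.5)."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(values, predicate, epsilon, rng=None) -> float:
    """epsilon-differentially private count. A counting query has sensitivity 1
    (adding or removing one person changes it by at most 1), so Laplace noise
    with scale 1/epsilon makes the released number epsilon-DP."""
    if rng is None:
        rng = random.Random()
    true_count = sum(1 for v in values if predicate(v))
    return true_count + laplace_noise(1.0 / epsilon, rng)


def mean_abs_error(values, predicate, epsilon, trials=2000, seed=0) -> float:
    """Average |released - true| over repeated releases; it is about 1/epsilon,
    which is the accuracy cost of privacy the text refers to."""
    rng = random.Random(seed)
    true_count = sum(1 for v in values if predicate(v))
    total = sum(abs(dp_count(values, predicate, epsilon, rng) - true_count)
                for _ in range(trials))
    return total / trials


INCOMES = [52_000, 61_500, 48_200, 120_000, 39_900, 75_300]  # constructed sample


def over_50k(income: int) -> bool:
    return income > 50_000


if __name__ == "__main__":
    print("exact total via MPC:", mpc_sum(INCOMES), "==", sum(INCOMES))
    print("true count over 50k:", sum(map(over_50k, INCOMES)),
          "DP release (eps=0.5):", round(dp_count(INCOMES, over_50k, 0.5), 2))
    for eps in (0.1, 1.0, 10.0):
        print(f"eps={eps}: mean abs error {mean_abs_error(INCOMES, over_50k, eps):.2f}")
```

Note what each half does and does not protect: the MPC total is exact, but with only two data owners the output itself reveals the other owner's input, while the DP count hides individuals in the output but is computed by a party that holds the raw data. In practice the two are combined, for example by computing a noised statistic inside the MPC protocol.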

Presenters at the Sixth Meeting of the Commission on Evidence-Based Policymaking discussed how advanced secure computation technologies are starting to be utilized in other countries such as Switzerland and are sufficiently developed for broader commercial adoption.

Banking on [digital] Trust

Trust cements the foundation of the banking industry.  Without it, we would be more apt to keep cash stuffed under our mattresses than in the impenetrable vault of a stranger. Modern digital banking wins and maintains customers' trust through the security, transparency and accessibility of their data.  Unfortunately those three goals do not always reinforce each other.

A series of publicized actions over the past 14 months have highlighted the struggle for this balance, as J.P. Morgan Chase & Co. and Wells Fargo & Co. limited direct linking between customer accounts and third party providers such as Intuit (maker of QuickBooks and owner of Mint.com) due to security concerns and, according to a 2015 WSJ article, a perception of "increasing competition." Now it appears that the business value and consumer benefit of secure data sharing has prevailed, as both J.P. Morgan Chase & Co. and Wells Fargo & Co. have signed deals with Intuit.  As stated in a Feb. 7 Business Insider report, "customers will be able to share their account data with Intuit's services through the bank's open application programming interface (API) — without entering online banking details — from the second half of 2017."  This opens greenfield opportunities for both the banks and third party providers to create new revenue streams from collective data sets while offering their customers a more integrated experience. 

The decision to make it easier for clients to access and share their data with third parties suggests that these banks are trying to rebuild trust and loyalty.
— BI Intelligence

Customers obviously want the value that such service providers and 'data aggregators' can bring, but centralizing sets of highly sensitive personal information is generally not a prudent path to minimize security risks, nor is relinquishing control or access to the data the best way for banks to maximize their value-added services.  There are cryptographic and computational methods that enable each party to keep their information private while running aggregate models and algorithms on the distributed data. This is one of the challenges that we are addressing with our next-gen platform, which we will be announcing later this year, going beyond secure data search and sharing to secure data computing.

Behavioral Futures and Surveillance Capitalism

The inevitable onslaught of targeted advertisements has both consumers and technology companies wondering whether there is any alternative future for internet economics.  Jonathan Shaw recently published a compelling piece in Harvard Magazine, breaking down some of the biggest challenges to our understanding of individual freedoms and technological progress. In this article he interviews the outspoken privacy advocate, Harvard professor and author Shoshana Zuboff who coined the term "surveillance capitalism" in reference to a market in which "rights are taken from us without our knowledge, understanding, or consent and used to create products designed to predict our behavior."  How do consumers gain control and maintain privacy when they are the targeted commodity? 

Yochai Benkler, director of the Berkman Klein Center for Internet and Society, believes that personal data should be held by consumers themselves, creating a more robust, decentralized network of sensitive information without the single points of failure we have seen in the large-scale breaches of governments and industry.  A more practical way to meet this distributed storage and access challenge is client-side encryption with the individual holding the secret keys, so that the data can securely reside anywhere while the individual retains control of their privacy.  The two aspects are coupled, as the pioneering security expert Bruce Schneier has put it: "I actually can't give you privacy unless you have security."

Confusion in China's Cyber Laws

The latest in a wave of sovereign data security laws has emerged from China, causing some alarm among companies trying to understand how it could impact their businesses.  Several sectors are identified as "critical information infrastructure", including telecommunications, information services and finance, which would be required to store personal information and sensitive business data in China, among other things. Perhaps the most significant concern is the ambiguity of China's intentions with this new legislation, although the acceptance of several U.S. technology companies into Technical Committee 260 earlier this year indicates a broadening will to collaborate.

Regardless of the objectives and enforcement methods used in this and similar legislation around the world, if users and customers encrypt their data before corporate networks or applications process it, authorities in any jurisdiction will find it very hard to hold enterprises accountable for content the enterprises cannot see or access.  Encryption does not, however, remove obligations around metadata or data location, nor does it stop a regulator from compelling disclosure of keys that are held within its reach, so the keys have to stay with the user for the argument to hold.

Cloud Security by the numbers

With over 3,000 IT professionals surveyed, the recent Ponemon study sponsored by Gemalto addressed issues concerning the "Global State of Cloud Data Security."  The participants represented a good cross section of company size and geographic location around the world.  Over 70% of those surveyed believe that the "management of privacy and data protection regulations" is more complex in the cloud, due in part to the fact that a similar number believe that it is "more difficult to protect confidential or sensitive information in the cloud."

Whereas enterprises look to save money, improve scalability and simplify their IT infrastructure through cloud services, they believe that security, privacy and compliance are much harder to achieve.  Perhaps it is no surprise then that only about a third of those surveyed use encryption to secure their cloud data; however, it is encouraging to note that half of those using cryptographic tools make data unreadable before sending it to the cloud provider, implying that they manage their own keys.  Responses are trending in the right direction but we still need to do more work to educate IT pros on how to exceed privacy and regulatory requirements through proper end-to-end encryption.

Open Camps Conference at UN

The world's largest mission-driven open source conference, Open Camps aims to "break down barriers to technology innovation through open source governance, communities and collaboration." The Inpher team presented the _ultra development platform for application-level security and privacy at the Search Camp session in New York on July 10th. The paradigm of trust in computing changes with new methods to share and query encrypted data on standard search and storage platforms such as Solr and Hadoop: sensitive information can be processed in untrusted environments where the hosting provider learns nothing about the plaintext. The session highlighted how enterprises from insurance companies to healthcare providers are securing a path to scale in the public cloud for big data storage, sharing and analytics.

Gone, not forgotten.

You can throw away the key, but information is persistent.

Strong privacy laws that establish the 'right to be forgotten' may be unenforceable.  EU citizens can request that search engines remove results that are no longer relevant or accurate; however, researchers at NYU have found that even after links are delisted it is possible to determine the names of individuals who petitioned for their removal.  Delisting only suppresses a result for searches on the petitioner's name, so the page is still returned for searches on its topic.  Simply by reviewing the source articles, extracting the names they mention, and then comparing a search on the article's topic (which still returns it) with the same search plus each name (which returns nothing for a delisted name), virtually anyone could uncover 30-40% of the delisted results and the individuals behind them.  The fact that antagonists can exploit this easy hack leads to the paradoxical 'Streisand effect' for those who wish to regain anonymity.  The lesson? Once information is out of your control, it stays that way: no amount of legislation can reverse Pandora's gossip box.
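The inference described above, as an added example that is not part of the original post and not the NYU researchers' code: a toy search engine that applies name-based delisting the way the EU mechanism does, and the cross-referencing attack run against it. The articles, URLs, names and the delisted set are all constructed for this illustration.

```python
import re

# Added example (not from the original article, nor the NYU researchers'
# code): a toy search engine with name-based delisting, and the
# cross-referencing inference the text describes. The articles, URLs,
# names and the DELISTED set are constructed for this illustration.

ARTICLES = {
    "https://example.org/news/1": "Alice Martin was fined after the Riverside bakery health inspection in 2009.",
    "https://example.org/news/2": "Council member Bob Okafor opened the new Riverside library on Tuesday.",
    "https://example.org/news/3": "Carol Dubois and Dan Weiss were cleared in the Harbor Bank audit.",
}

# Private to the search engine: (name, url) pairs that were delisted on request.
DELISTED = {
    ("Alice Martin", "https://example.org/news/1"),
    ("Dan Weiss", "https://example.org/news/3"),
}


def tokens(text: str) -> set:
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def search(query: str, delisted=DELISTED) -> list:
    """Return URLs whose text contains every query term. As with EU delisting,
    a result is suppressed only when the query contains the petitioner's name;
    the page stays online and is still found by topic-only searches."""
    q = tokens(query)
    hits = []
    for url, text in ARTICLES.items():
        if not q <= tokens(text):
            continue
        if any(url == d_url and tokens(name) <= q for name, d_url in delisted):
            continue
        hits.append(url)
    return hits


def candidate_names(text: str) -> set:
    """Crude name extraction: two adjacent capitalised words. False candidates
    such as 'Harbor Bank' are harmless; the cross-check below filters them."""
    return set(re.findall(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b", text))


def infer_delisted(articles=ARTICLES) -> set:
    """The attack: for each article, search its topic (names removed), then
    the same topic plus each candidate name. A name whose addition makes a
    previously visible result vanish is one that petitioned for delisting."""
    found = set()
    for url, text in articles.items():
        names = candidate_names(text)
        topic = text
        for name in names:
            topic = topic.replace(name, " ")
        if url not in search(topic):
            continue  # the page must surface on topic alone for the check to work
        for name in names:
            if url not in search(f"{topic} {name}"):
                found.add((name, url))
    return found


if __name__ == "__main__":
    recovered = infer_delisted()
    print(f"recovered {len(recovered)} of {len(DELISTED)} delisted names:")
    for name, url in sorted(recovered):
        print(f"  {name} -> {url}")
```

The attack needs no access to the engine's internals: the suppression is keyed on the name, so the name is exactly what the difference between the two result sets leaks. Against a real engine the 30-40% figure from the text comes from imperfect name extraction and topic queries that do not uniquely surface the article, which is what the topic-only check in infer_delisted guards against here.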

[Secure] Sharing is caring

Many of our customers told us they need to share sensitive data with approved collaborators.  We are excited to announce the release of _ultra 1.2, which supports sharing of encrypted data sets without decryption through a single key exchange. This capability is particularly useful in big data collaboration because the compute overhead to share data is independent of its size: the key exchange takes constant time, so the shared encrypted data set is immediately available for computation.

Keyword search is enabled on shared data by utilizing a key exchange system based on standard public and secret key cryptography. The _ultra encrypted key architecture allows applications to manage information in vulnerable cloud or on-premise environments while keeping sensitive data unreadable to the infrastructure provider and host.

Rethinking IoT Security

Inpher SDK running natively on a Raspberry Pi: data is encrypted and indexed as it is created for secure cloud operations.

With over 20 billion devices coming online by 2020 and an estimated 25 vulnerabilities per product, it's no wonder that IoT security is a hot topic.  While acknowledging that encryption is not the complete answer, we maintain that data should be protected as it is created.  That's why we engaged cryptographer and hardware security expert Dr. Andrea Miele, a researcher at Intel Labs, to see if he could deploy our libraries natively on an IoT device.  And he did!  Without modification he ran our _open toolkit on a Raspberry Pi 2 Model B  to encrypt and index on the device, enabling secure log data storage in the public cloud with wicked fast search and sharing operations.  We are working on our next-gen solution that will enable analytics to be run directly on the encrypted data for truly secure distributed computing. In the meantime feel free to ping us for more info!
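The encrypt-and-index-at-creation pattern described here, and the untrusted-host search model in the Open Camps and _ultra 1.2 items above, as an added example that is not Inpher's _open or _ultra code: the device holds the keys, every log line leaves it as ciphertext plus keyed keyword tokens, and the host answers keyword queries over data it cannot read. The cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, a stand-in used only because the Python standard library has no AEAD; the key derivation, token scheme, class names and the log lines are assumptions of this illustration.

```python
import hashlib
import hmac
import os

# Added example (not Inpher's _open/_ultra code): encrypt-and-index on the
# device, keyword search on an untrusted host. Stand-ins: HMAC-SHA256 in
# counter mode plus an encrypt-then-MAC tag replaces a real AEAD (use AES-GCM
# or ChaCha20-Poly1305 in production); SAMPLE_LOGS are constructed data.


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class Device:
    """Holds the keys. Everything leaving this class is ciphertext or a token."""

    def __init__(self, master_key: bytes):
        # Domain-separated subkeys: one each for encryption, MAC and the index.
        self.enc_key = _prf(master_key, b"enc")
        self.mac_key = _prf(master_key, b"mac")
        self.idx_key = _prf(master_key, b"idx")

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = [_prf(self.enc_key, nonce + ctr.to_bytes(4, "big"))
                  for ctr in range((length + 31) // 32)]
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)  # fresh per record, never reused with this key
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = _prf(self.mac_key, nonce + ct)  # encrypt-then-MAC over nonce and ciphertext
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(_prf(self.mac_key, nonce + ct), tag):
            raise ValueError("ciphertext tampered with or wrong key")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def token(self, keyword: str) -> bytes:
        """Deterministic keyed token: equal keywords give equal tokens so the host
        can match them, but the host cannot invert them without idx_key."""
        return _prf(self.idx_key, keyword.lower().encode())

    def index_record(self, line: str) -> tuple:
        """Encrypt a log line and derive the tokens for its words at creation time."""
        words = {w.strip(".,:;") for w in line.split()}
        return self.encrypt(line.encode()), frozenset(self.token(w) for w in words if w)


class UntrustedHost:
    """Cloud side: stores blobs and tokens, never sees keys or plaintext."""

    def __init__(self):
        self.records = []  # list of (ciphertext blob, frozenset of tokens)

    def store(self, blob: bytes, tokens: frozenset) -> None:
        self.records.append((blob, tokens))

    def query(self, token: bytes) -> list:
        return [blob for blob, toks in self.records if token in toks]


SAMPLE_LOGS = [  # constructed sample data
    "2017-02-01T10:00:01Z sshd: Failed password for root from 203.0.113.5",
    "2017-02-01T10:00:02Z sshd: Accepted publickey for pi from 198.51.100.7",
    "2017-02-01T10:00:09Z sshd: Failed password for admin from 203.0.113.5",
]


def search_logs(device: Device, host: UntrustedHost, keyword: str) -> list:
    """Send only the token to the host; decrypt the matching blobs locally."""
    return [device.decrypt(b).decode() for b in host.query(device.token(keyword))]


def demo(keyword: str = "failed") -> list:
    device = Device(os.urandom(32))
    host = UntrustedHost()
    for line in SAMPLE_LOGS:
        host.store(*device.index_record(line))
    return search_logs(device, host, keyword)


if __name__ == "__main__":
    for line in demo("failed"):
        print(line)
```

The caveat a practitioner should keep in mind: deterministic tokens let the host see which records share a keyword and how often each token is queried, which is the standard leakage of this class of searchable encryption. That is the price of letting a host with no key answer queries; if the query pattern itself is sensitive, the tokens need to be padded or randomised at a further cost in performance.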

Safe Harbor 2.0 and the reaction of cyber imperialists

Mr. Schrems has his doubts about 'Safe Harbor 2.0', according to his recent interview with Ars Technica.  Others have been quick to jump on board with dissent, eyeing opportunities to become a neutral data haven.  According to John Whelan, a data privacy lawyer, in an interview with the Irish site independent.ie, “If Privacy Shield doesn't work out and ultimately data has to be segregated, Ireland is viewed as a good and safe place to store data by multinationals.”

In our view it's unfortunate when the physical location of data is used to sovereign advantage. The debate is really about the jurisdiction that governs privacy in a borderless internet.  It’s analogous to the imperialistic ideology of traditional network security: build a firewall and monitor your perimeter instead of securing the applications and data, your virtual citizens.  Who cares where the information is physically stored and processed as long as only the right people can see it?   In our opinion the tech industry should obviate the debate with a multilateral security and privacy framework that empowers international citizens, i.e. their users.  Governments should follow.

ATTACK OF THE OMBUDSPERSON - draft Privacy Shield document released

The draft document for ‘Safe Harbor 2.0’ was released on March 2, and is pending review and approval by the EU Article 29 Working Party by the end of March (sure).  Sidley Austin’s Data Matters blog covers it well.  In summary, the new framework is ‘significantly different’ from Safe Harbor 1.0 so companies must re-certify to “ensure a level of protection of personal data that is essentially equivalent to the one guaranteed by the basic principles laid down in Directive 95/46.”  Access rights, liability and provisions for securing personal data are all more stringent.

Bring on the ombudsperson!!!

Making big data anonymous and useful.

We are pleased to see The Economist educating their audience about techniques like homomorphic encryption and multiparty computation, as well as noting that "putting them to work on messy, real-world data is proving tricky."   Hopefully further investigation will include methods we support for searching encrypted data that scale and provide the performance necessary for real-world applications.