Encryption, Security & Privacy

The notion that the state’s number one priority is to protect the wellbeing of the people it serves has been around for a long time. In exchange for taxation and compliance with the law, citizens will be protected by the resources held by governing authorities. 

Over time, the nature of this power relationship has evolved, not least because the means through which security is provided, as well as the scope of what security actually means, is ever changing.

Indeed, it has fuelled a debate around just how much interference and intrusion into privacy people are willing to accept in return for being kept safe. 

Realigning The Security Versus Privacy Debate 

Today, this conundrum is best encapsulated by varying public attitudes around the extent to which the police and security services should be leaning into information sources such as CCTV, phone records and other components of our digital footprints. 

Take London. With around 73 CCTV cameras per 1,000 inhabitants, it is by far the most surveilled city in the western world. And although Brits generally back its use, there are ongoing tensions around how CCTV is leveraged and whether privacy is being invaded too much in the name of protecting the public. There are also GDPR considerations, making it desirable that police should only get the information they need for a very specific, timebound purpose rather than an entire feed or database.

With many forms of digital and cybersecurity practices relying on the exchange of data to function, it begs the question - what if there was a way to enable cooperation between authorities and data holders without sacrificing individual privacy?

Fully Homomorphic Encryption (FHE) Offers A Solution

In simple terms, it is a technique that enables data to be processed blindly without having to decrypt it at any stage. Developers use a secret key to send encrypted data to a server where blind processing occurs – the result is encrypted and sent back, which developers then decrypt using their secret key. This enables the company or organisation providing the service to work with encrypted data on an end-to-end basis. 

Improving Privacy In Lawful Interception

Let’s come back to the security scenario and outline a couple of examples. There is a police investigation that involves looking for a suspect on a CCTV feed from a shopping centre. To locate them, the feed from the time period in question needs to be downloaded and put through a facial recognition programme. This presents problems in relation to privacy due to the amount of data that is being extracted to find one individual, which could be far greater than what a judge may grant the right to access. On the flipside, the police cannot simply tell the shopping centre CCTV operator who they are looking for, as this could result in the leakage of sensitive and secret information. 

Instead, using an FHE-enabled solution, the police could send the face of the suspect they need to locate in an encrypted manner. This would allow the operator to search and locate them without knowing who they are searching for, enabling what is commonly referred to as lawful interception. 

In the same manner, security forces may need to comb through the phone calls of a suspect and will need to work with telco companies storing the metadata. Again, this presents the challenge of only allowing access to what is needed, when it is needed and preserving the integrity of the database as a whole - as well as a citizen’s right to privacy! 

Of course, it’s not just police and security forces that have or need access to sensitive data. Businesses and corporations also hold vast amounts of sensitive data from competitive research, to commercial formulae to personnel records. In some cases, they may need to share information with a third-party service provider who has been instructed to carry out some form of cybersecurity audit or check. 

Part of this might involve a colleague wanting to know if their password has been hacked. This again presents a problem, because the only way to find out is to send the password to the third party, who now has this information at their disposal. 

Similarly, when it comes to a broader security audit, auditors need to examine their clients IT architecture and the list of all their network devices, applications and security tools in place to determine where vulnerabilities lie. Now that the third party knows about the company’s security vulnerabilities, there are two potential problems. First, the third party may not be trustworthy and use that information against the customer to hack them. Second, the third party itself could be hacked, leaving the information in the hands of cybercriminals.  

Once again, FHE can alleviate these concerns. In this case, an encrypted list of a company’s data can be sent to the third-party service provider to assess, without them knowing what those applications are.

FHE also makes the service provider a less attractive target for hackers, simply because they do not hold the sensitive information they are seeking. 

These are just two ways in which FHE has the potential to realign the security versus privacy debate. By offering the best of both worlds, individuals and organisations can have their security maintained without having to divulge key parts of their digital footprints. 

Ghazi Ben Amor is VP of Corporate Development at Zama

You Might Also Read: 

Hong Kongers Erase Their Digital Footprints:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Cyber Security And Ransomware Attacks - Problems & Solutions
Challenges For CTOs In 2023 »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Ilex International

Ilex International

Ilex International is a European software vendor which specialises in Identity & Access Management solutions.

Korea Internet & Security Agency (KISA)

Korea Internet & Security Agency (KISA)

KISA is committed to improving the competitiveness, reliability and security of Internet information and knowledge in Korea.

Viavi Solutions

Viavi Solutions

Viavi Solutions is a global leader in both network and service enablement and optical security performance products and solutions.

Egyptian Supreme Cybersecurity Council (ESCC)

Egyptian Supreme Cybersecurity Council (ESCC)

ESCC is responsible for developing a national strategy to face and respond to the cyber threats and attacks and to oversee its implementation and update.

Foreseeti

Foreseeti

Foreseeti is Europe’s leading provider of Automated Threat Modeling and Attack Simulation solutions.

SixThirty CYBER

SixThirty CYBER

SixThirty is a venture fund that invests in early-stage enterprise technology companies from around the world building FinTech, InsurTech, and Cybersecurity solutions.

Tactic Labs

Tactic Labs

Tactic Labs (part of the Avnon Group) delivers a holistic Cyber-Security Management Platform which provides military-grade protection, safeguarding critical infrastructures and mission-critical data.

Kyndryl

Kyndryl

Kyndryl has a comprehensive portfolio that leverages hybrid cloud solutions, business resiliency, and network services to help optimize your IT workloads and transformations.

NGN International

NGN International

NGN International is a full-fledged systems integrator and managed security services provider established in 2015 in Bahrain.

Cyber Protection Group (CPG)

Cyber Protection Group (CPG)

Cyber protection Group specialize in Penetration Testing. We work with enterprise level companies as well as small to medium sized businesses.

Trusted Security Solutions (TSS)

Trusted Security Solutions (TSS)

TSS are specialist in IT Security and providing Cybersecurity Solutions & Services combined with storage and backup.

Zenity

Zenity

Zenity is the first and only security governance platform for low-code/no-code applications.

Edgio

Edgio

Edgio provides unmatched speed, security, and simplicity at the edge through globally-scaled media and applications platforms.

IDECSI

IDECSI

IDECSI delivers cutting-edge technology and engages all employees in the security system for effective and cost-efficient data protection.

VISO Cyber Security

VISO Cyber Security

VISO provide Cyber Security Consulting and CISO as a Service to companies who need to augment their leadership teams with information security expertise.

xdr.global

xdr.global

Xdr.global is a cybersecurity consulting firm, focused on promoting and aligning Extended Detection and Response (XDR) security solutions.