Encryption, Security & Privacy

The notion that the state’s number one priority is to protect the wellbeing of the people it serves has been around for a long time. In exchange for taxation and compliance with the law, citizens will be protected by the resources held by governing authorities. 

Over time, the nature of this power relationship has evolved, not least because the means through which security is provided, as well as the scope of what security actually means, is ever changing.

Indeed, it has fuelled a debate around just how much interference and intrusion into privacy people are willing to accept in return for being kept safe. 

Realigning The Security Versus Privacy Debate 

Today, this conundrum is best encapsulated by varying public attitudes around the extent to which the police and security services should be leaning into information sources such as CCTV, phone records and other components of our digital footprints. 

Take London. With around 73 CCTV cameras per 1,000 inhabitants, it is by far the most surveilled city in the western world. And although Brits generally back its use, there are ongoing tensions around how CCTV is leveraged and whether privacy is being invaded too much in the name of protecting the public. There are also GDPR considerations, making it desirable that police should only get the information they need for a very specific, timebound purpose rather than an entire feed or database.

With many forms of digital and cybersecurity practices relying on the exchange of data to function, it begs the question - what if there was a way to enable cooperation between authorities and data holders without sacrificing individual privacy?

Fully Homomorphic Encryption (FHE) Offers A Solution

In simple terms, it is a technique that enables data to be processed blindly without having to decrypt it at any stage. Developers use a secret key to send encrypted data to a server where blind processing occurs - the result is encrypted and sent back, which developers then decrypt using their secret key. This enables the company or organisation providing the service to work with encrypted data on an end-to-end basis

Improving Privacy In Lawful Interception

Let’s come back to the security scenario and outline a couple of examples. There is a police investigation that involves looking for a suspect on a CCTV feed from a shopping centre. To locate them, the feed from the time period in question needs to be downloaded and put through a facial recognition programme. This presents problems in relation to privacy due to the amount of data that is being extracted to find one individual, which could be far greater than what a judge may grant the right to access. On the flipside, the police cannot simply tell the shopping centre CCTV operator who they are looking for, as this could result in the leakage of sensitive and secret information. 

Instead, using an FHE-enabled solution, the police could send the face of the suspect they need to locate in an encrypted manner. This would allow the operator to search and locate them without knowing who they are searching for, enabling what is commonly referred to as lawful interception. 

In the same manner, security forces may need to comb through the phone calls of a suspect and will need to work with telco companies storing the metadata. Again, this presents the challenge of only allowing access to what is needed, when it is needed and preserving the integrity of the database as a whole - as well as a citizen’s right to privacy! 

Of course, it’s not just police and security forces that have or need access to sensitive data. Businesses and corporations also hold vast amounts of sensitive data from competitive research, to commercial formulae to personnel records. In some cases, they may need to share information with a third-party service provider who has been instructed to carry out some form of cybersecurity audit or check. 

Part of this might involve a colleague wanting to know if their password has been hacked. This again presents a problem, because the only way to find out is to send the password to the third party, who now has this information at their disposal. 

Similarly, when it comes to a broader security audit, auditors need to examine their clients IT architecture and the list of all their network devices, applications and security tools in place to determine where vulnerabilities lie. Now that the third party knows about the company’s security vulnerabilities, there are two potential problems. First, the third party may not be trustworthy and use that information against the customer to hack them. Second, the third party itself could be hacked, leaving the information in the hands of cybercriminals.  

Once again, FHE can alleviate these concerns. In this case, an encrypted list of a company’s data can be sent to the third-party service provider to assess, without them knowing what those applications are.

FHE also makes the service provider a less attractive target for hackers, simply because they do not hold the sensitive information they are seeking. 

These are just two ways in which FHE has the potential to realign the security versus privacy debate. By offering the best of both worlds, individuals and organisations can have their security maintained without having to divulge key parts of their digital footprints. 

Ghazi Ben Amor is VP of Corporate Development at Zama

You Might Also Read: 

Hong Kongers Erase Their Digital Footprints:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Cyber Security And Ransomware Attacks - Problems & Solutions
Challenges For CTOs In 2023 »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Blue Solutions

Blue Solutions

Blue Solutions is a consultancy-led, accredited software distributor who provides IT solutions and support to small and medium enterprises.

PFP Cybersecurity

PFP Cybersecurity

PFP provides a SaaS solution for life-cycle protection based on our IoT security platform and power usage analytics.

BitSight Technologies

BitSight Technologies

BitSight transforms how companies manage information security risk with objective, verifiable and actionable Security Ratings.

Pixalate

Pixalate

Pixalate is an omni-channel fraud intelligence company that works with brands and platforms to prevent invalid traffic and improve ad inventory quality.

Crypto4A Technologies

Crypto4A Technologies

Crypto4A quantum-ready cybersecurity solutions significantly improve protection for Cloud, loT, Blockchain, V2X, government and military application deployments.

Carbide

Carbide

Carbide (formerly Securicy) breaks down enterprise-class security and privacy requirements and makes them accessible to, and achievable by, companies of all sizes.

Axcient

Axcient

Axcient offers MSPs the most secure backup and disaster recovery technology stack with a proven Business Availability suite.

Snode Technologies

Snode Technologies

Snode's Guardian cybersecurity platform uses AI and machine learning to monitor, detect and proactively respond to all threats on every device within your network.

Aries Security

Aries Security

Aries Security provides a premiere cyber training range and skills assessment suite and develops content for all levels of ability.

SecureStack

SecureStack

SecureStack helps software developers find security & scalability gaps in their web applications and offers ways to fix those gaps without forcing those developers to become security experts.

Mjenzi Cloud

Mjenzi Cloud

Mjenzi Cloud is a provider of cloud IaaS solutions including managed backup services, affordable & secure cloud virtual compute/storage/compute services, bare-metal services and cloud security.

Industrial Control System Information Sharing and Analysis Center (ICS-ISAC)

Industrial Control System Information Sharing and Analysis Center (ICS-ISAC)

ICS-ISAC is a non-profit, public/private Knowledge Sharing Center established to help facilities develop situational awareness in support of local, national and international security.

Techstep

Techstep

Techstep is a complete mobile technology enabler, making positive changes to the world of work; freeing people to work more effectively, securely and sustainably.

eCloudvalley Digital Technology

eCloudvalley Digital Technology

eCloudvalley Digital Technology is a born-in-the-cloud partner focused entirely on AWS services across APAC region.

eCapital

eCapital

eCAPITAL is a leading venture capital firm that provides early to growth stage funding to technology companies in fields including software & information technology, cybersecurity and industry 4.0.

AppSOC

AppSOC

AppSOC is a leader in Application Security Posture Management (ASPM) and Code-to-Cloud Vulnerability Management.