Encryption, Security & Privacy

The notion that the state’s number one priority is to protect the wellbeing of the people it serves has been around for a long time. In exchange for taxation and compliance with the law, citizens will be protected by the resources held by governing authorities. 

Over time, the nature of this power relationship has evolved, not least because the means through which security is provided, as well as the scope of what security actually means, is ever changing.

Indeed, it has fuelled a debate around just how much interference and intrusion into privacy people are willing to accept in return for being kept safe. 

Realigning The Security Versus Privacy Debate 

Today, this conundrum is best encapsulated by varying public attitudes around the extent to which the police and security services should be leaning into information sources such as CCTV, phone records and other components of our digital footprints. 

Take London. With around 73 CCTV cameras per 1,000 inhabitants, it is by far the most surveilled city in the western world. And although Brits generally back its use, there are ongoing tensions around how CCTV is leveraged and whether privacy is being invaded too much in the name of protecting the public. There are also GDPR considerations, making it desirable that police should only get the information they need for a very specific, timebound purpose rather than an entire feed or database.

With many forms of digital and cybersecurity practices relying on the exchange of data to function, it begs the question - what if there was a way to enable cooperation between authorities and data holders without sacrificing individual privacy?

Fully Homomorphic Encryption (FHE) Offers A Solution

In simple terms, it is a technique that enables data to be processed blindly without having to decrypt it at any stage. Developers use a secret key to send encrypted data to a server where blind processing occurs - the result is encrypted and sent back, which developers then decrypt using their secret key. This enables the company or organisation providing the service to work with encrypted data on an end-to-end basis

Improving Privacy In Lawful Interception

Let’s come back to the security scenario and outline a couple of examples. There is a police investigation that involves looking for a suspect on a CCTV feed from a shopping centre. To locate them, the feed from the time period in question needs to be downloaded and put through a facial recognition programme. This presents problems in relation to privacy due to the amount of data that is being extracted to find one individual, which could be far greater than what a judge may grant the right to access. On the flipside, the police cannot simply tell the shopping centre CCTV operator who they are looking for, as this could result in the leakage of sensitive and secret information. 

Instead, using an FHE-enabled solution, the police could send the face of the suspect they need to locate in an encrypted manner. This would allow the operator to search and locate them without knowing who they are searching for, enabling what is commonly referred to as lawful interception. 

In the same manner, security forces may need to comb through the phone calls of a suspect and will need to work with telco companies storing the metadata. Again, this presents the challenge of only allowing access to what is needed, when it is needed and preserving the integrity of the database as a whole - as well as a citizen’s right to privacy! 

Of course, it’s not just police and security forces that have or need access to sensitive data. Businesses and corporations also hold vast amounts of sensitive data from competitive research, to commercial formulae to personnel records. In some cases, they may need to share information with a third-party service provider who has been instructed to carry out some form of cybersecurity audit or check. 

Part of this might involve a colleague wanting to know if their password has been hacked. This again presents a problem, because the only way to find out is to send the password to the third party, who now has this information at their disposal. 

Similarly, when it comes to a broader security audit, auditors need to examine their clients IT architecture and the list of all their network devices, applications and security tools in place to determine where vulnerabilities lie. Now that the third party knows about the company’s security vulnerabilities, there are two potential problems. First, the third party may not be trustworthy and use that information against the customer to hack them. Second, the third party itself could be hacked, leaving the information in the hands of cybercriminals.  

Once again, FHE can alleviate these concerns. In this case, an encrypted list of a company’s data can be sent to the third-party service provider to assess, without them knowing what those applications are.

FHE also makes the service provider a less attractive target for hackers, simply because they do not hold the sensitive information they are seeking. 

These are just two ways in which FHE has the potential to realign the security versus privacy debate. By offering the best of both worlds, individuals and organisations can have their security maintained without having to divulge key parts of their digital footprints. 

Ghazi Ben Amor is VP of Corporate Development at Zama

You Might Also Read: 

Hong Kongers Erase Their Digital Footprints:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Cyber Security And Ransomware Attacks - Problems & Solutions
Challenges For CTOs In 2023 »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cynet

Cynet

Cynet simplifies security by providing a rapidly deployed, comprehensive platform for detection, prevention and automated response to advanced threats with near-zero false positives.

TNO Cyber Security Lab

TNO Cyber Security Lab

TNO Cyber Security Lab is a dedicated facility for innovative and experimental research with the goal of a safe and resilient cyberspace.

StickyMinds

StickyMinds

StickyMinds is the web's first interactive testing community exclusively engaged in improving software quality throughout the software development lifecycle.

JPCERT/CC

JPCERT/CC

JPCERT/CC is the first Computer Security Incident Response Team (CSIRT) established in Japan.

Idaho National Laboratory (INL)

Idaho National Laboratory (INL)

INL is an applied engineering laboratory dedicated to supporting the US Dept of Energy's missions in energy research, nuclear science and national defense including critical infrastructure protection.

Alpine Cyber Solutions

Alpine Cyber Solutions

Alpine Cyber is a Managed IT Service Provider focused on cybersecurity and cloud services.

OriginalMy

OriginalMy

OriginalMy is a cybersecurity startup, focussed on digital governance and information authentication. Its mission is to prove authenticity using state-of-the-art cryptography and blockchain technology

The PenTesting Company

The PenTesting Company

The PenTesting Company is owned and operated by offensive security professionals. Penetration Testing is essentially all we do.

Factmata

Factmata

Factmata is an social and news media monitoring and analytics product that uses AI to identify and track narratives online, highlighting those most likely to cause brand harm or misinform the public.

VLC Solutions

VLC Solutions

VLC Solutions is an independent solutions and technology service provider offering Cloud Services, Cybersecurity, ERP Services, Network Management Services, and Compliance Solutions.

ABM Technology Group

ABM Technology Group

ABM Technology Group (formerly True IT) provide business information technology services, solutions, and consulting for small to mid-sized organizations.

NMi Group

NMi Group

NMi Group is a global pioneer in mission-critical Testing, Inspection, Certification, and Calibration (TICC) services.

Scribe Security

Scribe Security

Scribe security provides end-to-end software supply chain security solutions.

Amtivo Ireland

Amtivo Ireland

Amtivo Ireland (formerly Certification Europe and EQA) offers a range of certifications and related services.

Foresights

Foresights

Foresights is a Nordic company utilizing advanced intelligence tradecraft and extensive cyber security capabilities to deliver services and advisory tailored to our client’s critical requirements.

GrabDefence

GrabDefence

GrabDefence enables digital businesses to thrive by safeguarding their ecosystem against fraud risk, digital identity threats and compliance challenges.