Encryption, Security & Privacy

Uploaded on 2023-05-05 in TECHNOLOGY--Resilience, GOVERNMENT-Law Enforcement, FREE TO VIEW

The notion that the state’s number one priority is to protect the wellbeing of the people it serves has been around for a long time. In exchange for taxation and compliance with the law, citizens will be protected by the resources held by governing authorities. 

Over time, the nature of this power relationship has evolved, not least because the means through which security is provided, as well as the scope of what security actually means, is ever changing.

Indeed, it has fuelled a debate around just how much interference and intrusion into privacy people are willing to accept in return for being kept safe. 

Realigning The Security Versus Privacy Debate 

Today, this conundrum is best encapsulated by varying public attitudes around the extent to which the police and security services should be leaning into information sources such as CCTV, phone records and other components of our digital footprints. 

Take London. With around 73 CCTV cameras per 1,000 inhabitants, it is by far the most surveilled city in the western world. And although Brits generally back its use, there are ongoing tensions around how CCTV is leveraged and whether privacy is being invaded too much in the name of protecting the public. There are also GDPR considerations, making it desirable that police should only get the information they need for a very specific, timebound purpose rather than an entire feed or database.

With many forms of digital and cybersecurity practices relying on the exchange of data to function, it begs the question - what if there was a way to enable cooperation between authorities and data holders without sacrificing individual privacy?

Fully Homomorphic Encryption (FHE) Offers A Solution

In simple terms, it is a technique that enables data to be processed blindly without having to decrypt it at any stage. Developers use a secret key to send encrypted data to a server where blind processing occurs - the result is encrypted and sent back, which developers then decrypt using their secret key. This enables the company or organisation providing the service to work with encrypted data on an end-to-end basis

Improving Privacy In Lawful Interception

Let’s come back to the security scenario and outline a couple of examples. There is a police investigation that involves looking for a suspect on a CCTV feed from a shopping centre. To locate them, the feed from the time period in question needs to be downloaded and put through a facial recognition programme. This presents problems in relation to privacy due to the amount of data that is being extracted to find one individual, which could be far greater than what a judge may grant the right to access. On the flipside, the police cannot simply tell the shopping centre CCTV operator who they are looking for, as this could result in the leakage of sensitive and secret information. 

Instead, using an FHE-enabled solution, the police could send the face of the suspect they need to locate in an encrypted manner. This would allow the operator to search and locate them without knowing who they are searching for, enabling what is commonly referred to as lawful interception. 

In the same manner, security forces may need to comb through the phone calls of a suspect and will need to work with telco companies storing the metadata. Again, this presents the challenge of only allowing access to what is needed, when it is needed and preserving the integrity of the database as a whole - as well as a citizen’s right to privacy! 

Of course, it’s not just police and security forces that have or need access to sensitive data. Businesses and corporations also hold vast amounts of sensitive data from competitive research, to commercial formulae to personnel records. In some cases, they may need to share information with a third-party service provider who has been instructed to carry out some form of cybersecurity audit or check. 

Part of this might involve a colleague wanting to know if their password has been hacked. This again presents a problem, because the only way to find out is to send the password to the third party, who now has this information at their disposal. 

Similarly, when it comes to a broader security audit, auditors need to examine their clients IT architecture and the list of all their network devices, applications and security tools in place to determine where vulnerabilities lie. Now that the third party knows about the company’s security vulnerabilities, there are two potential problems. First, the third party may not be trustworthy and use that information against the customer to hack them. Second, the third party itself could be hacked, leaving the information in the hands of cybercriminals.  

Once again, FHE can alleviate these concerns. In this case, an encrypted list of a company’s data can be sent to the third-party service provider to assess, without them knowing what those applications are.

FHE also makes the service provider a less attractive target for hackers, simply because they do not hold the sensitive information they are seeking. 

These are just two ways in which FHE has the potential to realign the security versus privacy debate. By offering the best of both worlds, individuals and organisations can have their security maintained without having to divulge key parts of their digital footprints. 

Ghazi Ben Amor is VP of Corporate Development at Zama

You Might Also Read: 

Hong Kongers Erase Their Digital Footprints:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Cyber Security And Ransomware Attacks - Problems & Solutions
Challenges For CTOs In 2023 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

EC-Council

EC-Council

EC-Council is a member-based organization that certifies individuals in various e-business and information security skills.

Infiltrate

Infiltrate

INFILTRATE is a deep technical conference that focuses entirely on offensive security issues.

Flashpoint

Flashpoint

Flashpoint is a globally trusted leader in risk intelligence for organizations that demand the fastest, most comprehensive coverage of threatening activity on the internet.

Auth0

Auth0

Auth0 is a cloud service that provides a set of unified APIs and tools that instantly enables single sign-on and user management for any application, API or IoT device.

Intelligent Business Solutions Cyprus (IBSCY)

Intelligent Business Solutions Cyprus (IBSCY)

IBSCY Ltd is a leading provider of total IT solutions and services in Cyprus specializing in the areas of cloud services and applications, systems integration, IT infrastructure and security.

Uppsala Security

Uppsala Security

Uppsala Security built the first crowdsourced Threat Intelligence platform known as the Sentinel Protocol, which is powered by blockchain technology.

Corvid

Corvid

Corvid is an experienced team of cyber security experts who are passionate about delivering innovative, robust and extensive defence systems to help protect businesses against cyber threats.

Safe Security

Safe Security

Safe Security (formerly Lucideus) provides Cyber risk assessment services and platforms to multiple Fortune 500 companies and governments across the globe.

Recovery Point Systems

Recovery Point Systems

Recovery Point is a leading national provider of IT secure and compliant infrastructure and business resilience services.

Titans24

Titans24

Titans24 is a Software-as-a-Service security platform for web applications. It prevents attacks on business websites that are protected under 11 cyber-security layers.

Ascent Cyber

Ascent Cyber

Ascent Cyber provide simple and stress-free solutions to protect your business and its customers from the worries and costs of cybercrime.

link22

link22

link22 offers a high level of expertise within IT security and system solutions. We help public and private actors with highly secure IT-solutions.

Vaultree

Vaultree

We believe in an encrypted tomorrow. Vaultree technology enables a foundational change in how we communicate with each other: Safely!

Tonex

Tonex

Tonex providing industry-leading technology training, courses, seminars, workshops, and consulting services to companies and government organizations around the world.

ASPIA InfoTech

ASPIA InfoTech

ASPIA Infotech is a leading Information and cybersecurity organization focused on innovative approaches to avert targeted attacks.

AArete

AArete

AArete is a global management and technology consulting firm specializing in strategic profitability improvement, digital transformation, and advisory services.